It definitely pays to be prepared when using public internet cafes, be it with your own browsing installation on a USB drive, OTP for your favorite online applications or just common sense.

Unfortunately for most people that’s all too much effort. Trouble then strikes later sometimes….

Anyway – always have a save and great trip!

;-)

It’s not an alternative solution, of course.

I am not sure what you mean “on all levels”, but at least they do not leave reusable information on a public computer after the session is finished…

By the way, why is it that the user’s password can not be a one-way function of his passphrase? And why those disposable logins have exactly the length they have?

Apologies again if I seem overly critical and inquisitive. Maybe I am too annoying and I should stop here…

You seem very passionate about the subject, and I’m sure that you have an alternative solution in mind. Would you please tell me what it is?

I think that “protection against keyloggers” is not sufficient, because other spyware (spyware that is *not* a keylogger) can still copy the password.

Imagine some malicious software (spyware) that captures all the traffic that leaves the public computer, just before it gets encrypted (e.g. by SSL – if it gets encrypted at all), and that stores the captured traffic in a hidden file. Every midnight the spyware emails this file to a hacker somewhere.

This is a very general approach – and it will get hold of all passpack-protected passwords, no matter if the user used disposable logins or not, and no matter if the user used some fancy auto-login button or not. The passwords are in the HTTP requests (traffic) that leave the computer.

Is it possible to “check” the public computer in order to avoid exposure to this (type of) threat? The answer is “no” – if the spyware is hidden well enough (and we have to assume that it is), then it will not show up, no matter “where” and “how hard” we look.

My only tip is “do not divulge the password to the public computer.”

And “Passpack disposable logins do not hide the password from the public computer”. – I still think you should clarify this last point more clearly generally on the passpack website. At least you should more clearly point out the limits of the protection offered by passpack disposable logins.

Apologies if I seem to be overly critical.

All kidding aside, checking the processes for anything suspicious lookimg is a great tip.

As for Passpack Disposable Logins, you are right – they do protect against Keyloggers on your way into your Passpack account, thus protecting your Passpack credentials. Each individual website credential (passwords) is protected against keyloggers by using the travel auto-login button(it doesn’t use the clipboard).

Where the critical point lies, and this is what spurred us onto writing this post in the first place, is the “open pack” between those two points – this goes beyond keyloggers. It would require a different (more specific) type of attack. That was the intent of the post.

Thanks for taking part, it’s good to see people taking online security seriously – any other tips/tools/resources you’d like to share?

@Lao Tzu
Thanks for the thanks. Glad you found it useful.

When using a public computer, the user has a temporal trust relationship with it. It means, the user is willing to trust the public computer for the duration of this particular session, but no more. This means that there should be no secrets divulged to the public computer that remain valid for longer than the session. Example: passwords.

Under these assumptions, the only way to provide an acceptable level of protection against password theft is by not divulging the password to the public computer at all. No amount of “checking” what appears to be going on on the public computer removes this requirement.

While passpack’s disposable logins seem to achieve this for the pass and packing key (personally, I doubt even this because the packing key must be reconstructed at the client side anyway), it is clear that they do not achieve this for the user’s website-passwords.

You said “I could think of many other things one could check in order to avoid certain threats” – what else would you suggest?

Firstly, I think you should have mentioned that the passpack disposable logins do not protect any of the other passwords stored in the user’s account when using a public computer. This is because they are downloaded to the public computer after the user logs into his passpack account. Not explicitly mentioning this may mislead people to believe that the fact that “Passpack offers Disposable Logins as protection against keyloggers” also means that their website-passwords are protected, which is clearly not the case.

Secondly, I think that some of the advice given in this post is a bit poor. For example, “When you are using any public computer, your best bet is to check which add-ons/extensions or plug-ins have been installed.” – why is that our “best bet”? I can think of many other things one could check in order to avoid certain threats.

Or “Don’t fall victim to an unpopularized risk – check your browser!” – this again suggests that “checking the browser” will in some way provide an acceptable level of protection (against password theft?) while, in fact, it does not really mean all that much (e.g. hardware keyloggers could be present, or some other software spyware could “steal” whatever sensitive information there is). There is no need that the spyware is somehow classified as a “browser plugin/addon”…