How to safely use password-protected websites on internet cafe computers
How can I, if possible, safely use password-protected websites (eg GMail) on internet cafe computers?
I've heard people say that it's not really safe to use password-protected websites on internet cafe computers, because they may have malware installed which can steal passwords which are typed in.
One option would be to make your website use two-factor authentication, but that doesn't feel practical to me, since I'm out of my home country and they can't necessarily send an SMS to me, and I don't want to carry a list of security codes with me.
Best Answer
If the security is password only, the answer is that you can't: if they're logging your keystrokes, your password will be compromised, period.
However, the best two-factor authentication system while on the road is not SMS, but app-based authentication like Google Authenticator. All you need is your mobile phone for generating the codes, and it doesn't even have to be on the network/wifi.
Of course, the best option is to bring your own laptop, so all you need to worry about is compromised wifi.
More answers regarding how to safely use password-protected websites on internet cafe computers
Answer 2
The correct behaviour is NOT to trust the computer.
When I log in at one, if I can't insert a USB stick with my own copy of Firefox on it for browsing, I'll load theirs up, but will make sure it's updated first to the latest version, for security (or whatever other browser they might use).
I'll then check the running tasks on the machine and see if anything looks suspect. This is harder for someone non-technical to do as you may not know which processes are part of Windows etc, but it's a step.
For your actual password, if you're worried about keylogging, you could always just type a letter, then in an open notepad type a bunch of garbage, then the next letter, and repeat. Unless their keylogger is sophisticated enough to be application specific, of course.
At that point, you'll want to consider two factor authentication. Get either an SMS or in-app message with a code that you type in (Gmail and more can be set up for this), or a QR code that your phone scans on the screen (Whatsapp web does this).
If you're getting really fancy you could stick an operating system on a USB stick, prebuilt with the browser of your choice etc and then boot the machine to that, but it depends on you being able to get into the BIOS, or what other admin restrictions they've placed on the computer (or if you can even reach the USB port).
Afterwards, clear the cache, cookies etc of the browser, and I tend to reboot the computer when I leave as well, as some internet cafes are set to reinstall everything from scratch on reboot, wiping any trace of me having been there (I once worked in an internet cafe where we did this).
Answer 3
How can I, if possible, safely use password-protected websites (eg GMail) on internet cafe computers?
You cannot, at least without using two factor authentication (or some other kind of token that is independent of the local machine). You should consider anything typed or viewed on a public machine to be public information.
Unless you have exercised total supervision over the machine and the software on it since it was built, you cannot trust the machine not to intercept your password and all other keystrokes. Without a second authentication factor, this will be sufficient to access all your details, either in real time or later.
This interception could happen at the software level (which you can in most cases defeat by carrying a USB stick containing your own operating system) or at the hardware level.
Answer 4
Everyone is saying two factor authentication. They are mostly wrong, in that two factor is in most cases a password and something else, and this will definitely risk compromising the password and may compromise the something else. Two factor may be useful, but the best solution is single use credentials. If you have a trusted device like a cellphone that you can use to change your password you can change the password, use the untrusted computer and then change your password back. This presents a limited window where the password is vulnerable, but it may be too long. One time passwords are a better solution to this use case. There are several implementations of one time passwords varying from books to TOTP (google authenticator). The one challenge is that all of these require server side support which is spotty at best. For the moment the best practice advice to users is don't.
Answer 5
An alternative to 2FA is to use a USB Armory device. This plugs into your USB port and runs an independent OS. You can interact with the device in any way you could wish to, such as using it as a web server, an ssh client or a VNC/RDP server so that the device itself invokes the secure session with the target server. The keys/passwords could remain on the device and not be made accessible to the host computer.
Answer 6
Use two factor authentication. This is when, in addition to a password, you put in a sequence of characters that you are sent (either by SMS or otherwise). This is how I set it up without SMS, because roaming SMS doesn't always work.
- Install Google Authenticator from the Android or iOS app store.
- Follow the instructions here to set it up.
- Set up your Google account to use two-step authentication using your Authenticator app. The instructions are here.
Now each time you need to log in, when prompted, just open the Authenticator and put in the key. Don't worry, the key changes every 15 seconds, so even if someone tried to log in with the keys they recorded, it won't work. And you can later check access by clicking access history at the very bottom right of your Gmail page.
You can check out more on Authenticator on Wikipedia, just type in Google Authenticator.
Answer 7
Google Mail and Fastmail.fm both support U2F, so you can use those via that key if the place you are at allows plugging in random USB devices. I am not sure what other websites support it. If you have your own control, you could instead get a Yubikey Neo and implement Yubikey auth for your site. It's alas rare.
Answer 8
If you use two alternating passwords this provides a bit of protection when you have only one session at each internet cafe: In the first internet cafe you log in with password 1 and at the end of the session you change the password to password 2. In the second internet cafe you do the login with password 2, and at the end of the session you change the password back to password 1. If the attacker only analyzes the first password you entered (the one you used for the login), then he can't use this password for a login because it was changed by you at the end of the session.
This approach won't help if the attacker analyses the full protocol written by the keylogger, but maybe he isn't so patient or doesn't get the idea that you simply changed the password at the end of the session.
Answer 9
As others have mentioned, there are very few safety rules you can enforce on a machine you don't control.
The best solution would be to carry your own laptop, tablet, smartphone and simply borrow the Internet connection.
Once you get a hold of the Internet connection, use a VPN provider to secure your connection. There are many ways to do this, from using a browser that has one built in to a VPN client on your mobile. You can get free lifetime subscriptions at some VPN providers for a nominal amount.
The VPN provides a level of privacy over the (public) Internet connection.
Next, you can follow the normal security steps such as enabling two factor authentication on your account.
Answer 10
Related musings of possible value. Or not.
'cafe' = internet cafe or equivalent.
Comodo sell a product that allows an https encrypted connection to their site and then connection to wherever. That addresses most in-PC and beyond exploits. Note however jpatokal's comment on keyloggers. (My only relationship with Comodo is as a sometime paying and sometimes free-product-using user.)
I've seen internet cafes where NO access to the machine proper was available: you got cables through a physical wall. (That may have been Dublin or Prague (or both).)
It's common enough to not allow cafe users access to USB or DVD/CD.
I've used "Team Viewer" remote access software from China to a home computer system in NZ. That's probably worse, as it has the potential to give them access to my NZ system, but it does give the ability to implement a challenge and response system where the "2nd factor" could be a mentally simple but "unobvious enough" system. Couple that with Comodo's system and you'd be making it very hard to make sense of keylogger data. ... You can e.g. move a mouse pointer over a remote screen and, if you are keen enough, do something like that blind with the remote screen disabled while you do it but the mouse still live.
In my case I could also communicate with my wife over the link - adding some 3rd party who achieves "personal factor authentication" from a distant country is liable to be reasonably effective.
I've only had my access compromised once AFAIK when "abroad". A public WiFi session at Hong Kong airport resulted in (AFAIK) me being locked out of GMail from China only a few hours later (before the Chinese barred GMail) but the account recovery system got me back in.
________________________________________
Fun only: I've sat in a Shenzhen cafe next to a largish team of Chinese guys intently playing the same game. Not my territory but my son wondered from the screens visible in photos I took if these were some of the fabled China based miners who make real $ by obtaining and selling in game product for that specific game. Unknown and unknowable - but a fun thought.
Answer 11
You should understand how unsafe an unsafe computer really is.
Assume they:
- Are recording every keystroke you make.
- Are trying passwords you enter - protected by two-factor or not - into other websites as you may of course recycle passwords.
- Record everything that appears on screen, including anything open in your email, or on your Facebook, or so forth.
- Know your contacts, and can probably steal your identity.
Now, are public computers that scrape passwords to common websites, but stop short of anything else they could do, common enough? I have no idea. But it is very odd to me to trust a computer to use it as long as you can protect your password from it.
Answer 12
To protect your password on a public computer (or any device for that matter), use a password manager such as Password Maker that generates a unique password for you, per website.
You use a master password (which is not actually used for any website) and a whole bunch of other information to generate a password for a particular website you want to access. You then copy and paste the password to log in, thus never typing your password, so it cannot be captured by a key logger.
Combine this with the other suggestions on this Q&A (use a VPN, 2 Factor Auth, don't use a public computer but rather use your own device etc)
Answer 13
I was going to stay out of this one, but seeing all these answers suggesting two-factor auth and a bunch of naive anti-keylogger tricks will somehow make things right is just incredible.
Let it sink in: the only secure way of using secured websites on a compromised computer is not using them. From the moment you made a remote server (GMail, your bank, etc.) trust the computer you're using, they will trust whatever that computer is sending to them, and you have little control over that.
Some banking sites are aware of this problem and require you to authenticate every single action you're trying to perform, to make sure all actions come from the actual user. Many others don't. GMail certainly does not. Once you're logged in, it will happily give away your mail archive to the hackers while you're reading that new e-mail you've received.
If this sounds surprising, open GMail in two tabs, and imagine you're using one while hackers control the other, without you seeing it. That should give you a good idea of what's happening on a compromised computer.
Answer 14
You can: use VPN and 2FA together with a Windows-To-Go x86 (32-bit) USB drive. This way you won't need to actually carry a huge list of passwords or security codes, OR you could just use a Linux persistent storage drive (with VPN of course).
VPN
Official WTG
Unofficial WTG can also be used
Answer 15
One important trick that nobody discussed here!
Key loggers record your keystrokes in sequence... period!
You can fool them by typing the first letter of the password, then a few of the last letters, then placing your cursor at the exact middle place where you left off, and writing the remaining characters.
You can randomize it even further by switching the cursor position repeatedly. Remember, don't use keyboard arrow keys to switch cursor; use the mouse ;)
This trick will fool any keylogger, even one that is application specific.
Of course this is only for key loggers; public computers can have a lot of other issues too.
Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.