|dc.description.abstract||Keystroke logging is one of the most widespread threats used for password theft in the world. In this paper, rather than detecting existing malwares or creating a trusted tunnel in the kernel, we present both QTE and Broker methods to safely input passwords in web browsers according to different scenarios. To fit real circumstances, we assume users have limited privileges on the untrusted public computers and they don’t want their passwords being eavesdropped; therefore, a user-space solution is proposed firstly as QTE method.
The QTE method utilizes a canvas to cue users whether their input will be remembered or ignored by our add-on, which provides a chance for users to obfuscate keyloggers by tapping keyboards haphazardly. Despite QTE method is immune to most kernel, hypervisor, hardware, and second-channel keyloggers, it may be ineffective if screen recording is taken by attackers. To eliminate password leakage, the Broker method uses a second device and a Broker server to safely transfer information for users. In contract with previous works, our design successfully separates username and password so that even the second devices and the Broker servers are compromised, users won’t lose their private data to attackers. Furthermore, both methods we proposed can be applied to all websites without their support or users’ settings beforehand.