This is an interesting question!

The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.

We can (to a somewhat limited extent) get around this though! 2 factor authentication (such as Google's 2 Step Verification) can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a seperate device (owned and controlled by you).

Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).

This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're entering missile launch codes however, you may want to stick to devices you control.

Edit: Additionally, consider the following, via user TemporalWolf

Some websites allow for the generation of single use one time passwords which side steps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.

In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).

This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.

Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.

Use SQRL

If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.

SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.

If you encounter this situation regularly, try the following:

1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.




2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.

Edit:

As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.

Potential weaknesses of this method:

This method is vulnerable to the following:

• Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.


• Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.

There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.

It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...

1. Open text editor of choice.


2. Type out the full alphabet in both upper and lower case.


3. type out the full range of numbers and symbols that are available.


4. Copy and paste letter by letter to enter your password on the web form.


5. As an added layer of obfuscation, don't grab the letters in the same order as the final password

I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.

Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.

The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.

If you have probable cause or general paranoia then do not perform unsafe actions.

Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.

What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.

If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.

There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.

Mitigation of Hardware based vulnerabilities

• Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.


• Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.


• Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.


• Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.


• Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.

Software methods of decreasing the risk

• Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.


• Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.

The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.

In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.

Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.

Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.

When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.

That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.