One solution if you don't want to take a laptop with you is to get a Linux Live CD such as Knoppix or the Ubuntu live CD. Assuming the internet café owner allows you to run it, you reboot the machine into a complete OS owned by you, so the keyloggers are inactive and anything listening on the network can't break the SSL encryption.
This might not help you, but I travel with my laptop. When I want to connect, I get my wife to drive around town slowly while I look for an open WiFi signal. When my laptop finds one, I yell "stop!".
(Important: Use SSL for your mail server connections so the password isn't sent in plain text.)
A damn shame these cafes render themselves useless even for accessing Hotmail and the like. I read some chap (here?) got various accounts hacked using one.
Would it be an option to download and run various software like SpyBot and AdAware during a session?
I'm going on holiday
So enjoy your holiday and just don't look at all. It is possible! ;)
If you're unable to resist the urge, using a live CD is still far better than trying to clean the machine before logging on - you will spend hours cleaning up and you still can't be sure you have found everything.
1. Keep your passwords in a password-protected zip file in plain text. Copy and paste them into web forms as required (or can these programs read the clipboard as well?).
or ...
2. Use a virtual keyboard like this [lakefolks.org...]
Would that be safe?
I certainly can't say if it's true with all scumware (and I doubt it is), but yes, some can capture the contents of the clipboard. This method of "security" is generally frowned upon, now.
If cPanel is your only way of accessing your site, and you have no programming skills, then this idea is of no use to you, but...
What I've done, for when I'm on the road, is written a small Perl program for uploading files - these sorts of scripts are available at any webmaster software repository - that is password protected. Nothing new there...
What is "new" about it, is that the password is pseudo-generated on the fly. What I mean by that is that the password regularly changes, based on some external factor.
For example, as I write this, it's 18 January and about 7:00 UTC. Using the date & time, you could make this password: 18aG. "18" from the day number, "a" from the month ("b" for February, etc.), and "G" from the hour ("G" being the seventh letter). I now have a password that's valid for only one hour out of every 8760 (a year).
Say it's the third day of your vacation and your "base" password is "password". The generated password could be "3passwordC". Tomorrow, it's "4passwordD". Using your imagination, you can devise your own "rules" for what the generated password should be.
Do I worry about keyloggers on cafe computers? Nope, not when my passwords are valid for only a one-time, 3 minute period! Shoot, I'll tell you what my password is! (But only one, lest you deduce my "rules.")
Food for thought & inspiration...
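An added example, not the poster's Perl program: `rule_password` implements the date-and-hour rule from the post (the "18aG" case), and `totp` goes beyond it to the standard form of the same idea, RFC 6238, where the code is derived from a secret key so that a captured code does not reveal the rule. The names `rule_password`, `totp` and `UploadGate`, and the wrap of hour 0 to "Z", are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone
from string import ascii_lowercase, ascii_uppercase


def rule_password(now: datetime) -> str:
    """The post's rule: day number + month letter (a = January) + hour letter.
    Assumption: hour 0 has no 'nth letter', so it wraps to 'Z'."""
    now = now.astimezone(timezone.utc)
    month = ascii_lowercase[now.month - 1]
    hour = ascii_uppercase[(now.hour - 1) % 26]
    return f"{now.day}{month}{hour}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class UploadGate:
    """Server-side check for an upload script: each time step is accepted once."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps
        self.last_used = -1  # highest time-step counter already accepted

    def check(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            expected = totp(self.secret, counter * self.step, self.step)
            # Constant-time compare; a step at or before the last accepted
            # one is refused, so a code logged by the cafe PC cannot be replayed.
            same = hmac.compare_digest(expected.encode(), submitted.encode())
            if same and counter > self.last_used:
                self.last_used = counter
                return True
        return False
```

With the rule-based password, anyone who sees two or three values can work out the rule; with the keyed version, the secret never touches the untrusted keyboard, only the short-lived code does.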
The safest solution is to take your laptop and use a hardwired internet connection.
Why not wi-fi? Because there are too many horror stories of other laptops sniffing around. OK, they won't be able to capture your ssh stuff there and then but it only takes a few days to crack open the sniffed packets.
The rumours are that in some hotels / airports cars are parked with laptops listening 24/7 and then the hackers crunch the data captured looking for key things.
I don't know how seriously these kinds of rumours should be taken but it's enough for me to never use wifi at all.
Nearly all decent hotels are wired up for HSIA LAN connection. Take your laptop and a CAT 5 cable with you if you are staying in them. If you are staying at your friend's house then use his internet connection.
Oh, and one other thing if you do take the laptop. Don't have your username and passwords saved on your laptop. Turn off form saving and clear all cookies etc.
And don't forget to never ssh as root. Always ssh as a low level user and then su to root when you are connected.