Will Roboform or Lastpass bypass keyloggers?

Leo, if one uses a password filler such as RoboForm and your computer gets
infected with a malware keylogger, can it pick up your passwords when you
aren’t actually typing them in? If not, this makes a very good case for having
an encrypted password filler such as RoboForm or the others you’ve mentioned in
past columns.

In this excerpt from
Answercast #100
I look at why it’s better to avoid malware altogether
than worry about certain things the malware may do if you are infected.

Password tool bypassing keyloggers

So to answer your specific question, “Can a keylogger log what is pasted by
tools like RoboForm or LastPass?” The answer is no.

But before you go getting all excited, it’s incredibly important to realize
that if you’ve got a keylogger, you’ve got malware on your machine. Malware can
actually do anything!

When we say “keylogger,” we’re only talking about a specific kind of
malware. You could have other malware or you could have some other form of a
keylogger.

A keylogger is malware

One of the things that I talk about constantly, in several articles on my
site, is ways of bypassing keyloggers.

“Keylogger” is a very unfortunate term. I say that because we think of
keyloggers as logging only keystrokes. And that’s why I said – if you’ve got a
keylogger that’s logging only keystrokes and if you’re not making any
keystrokes – there’s nothing to log.

However, keyloggers that log only keystrokes are not the only kind
of malware out there. They’re not the only kind of keylogger that’s out
there.

A “keylogger” could very easily monitor and watch what’s being pasted in by
applications. It could monitor the funnel that RoboForm and LastPass use to put
passwords into forms. Keyloggers can monitor a lot more than just keys. They
can monitor mouse movement. They can take a screen shot to show where the mouse
was clicked. They can do all sorts of things, for example, that would defeat
onscreen keyboards.

Intercepting what’s going on between RoboForm and LastPass and your browser
and the places that those passwords are getting put is not that difficult for a
more powerful keylogger.

In other words, it’s not that hard for “malware.” Because that’s all a
keylogger is; it’s just a form of malware.

Prevent malware on your computer

So let’s stop thinking about it as keyloggers and start thinking about it as
malware. Malware can do anything – and, yes, absolutely… malware can
capture what’s happening between RoboForm and LastPass and your browser.

That’s not an argument against using RoboForm or LastPass. We’ll talk about
that in a second. What it’s a very strong argument for is – don’t get
malware in the first place!

Don’t worry so much about keyloggers and worry more about malware in
general. Don’t let your machine get infected because whatever you get infected
with (like I keep saying) it could do just about anything that it wants to!

So focus your energies on actually doing all the different things that it
takes to stay malware free and less about trying to avoid specific types of
malware like keyloggers that happen to log only keystrokes.

Password tools for security

Now, RoboForm and LastPass still have a very, very important role. The
reason I so strongly recommend people use RoboForm and LastPass is so that they
are using multiple, different, hard to remember, secure, passwords on multiple
sites.

Most people, if they’re not using a tool like this, do a number of things
that compromise the security of passwords:

  • They use short passwords.

  • They use passwords that they can remember.

  • They write them on sticky notes.

  • They use the same password everywhere.

You get the idea. They do a lot of different things that basically reduce
their overall security.

Increase your overall security

By using a tool like RoboForm or LastPass, you are then allowing yourself
to:

  • Use complex passwords.

  • Use a different password for every site.

  • Use passwords that you may never remember – but you don’t have to because
    RoboForm and LastPass are remembering them for you.

That’s the value that they add. Hiding from malware, hiding from keyloggers
is not the point of these tools. Allowing you to use and choose more secure
passwords and use them more securely across all of your different logins –
that’s why you want to use a tool like LastPass or RoboForm.

(Transcript lightly edited for readability.)

4 comments on “Will Roboform or Lastpass bypass keyloggers?”

  1. Thanks Leo. I’ve been using RoboForm for years and have wondered about this myself. I guess we can’t protect ourselves against everything, but I definitely feel more secure using RoboForm.

  2. I’ve been using LastPass for about a year or so; I haven’t had any problems. However, highly technical/proprietary information aside, I wish I knew a little more about how it does its job.

    The reason for my concern? I’m using LastPass ONLY because it’s highly recommended … not just by Leo, by the way, but also by many other credible mainstream sources. However, without knowing a little more about the way it works, I remain feeling a little unsettled, frankly. I’m just one of those folks who tries to understand, thus helping me to make better use of a product as well as understanding its limitations and vulnerabilities, if any.

    Actually a couple of years ago Steve Gibson dove into Lastpass in some detail. He dedicated an entire episode of the “Security Now” podcast to it: Episode 256 recorded July 9, 2010: LastPass Security. I know Lastpass gets mentioned at other times on the show, but that particular episode is what convinced me.

    Leo
    03-Apr-2013

  3. I agree the main concern and point is to avoid keeping malware off one’s computer in the first place if possible; however, when you try out freeware like I do even downloaded from reputable download sites, even testing it with VirusTotal and Jotti if it falls within their size limitations, mistakes do happen. So I do use Last Pass now and just started yesterday using a program from Alpin Software called Neo’s SafeKeys v3 which complements or rather addresses the “shortcomings” Leo so keenly addressed that password managers don’t address concerning malware, i.e. mouse movements and screen captures by malware. This little package looks like a nice little addition to address those concerns and it’s free too. You can install either the portable version or the installer self install version and I would personally do the portable version and create your own shortcut. Ran both through VirusTotal and the portable (current version) came up clean and the self installer version when checked out by VirusTotal’s antivirus’s 46 scanners had just one hit, most likely a false positive from TrendMicro-HouseCall for TROJ_GEN.F47V0723. By the way, I have the installer file on my computer and ran the commercial online version of HouseCall yesterday and it was scanned with the rest of my system with no problems detected, i.e. no hits like VirusTotal reported. BitDefender Free Antivirus and Malwarebytes found no problem either. The downloadable Microsoft antivirus scanner found no problem on the file either and that is why I say it most likely is a false positive. But to be completely safe, just download the portable version if the free program meets a need, run it yourself through VirusTotal, unzip it, and put it in your program files folder, create a shortcut to the .exe file, and give it a try. You can enter passwords using this little keyboard that can be transparent, so they claim, to malware screen captures and mouse movements.
Leo if you see this I would love your expert opinion on this software (Alpin did not come up in a search on your site), and if there is something better out there, particularly free like this one, I’d love to read the review and check it out too. 🙂

  4. Thanks Leo. The problem with most of us that definitely includes myself, is we unconsciously believe every facility/security to be perfect. Only after reading the articles like yours, I’ve started recognizing the inherent limitations & vulnerabilities (as nicely put by Tony) in any arrangement/system.

    I’m grateful to all of you (Leo and his commenters) for that.
