Leo, if one uses a password filler such as RoboForm and your computer gets
infected with a malware keylogger, can it pick up your passwords when you
aren’t actually typing them in? If not, this makes a very good case for having
an encrypted password filler such as RoboForm or the others you’ve mentioned in
Password tool bypassing keyloggers
So to answer your specific question, “Can a keylogger log what is pasted by
tools like RoboForm or LastPass?” The answer is no.
But before you go getting all excited, it’s incredibly important to realize
that if you’ve got a keylogger, you’ve got malware on your machine. Malware can
actually do anything!
When we say “keylogger,” we’re only talking about a specific kind of
malware. You could have other malware or you could have some other form of a
A Keylogger is malware
One of the things that I talk about constantly, in several articles on my
site, is ways of bypassing keyloggers.
“Keylogger” is a very unfortunate term. I say that because we think of
keyloggers as logging only keystrokes. And that’s why I said – if you’ve got a
keylogger that’s logging only keystrokes and if you’re not making any
keystrokes – there’s nothing to log.
However, keyloggers that log only keystrokes are not the only kind
of malware out there. They’re not the only kind of keylogger that’s out
A “keylogger” could very easily monitor and watch what’s being pasted in by
applications. It could monitor the funnel that RoboForm and LastPass use to put
passwords into forms. Keyloggers can monitor a lot more than just keys. They
can monitor mouse movement. They can take a screenshot to show where the mouse
was clicked. They can do all sorts of things, for example, that would defeat
Intercepting what’s going on between RoboForm and LastPass and your browser
and the places that those passwords are getting put is not that difficult for a
more powerful keylogger.
In other words, it’s not that hard for “malware,” because that’s all a
keylogger is; it’s just a form of malware.
Prevent malware on your computer
So let’s stop thinking about it as keyloggers and start thinking about it as
malware. Malware can do anything – and, yes, absolutely… malware can
capture what’s happening between RoboForm and LastPass and your browser.
That’s not an argument against using RoboForm or LastPass. We’ll talk about
that in a second. What it’s a very strong argument for is – don’t get
malware in the first place!
Don’t worry so much about keyloggers and worry more about malware in
general. Don’t let your machine get infected because whatever you get infected
with (like I keep saying) it could do just about anything that it wants to!
So focus your energies on actually doing all the different things that it
takes to stay malware-free, and less on trying to avoid specific types of
malware like keyloggers that happen to log only keystrokes.
Password tools for security
Now, RoboForm and LastPass still have a very, very important role. The
reason I so strongly recommend people use RoboForm and LastPass is so that they
are using multiple, different, hard-to-remember, secure passwords on multiple
Most people, if they’re not using a tool like this do a number of things
that compromise the security of passwords:
They use short passwords.
They use passwords that they can remember.
They write them on sticky notes.
They use the same password everywhere.
You get the idea. They do a lot of different things that basically reduce
their overall security.
Increase your overall security
By using a tool like RoboForm or LastPass, you are then allowing yourself
Use complex passwords.
Use a different password for every site.
Use passwords that you may never remember – but you don’t have to because
RoboForm and LastPass are remembering them for you.
That’s the value that they add. Hiding from malware, hiding from keyloggers
is not the point of these tools. Allowing you to use and choose more secure
passwords and use them more securely across all of your different logins –
that’s why you want to use a tool like LastPass or RoboForm.
(Transcript lightly edited for readability.)