
Will Using an On-Screen Keyboard Stop Keyloggers?

Will using the on-screen keyboard in Windows stop keyloggers?

The short answer is very simple: no.

I get a surprising amount of push-back on this, but the simple truth remains: while it might stop some, it’s nothing you can count on to be 100% effective.

Keyloggers are a form of malware that records your keystrokes in order to capture things like your login usernames and passwords, which hackers can then use to get into your accounts. Let’s look at the path a keystroke takes from your finger to your computer to see the various ways it can be intercepted and logged.


The keyboard connection

Typically, when you type a key on your keyboard, a microprocessor within it sends signals via the cable connecting your keyboard to your computer.

Here we encounter the very first point of vulnerability. It isn’t the microprocessor in the keyboard (compromising that is technically possible, but exceptionally unlikely); it’s the cable, or rather, what the cable plugs into.

Particularly lucrative targets are public computers, where someone comes along and actually installs a physical device between the computer and keyboard – a device that intercepts and logs every keystroke entered. Sometime later they come back, remove the device, and take with it all the information users of that computer entered.

As it turns out, wireless keyboards can be worse. Wireless keyboards actually broadcast the keystrokes you’re typing. Any receiver within range can “listen in”. Wireless keyboards do encrypt their data, so in theory, the information should be safe, but the quality of the encryption can vary, based on the age of the keyboard and the vendor. In addition, the concept of “in range” turns out to be much further than most people think, particularly for a thief with equipment dedicated and tuned to this purpose.

The good news is that your on-screen keyboard actually does protect you against these two specific types of keyboard-related threats. By using the on-screen keyboard, you’re bypassing those components of the keyboard hardware that could be compromised.

The bad news is that hardware-based keyloggers are the rare case. Much more common are software-based threats, and those are a different story.

The keyboard software

Once your keystrokes arrive at the computer from the keyboard, they are processed by a keyboard device driver which (to oversimplify) handles the translation of the keyboard “scan codes”, as they’re called, to the letters, numbers, and symbols Windows applications expect.

Keyloggers typically insert themselves into the receiving end of this process; they get the keystrokes from the keyboard as they are passed on to Windows.

This is where the on-screen keyboard scenario gets interesting.

On-Screen Keyboard

The on-screen keyboard application is a “virtual” keyboard. It has its own device driver, which, to Windows, “looks like” a real keyboard.

As a result, the keystrokes it sends to Windows can quite easily be captured by the same key-logging software capturing keystrokes from the real keyboard, if that key logger has installed itself in the proper place.

But it gets worse. Much worse, actually.

A keylogger is just malware

Perhaps the most important concept to remember here is that keyloggers are just another form of malware.

And malware can do anything; keylogging malware can actually capture much more than just keystrokes.

You use the virtual keyboard by pointing your mouse at the image of a key and carefully clicking it. For every mouse click, a keylogger could then:

  • Capture the location of the mouse on the screen.
  • Capture a screenshot image of the screen, or just the area “around” the mouse pointer.

The keylogger has captured a series of images showing exactly where you clicked and in what order. In other words, it’s captured your virtual keystrokes.

Note that this approach to keylogging also bypasses one of the more common so-called security techniques of randomizing the keyboard layout on the screen. You still have to be able to see where to click, and the logger simply logs what you see and where you click, regardless of how the keyboard is laid out.

Keyloggers as threats

How big a threat is all this?

It depends on whom you ask. In my opinion, “normal” keyloggers – those that record only keystrokes – are a fairly common threat, and are one reason why anti-malware protection, general internet safety, and the use of common sense in general are so important. So yes, they’re out there.

The real question is how pervasive these more sophisticated keyloggers are: the ones that do more than capture keyboard keystrokes, and use other techniques to achieve effectively the same result.

It’s hard to say, but I have to say it again: keyloggers are “just” malware. If they’re on your machine at all, you have a problem, and that problem may not be limited to logging what you type. Like any malware, you might not even realize they’re there until it’s too late. As a result, focusing on solutions targeted only at thwarting keyloggers is not only fundamentally misguided, it diverts your attention from a much bigger problem: if you have a keylogger, you have malware.

Focus on avoiding, or removing, malware of all sorts, and you’ll be avoiding or removing keyloggers as a side effect.

And I would never rely on a virtual keyboard of any sort as some kind of security measure.


41 comments on “Will Using an On-Screen Keyboard Stop Keyloggers?”

  1. There is a much better option than using the onscreen keyboard. To defeat keyloggers, I used to carry my login IDs and passwords on my USB pen drive and copy and PASTE them into place, NOT TYPE them. This will defeat hardware key loggers. Passwords are entered as ****** in most cases, which will defeat image capturing keyloggers.

    Unless, of course, the keylogger is also watching the clipboard for anything you might copy/paste. VERY easy for a keylogger to do.

    – Leo
    16-Jan-2009
    • The worst practice I’ve ever heard. Carrying credentials on a pen drive? What if you lose the pen drive? Which is very possible.

      I can prepare a script that will silently copy all files on your pen drive

  2. Once again I can offer what I use to defeat keylogging. A program called KeyScrambler. It’s a great program. Works in Firefox and IE browsers.

    And once again I’ll express my extreme skepticism at any software that you have to install as being able to defeat a sufficiently sophisticated keylogger. IMO: it can’t be done, and these utilities are a waste of time.

    – Leo
    16-Jan-2009
  3. I guess it is the responsibility of websites to establish a security layer. They should ask for partial passwords and not the full password. For example, a user has an 8 character password. The website should display fewer than 8 boxes and ask the user to, say, enter the 1st, 4th, 6th and 7th characters of the password. Every time the user tries a login, these places should be randomized so that every time, the website asks for different characters of the password of the same user.
    This can reduce password thefts to a significant extent, but not 100%.
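The partial-password challenge described in the comment above, written out as an added example (it is not code from the article, the site, or the commenter): the server picks random character positions for each login, the user supplies only those characters, and a keylogger watching one session captures only that handful. The `positions_leaked` simulation shows the caveat behind “but not 100%”: every logged session reveals a few more positions, so the full password accumulates over repeated observation. A second caveat is visible in `verify_partial`: the server can only check individual characters if it stores the password in recoverable form, not as a salted hash, which is itself a weakness. All function names are assumptions for this illustration.

```python
import hmac
import random
import secrets

# Assumed helper names; constructed for this illustration, not the site's code.

def choose_positions(password_length: int, count: int, rng=secrets.SystemRandom()) -> list[int]:
    """Pick `count` distinct 1-based character positions for one login challenge.
    Uses a cryptographically strong RNG by default so challenges are unpredictable."""
    if not 0 < count <= password_length:
        raise ValueError("count must be between 1 and the password length")
    return sorted(rng.sample(range(1, password_length + 1), count))


def verify_partial(stored_password: str, positions: list[int], supplied: str) -> bool:
    """Compare the characters the user typed against the challenged positions.
    Caveat: this only works because the server can read individual characters,
    i.e. the password is stored reversibly rather than as a salted hash."""
    expected = "".join(stored_password[p - 1] for p in positions)
    # Constant-time comparison avoids leaking which character mismatched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def positions_leaked(password_length: int, count: int, sessions: int, seed: int = 0) -> int:
    """Simulate a keylogger that observes `sessions` logins and records the
    challenged positions plus the typed characters. Returns how many distinct
    password positions it has collected; once this equals the password length,
    the whole password is known. Seeded so the simulation is repeatable."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(sessions):
        seen.update(choose_positions(password_length, count, rng))
    return len(seen)


if __name__ == "__main__":
    # Constructed sample password, as in the comment's 8-character example.
    password = "12534abc"
    challenge = choose_positions(len(password), 4)
    answer = "".join(password[p - 1] for p in challenge)
    print("challenge positions:", challenge, "->", verify_partial(password, challenge, answer))
    for n in (1, 3, 5, 10, 20):
        print(f"after {n:2d} observed logins the logger holds "
              f"{positions_leaked(len(password), 4, n)} of {len(password)} characters")
```

Running the script shows the accumulation curve: with 4 of 8 characters asked per login, a handful of observed sessions is typically enough to recover every position, which is why the scheme slows a keylogger down rather than defeating it.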

  4. On-screen keyboard doesn’t defeat keyloggers. I use a keylogger on my own computer so I can tell when people have been using it while I’m gone. It records everything the on-screen does.

  5. I am by no means an expert in these matters, however I have to agree that keyscrambler is an effective tool against keyloggers. I added the plugin to Firefox and downloaded trial versions of 2 commercial keyloggers that work invisibly at the kernel level.

    When I input data into any website, the keyloggers recorded either nothing or gibberish.

    Perhaps you don’t want the keyloggers named on your site, but I would be happy to provide the names on request.

  6. One method that DOES defeat keyloggers (correct me if I’m wrong) is moving the cursor mid-password by clicking it in a different location or even outside the password field.

    For instance, if your password is “12534,” first type “1234,” click the mouse after the second character, and type in “5.” The keylogger will record “12345” but the browser will send your correct password to the server. To further thwart the attacker, after typing “5” click the mouse anywhere outside the field and type “67”; then, click the mouse in the password field again and hit Enter. The keylogger will record “1234567,” which is nowhere near the real “12534” password.

    It should go without saying but, for this to work, you HAVE to use the mouse and not the arrow keys on the keyboard!

    This will not defeat keyloggers. Keyloggers often log much more than keystrokes, and include mouse movements, clicks and even screen shots.

    Leo
    05-Nov-2010

    • Steiner’s could be the best idea here. Leo, the idea is that it’s much harder to deduce Steiner’s 12534 example scenario password from a mouse movement recording. For screenshots the level of difficulty is very high for the malware to get the needed shots at the exact right times.

  7. Michael Steiner, my WoW account got hacked by a keylogger a while back I believe. I ended up getting the account back before any harm was done, but ever since then I’ve done what you have done to an extreme. I would purposely write out part of my long password, go back and forth using that method you said. I haven’t had a problem since, but one can’t be too sure. I just read that there are also screen loggers.. just not as many.

    Example of a password I’m talking about: my password style would be to take the names of three things, mesh them together, and add some numbers, then do what you said. Let’s use the words heavy, Practice and Brisk, as well as 2 or 3 numbers. Combined I would probably do it like RactIEavYBriS951, but the way I would enter it would be like IEavRaBrctiS159, going back and forth with mouse clicks, making sure to get the password just right. ^^ And I don’t get hacked anymore. And if you think that password is hard to remember, my long ass email password is longer I believe.

  8. Well, your theory of a ‘mouse key(?) stroke logger’ sounds scary, but there is no known software to do that correctly. A mouse’s motion is far more complicated than a keyboard’s.

    It’s easier than you think. You don’t need to record the mouse movement, only the position it is at when clicked, and a screen capture at the same time. All very, very easy.

    Leo
    04-Oct-2012
  9. Hi Leo, I have a lot of security issues with my Windows 7 computer. I use the Firefox browser. Some time back when I logged back on my computer, Firefox showed in its history that I had visited a bank website. I remember very well that I did not visit any bank, and when I clicked on the link it said wrong password. Can keyloggers access your computer when you have logged off?

    Malware can do that, yes. Keyloggers are nothing more than a form of malware.

    Leo
    23-Nov-2012
  10. How about when I use software like Sandbox? Will it protect me?

    There are no guarantees, no. It may protect you from some things, so it increases your security, but depending on how keyloggers and malware in general are written they may still be at work.

    Leo
    30-Jan-2013
  11. What does anyone recommend to find/combat/delete keyloggers? The only one I have heard of is Zemana. Is that any good? Does it just make me FEEL like I am protected?

    • There is nothing NOTHING that is 100% successful at stopping keyloggers. This is important: software keyloggers are just another form of malware. Do everything you normally do to prevent malware, and you’ll be preventing keyloggers.

  12. About the OSK: If I were to move the OSK around the screen between clicks, this would seem somewhat of a deterrent to malware determining keystroke by click location.

  13. Absolutely nothing is foolproof. One must always be careful when it comes to passwords, etc. I would never encourage anyone to keep passwords on the computer…never! Keep your computer scanned, using a very reputable Internet security program. Also there are great anti-malware programs to buy as well. Whenever you feel your computer or account may be compromised, I’d strongly suggest you call the involved financial institution or whatever to have them reset your password. Have your technician clean your computer as well.

  14. Very good article Leo, really appreciate it, keep up the good work. I hope I am still on the topic with my question. I would like to know something from an expert in this area like you. Can I get my computer infected with such advanced keyloggers just by clicking on somebody’s link without downloading and installing any files on my computer? Or maybe even just by opening an email and without clicking on any links? How about just connecting an external disk (for example a memory card) to my computer? Are all these things I’ve mentioned above really all that risky?

    • The answer is yes and no. It really depends on if you are being targeted or not. In other words, every single email, and every single thumbdrive, is not going to be full of malware. But some of them could be. I would like to point you at the following article which Leo just published: https://askleo.com/vulnerable-points-path-privacy/

      Always remember that when you are talking about a “Keylogger” that you are really simply talking about malware. In some instances you could also be talking about a hardware compromise. But in the long run, everything that you do to protect yourself from malware is also protecting you from Keyloggers.

  15. leo, buddy … the only way you will convince most earlier netizen respondents is for you to record a video and show (for each method) how a typical keylogger will successfully circumvent microsoft’s security features. btw, leo … thanks for sharing the knowledge ‘n expertise on the matter. you have, veritably, opened many others’ eyes.

  16. So the clipboard can be watched. Do keyloggers also work if you work from a virtual machine in combination with a flash LIVE USB + Tails + VPN? Can keyloggers even then log your passwords and such???

    if the answer is yes then people should buy software to protect themselves

    • This is a common misunderstanding about keyloggers. Think of it this way: a keylogger is a thief. Just like a thief who comes into your own home. You would never leave your door unlocked so that any thief can come in, and then work diligently to find clever ways to hide valuables inside. No. You would keep the door locked, and then live your life. So the whole strategy should be to keep keyloggers out of your computer… not what to do once they hack in. If you want to buy software to protect yourself spend that money on good malware protection.

    • A virtual machine wouldn’t stop all keyloggers. The keystrokes can be monitored at a lower level before the keystrokes get sent to the virtual machine. A virtual machine is simply a program which runs on your OS to install and run another OS. It doesn’t bypass your OS. It piggybacks on it. Running a live OS from a flash drive or optical disc would circumvent a software keylogger as it simply wouldn’t load, but it is still vulnerable to a hardware keylogger. The best protection against software keyloggers is the same as prevention of any kind of malware. The protection against hardware (and some software) keyloggers is to not allow anyone you don’t trust 100% to get their hands physically on your machine.
      https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/

  17. I think using sandbox type software does help; for example, ‘Sandboxie’ is free. They claim any external keylogger attempt will register an error message. Although I have not tested, maybe someone can put a light on it.

  18. Okay, so how do you get a keylogger off your computer if you think you have one, and what is the best program to do that?

  19. LastPass (from LogMeIn) is the best way to go, for convenience and remembering passwords.

    In 99% of cases, it is able to autofill your ID and password onto the screen

    I used to use Norton Identity Safe for a few years, but it kept breaking after they removed their separate FREE version and included it only with their products, or your free Comcast or CenturyLink version. Just had many issues with my customers (I am a computer specialist that helps retired folks in Florida with their computer issues).

    I have been using last pass for well over a year and no issues…

    Pertinent to this conversation thread…..
    CAN ANY TECH COMMENT ON WHETHER OR NOT A PRODUCT LIKE LASTPASS OR ID SAFE OR WEBROOT that autofills passwords can have their autofilled passwords grabbed by a keylogger etc…

    • If you have a keylogger — or any form of malware — on your machine the passwords pasted in by pass vaults — all of them — can be captured. Malware can do anything.

  20. Also why not make use of firewalls that would monitor outgoing traffic (logged keystrokes sent to hacker) and block them?..
    [This is according to Keylogging software not hardware keyloggers..]

    • We should rely on not getting infected with malware — be it keyloggers or anything else — in the first place. Once you’re infected ALL bets are off.
