
Will Using an On-Screen Keyboard Stop Keyloggers?

Closeness doesn’t count

Using an on-screen keyboard instead of a real keyboard might stop some keyloggers, but there's no guarantee that other techniques aren't also being used.
Will using the on-screen keyboard in Windows stop keyloggers?

The short answer is very simple: no.

I get a surprising amount of push-back on this, but the truth remains: while it might stop some, it’s nothing you can count on to be 100% effective.

Keyloggers are a form of malware that record your keystrokes to capture things like your login usernames and passwords so hackers can get into your accounts. Let’s look at the path of keystrokes from your finger to your computer to see the various ways your keystrokes can be intercepted and logged.



An on-screen keyboard can protect you from hardware-based keyloggers. It may even prevent some classes of keyloggers from intercepting your keystrokes. Unfortunately, because an on-screen keyboard is indistinguishable from a real keyboard to the program into which you are typing, there remain keylogging techniques an on-screen keyboard will not protect you from. Remember, a keylogger is just one specific type of malware, and malware can do anything once it’s on your machine.

The keyboard connection

Typically, when you type a key, a microprocessor within the keyboard sends signals via the cable connecting it to your computer.

Here we encounter the first point of vulnerability. No, not the microprocessor in the keyboard (technically possible, but exceptionally unlikely) — but the cable, or rather, what the cable plugs into.

Particularly lucrative targets are public computers, where someone comes along and installs a physical device between the computer and keyboard: a device that intercepts and logs every keystroke entered. Sometime later they come back, remove the device, and take with it all the information users of that computer entered.

As it turns out, wireless keyboards can be worse. Wireless keyboards actually broadcast the keystrokes you’re typing. Any receiver within range can “listen in”. Wireless keyboards do encrypt their data, so in theory, the information should be safe, but the quality of the encryption can vary based on the age of the keyboard and the vendor. In addition, the concept of “in range” turns out to be much further than most people think, particularly for a thief with equipment dedicated and tuned to this purpose.

The good news is that your on-screen keyboard does protect you against these two specific types of keyboard-related threats. By using an on-screen keyboard, you’re bypassing those components of the keyboard hardware that could be compromised.

The bad news is that hardware-based keyloggers are rare. Much more common are software-based threats.

The keyboard software

Once your keystrokes arrive at the computer from the keyboard, they are processed by a keyboard device driver which (to oversimplify) handles the translation of the keyboard “scan codes”, as they’re called, to the letters, numbers, and symbols Windows applications expect.

Keyloggers typically insert themselves into the receiving end of this process: they get the keystrokes from the keyboard as they are passed on to Windows.

This is where the on-screen keyboard scenario gets interesting.

The on-screen keyboard application is a “virtual” keyboard. It has its own device driver, which, to Windows, “looks like” a real keyboard.

As a result, the keystrokes it sends to Windows can quite easily be captured by the same keylogging software capturing keystrokes from the real keyboard, if that keylogger has been installed in the proper place.

But it gets worse. Much worse, actually.

A keylogger is just malware

Perhaps the most important concept to remember here is that keyloggers are just another form of malware.

And malware can do anything; keyloggers can capture much more than just keystrokes.

You use the on-screen keyboard by using your mouse to point and click at the image of a key on the keyboard. A keylogger could, then, for every mouse click:

  • Capture the location of the mouse on the screen.
  • Capture a screenshot image of the screen, or just the area “around” the mouse pointer.

The keylogger has captured a series of images showing exactly where you clicked and in what order. In other words, it’s captured your virtual keystrokes.

Note that this approach to keylogging also bypasses one of the more common so-called security techniques of randomizing the keyboard layout on the screen. You still have to be able to see where to click, and the logger simply logs what you see and where you click, regardless of how the keyboard is laid out.

Keyloggers as threats

How big a threat is all this?

It depends on whom you ask. In my opinion, “normal” keyloggers — those that record only keystrokes — are a fairly common threat, and are one reason why anti-malware protection, general internet safety, and the use of common sense are so important. So yes, they’re out there.

The real question is, how pervasive are the more sophisticated keyloggers: those that go beyond capturing keyboard keystrokes and use other techniques to effectively achieve the same result?

It’s hard to say, but I have to say it again: keyloggers are “just” malware. If they’re on your machine at all, you have a problem, and that problem may not be limited to logging what you type. Like any malware, you might not even realize it’s there until it’s too late. As a result, focusing on solutions targeted only at thwarting keyloggers is not only fundamentally misguided; it diverts your attention from a much bigger problem. If you have a keylogger, you have malware.

Focus on avoiding or removing malware of all sorts, and you’ll be avoiding or removing keyloggers as a side effect.

And I would never rely on a virtual keyboard of any sort as a security measure.


50 comments on “Will Using an On-Screen Keyboard Stop Keyloggers?”

  1. There is a much better option than using the onscreen keyboard. To defeat keyloggers, I used to carry my login IDs and passwords in my USB pen drive and copy and PASTE them into place, NOT TYPE them. This will defeat hardware keyloggers. Passwords are entered as ****** in most cases, which will defeat image-capturing keyloggers.

    Unless, of course, the keylogger is also watching the clipboard for anything you might copy/paste. VERY easy for a keylogger to do.

    – Leo
    • The worst practice I’ve ever heard. Carrying credentials on a pen drive? What if you lose the pen drive? Which is very possible.

      I can prepare a script that will silently copy all files on your pen drive

  2. Once again I can offer what I use to defeat
    A program called KeyScrambler.
    It’s a great program.
    Works in firefox and IE browsers.

    And once again I’ll express my extreme skepticism at any software that you have to install as being able to defeat a sufficiently sophisticated keylogger. IMO: it can’t be done, and these utilities are a waste of time.

    – Leo
  3. I guess it is the responsibility of websites to establish a security layer. They should ask for partial passwords and not the full password. For example, a user has an 8-character password. The website should display fewer than 8 boxes and ask the user to, say, enter the 1st, 4th, 6th and 7th characters of the password. Every time the user tries a login, these places should be randomized so that every time, the website asks for different characters of the same user’s password.
    This can reduce password thefts to a significant extent, but not 100%.

  4. On-screen keyboard doesn’t defeat keyloggers. I use a keylogger on my own computer, so I can tell when people have been using it while I’m gone. It records everything the on-screen keyboard does.

  5. I am by no means an expert in these matters; however, I have to agree that KeyScrambler is an effective tool against keyloggers. I added the plugin to Firefox and downloaded trial versions of 2 commercial keyloggers that work invisibly at the kernel level.

    When I input data into any website, the keyloggers recorded either nothing or gibberish.

    Perhaps you don’t want the keyloggers named on your site, but I would be happy to provide the names on request.

  6. One method that DOES defeat keyloggers (correct me if I’m wrong) is moving the cursor mid-password by clicking it in a different location or even outside the password field.

    For instance, if your password is “12534,” first type “1234,” click the mouse after the second character, and type in “5.” The keylogger will record “12345” but the browser will send your correct password to the server. To further thwart the attacker, after typing “5” click the mouse anywhere outside the field and type “67”; then, click the mouse in the password field again and hit Enter. The keylogger will record “1234567,” which is nowhere near the real “12534” password.

    It should go without saying but, for this to work, you HAVE to use the mouse and not the arrow keys on the keyboard!

    This will not defeat keyloggers. Keyloggers often log much more than keystrokes, and include mouse movements, clicks and even screen shots.


  7. Michael Steiner, my WoW account got hacked by a keylogger a while back, I believe. I ended up getting the account back before any harm was done, but ever since then I’ve done what you have done to an extreme. I would purposely write part of my long password out, going back and forth using that method you said. I haven’t had a problem since, but one can’t be too sure. I just read that there are also screen loggers, just not as many.

    An example of the password style I’m talking about would be to take the names of three things, mesh them together, and add some numbers, then do what you said. Let’s use the words heavy, Practice and Brisk, as well as 2 or 3 numbers. Combined, I would probably do it like RactIEavYBriS951, but the way I would enter it would be like IEavRaBrctiS159, going back and forth with mouse clicks, making sure to get the password just right. ^^ And I don’t get hacked anymore. And if you think that password is hard to remember, my long ass email password is longer, I believe.

  8. Well, your theory of ‘mouse key(?) stroke logger’ sounds scary, but there is no known software to do that correctly. Mouse motion is far more complicated than a keyboard.

    It’s easier than you think. You don’t need to record the mouse movement, only the position it is at when clicked, and a screen capture at the same time. All very, very easy.

  9. Hi Leo, I have a lot of security issues with my Windows 7 computer. I use the Firefox browser. Some time back, when I logged back on to my computer, Firefox showed history that I had visited a bank website. I remember very well that I did not visit any bank, and when I clicked on the link it said wrong password. Can keyloggers access your computer when you have logged off?

    Malware can do that, yes. Keyloggers are nothing more than a form of malware.

  10. How about when I use software like Sandbox? Will it protect me?

    There are no guarantees, no. It may protect you from some things, so it increases your security, but depending on how keyloggers and malware in general are written they may still be at work.

  11. What does anyone recommend to find/combat/delete keyloggers? The only one I have heard of is Zemana. Is that any good? Does it just make me FEEL like I am protected?

    • There is nothing NOTHING that is 100% successful at stopping keyloggers. This is important: software keyloggers are just another form of malware. Do everything you normally do to prevent malware, and you’ll be preventing keyloggers.

  12. About the OSK: If I were to move the OSK around the screen between clicks, this would seem somewhat of a deterrent to malware determining keystroke by click location.

  13. Absolutely nothing is foolproof. One must always be careful when it comes to passwords, etc. I would never encourage anyone to keep passwords on the computer… never! Keep your computer scanned, using a very reputable Internet Security Program. Also, there are great anti-malware programs to buy as well. Whenever you feel your computer or account may be compromised, I’d strongly suggest you call the involved financial institution or whatever to have them reset your password. Have your technician clean your computer as well.

  14. Very good article, Leo, really appreciate it, keep up the good work. I hope I am still on topic with my question. I would like to know something from an expert in this area like you. Can I get my computer infected with such advanced keyloggers just by clicking on somebody’s link without downloading and installing any files on my computer? Or maybe even just by opening an email and without clicking on any links? How about just connecting an external disk (for example a memory card) to my computer? Are all these things I’ve mentioned above really all that risky?

    • The answer is yes and no. It really depends on if you are being targeted or not. In other words, every single email, and every single thumbdrive, is not going to be full of malware. But some of them could be. I would like to point you at the following article which Leo just published:

      Always remember that when you are talking about a “Keylogger” that you are really simply talking about malware. In some instances you could also be talking about a hardware compromise. But in the long run, everything that you do to protect yourself from malware is also protecting you from Keyloggers.

  15. leo, buddy … the only way you will convince most earlier netizen respondents is for you to record a video and show (for each method) how a typical keylogger will successfully circumvent microsoft’s security features. btw, leo … thanks for sharing the knowledge ‘n expertise on the matter. you have, veritably, opened many others’ eyes.

  16. So the clipboard can be watched. Do keyloggers also work if you work from a virtual machine in combination with flash LIVE USB+Tails+VPN? Can keyloggers even then log your passwords and such?

    If the answer is yes, then people should buy software to protect themselves.

    • This is a common misunderstanding about keyloggers. Think of it this way: a keylogger is a thief. Just like a thief who comes into your own home. You would never leave your door unlocked so that any thief can come in, and then work diligently to find clever ways to hide valuables inside. No. You would keep the door locked, and then live your life. So the whole strategy should be to keep keyloggers out of your computer… not what to do once they hack in. If you want to buy software to protect yourself spend that money on good malware protection.

    • A virtual machine wouldn’t stop all keyloggers. The keystrokes can be monitored at a lower level before the keystrokes get sent to the virtual machine. A virtual machine is simply a program which runs on your OS to install and run another OS. It doesn’t bypass your OS. It piggybacks on it. Running a live OS from a flash drive or optical disc would circumvent a software keylogger as it simply wouldn’t load, but it is still vulnerable to a hardware keylogger. The best protection against software keyloggers is the same as prevention of any kind of malware. The protection against hardware (and some software) keyloggers is to not allow anyone you don’t trust 100% to get their hands physically on your machine.

  17. I think using sandbox-type software does help; for example, ‘Sandboxie’ is free. They claim any external keylogger attempt will register an error message. Although I have not tested it, maybe someone can shed light on it.

  18. Okay, so how do you get a keylogger off your computer if you think you have one, and what is the best program to do that?

  19. LastPass (from LogMeIn) is the best way to go, for convenience and remembering passwords.

    In 99% of cases, it is able to autofill your ID and password onto the screen

    I used to use Norton Identity Safe for a few years, but it kept breaking after they removed their separate FREE version and included it only with their products, or your free Comcast or CenturyLink version. I just had many issues with my customers (I am a computer specialist who helps retired folks in Florida with their computer issues).

    I have been using LastPass for well over a year and no issues…

    Pertinent to this conversation thread…
    CAN ANY TECH COMMENT ON WHETHER OR NOT A PRODUCT LIKE LASTPASS OR ID SAFE OR WEBROOT that autofills passwords can have their autofilled passwords grabbed by a keylogger etc…

    • If you have a keylogger — or any form of malware — on your machine the passwords pasted in by pass vaults — all of them — can be captured. Malware can do anything.

  20. Also, why not make use of firewalls that would monitor outgoing traffic (logged keystrokes sent to hacker) and block them?
    [This is according to Keylogging software not hardware keyloggers..]

    • We should rely on not getting infected with malware — be it keyloggers or anything else — in the first place. Once you’re infected ALL bets are off.

  21. What about one time passwords? For example, Amazon accounts can be set up so that after entering a regular password, a one time password is sent to the user’s mobile number which then needs to be entered. As the name suggests, one time passwords can only be used once. Even if a one time password was recorded by keylogging/screen capture malware, it would be useless for future hacking attempts. Some banks also employ the one time password and regular password method.

    Do you think one time passwords can provide the last line of defence against malware if other defences fail?

      • There is one very specific exception to this — a way that two-factor can be compromised. If the keylogger is REAL TIME — meaning that the hacker is actively watching what you type as you type it, he could be responding to the very same two-factor prompt that you are at the same time (and the system has to allow two logins to happen simultaneously). This typically requires what’s called a man-in-the-middle attack, however, which is both difficult and extremely rare.

        • That’s one argument against receiving a one time password via email. But with SMS (text message) 2FA, the hacker would also have to be hacked into your phone. For SMS 2FA hacking, it seems like it’s theoretically possible to do but you’d have to be specifically targeted and the cost of doing that would make it almost a non-issue for the average person as there are so many easier targets.

          • Actually in the context of a keylogger I’m not concerned with how you get the phone, but where you’re entering it. Imagine a hacker has a keylogger installed on your system, and he’s watching it in real time. He watches you go to a site to login and — in real time — mimics every step you take. Including also entering the 2FA code you get that he sees. Like I said, rare, highly unlikely, but possible.

  22. This comment is only marginally related to the article but there is one thing I’ve found the Onscreen keyboard useful for. Somehow my computer was in Scroll Lock (ScrLk) mode and made navigating in Excel a disaster. My laptop doesn’t have a ScrLk key. Running the Onscreen keyboard gave me access to it to turn it off. So, it might help if you need a key which doesn’t happen to be on your physical keyboard.

