Prevent keyloggers from grabbing your passwords

By Scott Dunn

Strong passwords are important, but even the best password won’t keep you safe from keyloggers — hardware and software that’s designed to secretly record your keystrokes.

Fortunately, there’s a way you can enter sensitive data so it’s extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google’s Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file.

Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

UPDATE 2009-09-24: In his Sept. 24, 2009, Top Story, Scott Dunn provides more tips for avoiding keyloggers when using a public PC.

Windows’ On-Screen Keyboard app is also logged

If you’re using a computer you aren’t sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:
  • “I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there’s no shortcut or link to it, so most people don’t know it exists! You can launch it by entering osk in the Run command.

    “Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured.”
Kenneth’s suggestion may help against hardware keyloggers, which sit between the physical keyboard and the PC and therefore never see a mouse click on an on-screen key. Unfortunately, the program provides no defense against software keyloggers. Windows’ On-Screen Keyboard delivers its input to applications as ordinary keystrokes, just as though you’d pressed the keys on a keyboard, so a software logger that hooks keyboard input records them all the same.

The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor’s site.)

Holes in anti-keylogging software protection

Another alternative that’s often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can’t vouch for them.

Anti-keylogging software, even if it were effective in its stated mission, wouldn’t prevent your password from being intercepted by a hardware keylogger. The sad fact is that a well-deployed keylogger is undetectable in practice: on a public or unsecured computer you can’t tell whether it carries a hardware keylogger, a software keylogger, or no keylogger at all.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the “revised Vesik method” for entering passwords:

  • Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.

  • Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with real fragments of the password makes it harder for anyone reading the keylogger’s file to tell which characters are your password.)

  • Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.

  • Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.

  • Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger’s log file with a series of click events and characters. There’s no easy way for the intruder to know which characters are your password and which are random.

The key is to select and gradually overtype gibberish characters with your actual password characters. Don’t simply type some garbage, backspace over it, and then enter your real password: a Backspace is itself a keystroke, so it lands in the log, and anyone replaying the log just deletes the preceding character and ends up with your password. Most keyloggers compensate for backspacing in exactly this way, but they can’t keep track of which characters you selected with the mouse and overtyped; all they record is a click.

As Saxon points out, this method isn’t foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don’t use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.
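To make the difference concrete, here is an added example (not code from the article or from Saxon’s site) that models the steps above in Python: a password box, a software keylogger that records every keystroke plus a bare click marker for mouse activity, and an attacker’s replay script that honours Backspace but has nothing to go on for mouse selections. The password, the noise alphabet, the fixed seed and the event model (caret always at the end of the field, a mouse drag highlighting the last few characters) are all constructed for the demonstration; the final longest-common-subsequence step is the two-visit comparison attack Saxon warns about.

```python
"""Model of what a software keylogger records for the backspace habit versus the
revised Vesik method, and what an attacker can reconstruct from the log.
Everything here (event model, alphabet, password, seed) is constructed for the demo."""
import random
import string
from typing import List, Tuple

Event = Tuple[str, str]   # ("key", char-or-BACKSPACE) | ("select", "n") | ("click", "")
BACKSPACE = "\b"

def field_state(events: List[Event]) -> str:
    """Ground truth: the text actually sitting in the password box.
    Assumption: the caret stays at the end; a mouse 'select' highlights the last n
    characters, and whatever is typed next replaces the highlight."""
    text, selected = "", 0
    for kind, payload in events:
        if kind == "select":
            selected = int(payload)
        elif kind == "click":                  # a bare click just drops the highlight
            selected = 0
        elif selected:                         # typing over a highlight replaces it
            text, selected = text[:-selected], 0
            if payload != BACKSPACE:
                text += payload
        elif payload == BACKSPACE:
            text = text[:-1]
        else:
            text += payload
    return text

def keylogger_log(events: List[Event]) -> List[str]:
    """What the logger writes: every keystroke (Backspace included) and a bare
    '[click]' marker for mouse activity. It never learns what a drag highlighted."""
    return ["[click]" if kind != "key" else ("[BS]" if ch == BACKSPACE else ch)
            for kind, ch in events]

def attacker_replay(tokens: List[str]) -> str:
    """Replay the log the way an analysis script would: honour Backspace, ignore clicks."""
    text = ""
    for tok in tokens:
        if tok == "[BS]":
            text = text[:-1]
        elif tok != "[click]":
            text += tok
    return text

def random_chars(n: int, rng: random.Random) -> str:
    alphabet = string.ascii_letters + string.digits + "!#$%&*@"
    return "".join(rng.choice(alphabet) for _ in range(n))

def backspace_entry(password: str, rng: random.Random, noise_len: int = 3) -> List[Event]:
    """The habit the article warns against: type junk, backspace over it, type the password."""
    events = [("key", c) for c in random_chars(noise_len, rng)]
    events += [("key", BACKSPACE)] * noise_len
    return events + [("key", c) for c in password]

def vesik_entry(password: str, rng: random.Random, chunk: int = 3, rounds: int = 2) -> List[Event]:
    """Steps 1-5 of the revised Vesik method, one password segment at a time: type junk,
    highlight it with the mouse, overtype with fresh junk (repeated), overtype with the
    real segment, then click and move on to the next segment."""
    events: List[Event] = []
    for i in range(0, len(password), chunk):
        events += [("key", c) for c in random_chars(chunk, rng)]          # step 1
        for _ in range(rounds):                                             # steps 2-3
            events.append(("select", str(chunk)))
            events += [("key", c) for c in random_chars(chunk, rng)]
        events.append(("select", str(chunk)))
        events += [("key", c) for c in password[i:i + chunk]]               # real characters
        events.append(("click", ""))                                        # steps 4-5
    return events

def is_subsequence(needle: str, haystack: str) -> bool:
    it = iter(haystack)
    return all(ch in it for ch in needle)

def lcs(a: str, b: str) -> str:
    """Longest common subsequence: the two-visit comparison attack Saxon warns about."""
    table = [[""] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            table[i + 1][j + 1] = (table[i][j] + ca if ca == cb
                                   else max(table[i][j + 1], table[i + 1][j], key=len))
    return table[-1][-1]

def demo(password: str = "Tr0ub4dor&3") -> dict:
    """Run every scenario with a fixed seed and report what each side ends up with."""
    rng = random.Random(2009)
    bs = backspace_entry(password, rng)
    visit1, visit2 = vesik_entry(password, rng), vesik_entry(password, rng)  # same PC, twice
    r1, r2 = attacker_replay(keylogger_log(visit1)), attacker_replay(keylogger_log(visit2))
    return {
        "backspace_field": field_state(bs),
        "backspace_replay": attacker_replay(keylogger_log(bs)),   # attacker wins outright
        "vesik_field": field_state(visit1),
        "vesik_replay": r1,                                       # password buried in junk
        "two_visit_lcs": lcs(r1, r2),                             # junk differs, password repeats
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>17}: {value!r}")
```

Running it shows the backspace habit handing the attacker the password verbatim, the Vesik log replaying to a 47-character string that merely contains the 11-character password as a subsequence, and the longest common subsequence of two visits coming out at least as long as the password (typically the password plus a few coincidental junk characters), which is why reusing the method on the same untrusted PC is the weak spot.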

However, most crooks are looking for “low-hanging fruit.” They’ll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don’t conceal their passwords in noise, so keyloggers don’t compensate for it.

If you have no choice but to sign in to a site on a PC you aren’t sure of, protecting your password is a difficult problem with no perfect solution. Several programs, such as RoboForm2Go, offer password-protection schemes that differ from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.

Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend’s PC.

Contributing editor Scott Dunn is the co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

All Windows Secrets articles posted on 2009-09-10: