Helping people with computers... one answer at a time.
Regardless of what techniques a password utility might use, it is possible that it could still be logged, even if it bypasses the keyboard.
Do you know if a keylogger can read a password that Roboform2go fills in that is displayed only as dots on a site's web page?
In this excerpt from Answercast #56, I take another look at keylogging software and what it may be capturing from an infected machine.
Do I know for certain? No. The fact is that keyloggers should more correctly be considered to be "activity" loggers.
A couple of things are going on here. One is: just because something is displayed as dots doesn't mean that the keystrokes weren't given to the system as keystrokes.
Dots are common; that's typically how Password fields (the fields into which you type your password) will display the characters that you've typed in. They do that so that somebody walking by can't see your password on the screen: they're replaced by asterisks or dots.
Now, is Roboform2go entering keystrokes? I don't know. Are they bypassing keystrokes and doing something else fancy?
But you know what? It doesn't matter.
If you've got keylogging software on there, it could be logging anything! It could be logging all of the techniques that RoboForm or any other password software could be using. It could log any of that. And it could capture any of that.
The bottom line is...if you've got a keylogger on your machine, you've got malware on your machine and malware can do anything:
They can log your activity.
They can know what keystrokes were hit.
They can know what was on the screen.
They can know what was pasted in through the Clipboard.
They can know what was passed in under the table using backhanded Windows APIs that maybe some of these password utilities try to use to avoid common keystroke loggers.
You just don't know. It is very possible that regardless of what techniques this password utility uses it could still be logged regardless of how it bypasses the keyboard and what's displayed on the screen.
If you can't trust the machine you're about to enter a password on (and it
doesn't matter how you enter it), then you probably shouldn't enter your
password! There are too many ways that it can still be recorded.
Next from Answercast 56 - Is it OK to install this software that an online streaming service says I need?
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.