A password tool may bypass a few keyloggers - but that's no reason to use it. You should be thinking of your overall computer and account safety.
Leo, if one uses a password filler such as RoboForm and your computer gets infected with a malware keylogger, can it pick up your passwords when you aren't actually typing them in? If not, this makes a very good case for having an encrypted password filler such as RoboForm or the others you've mentioned in past columns.
In this excerpt from Answercast #100, I look at why it's better to avoid malware altogether than to worry about certain things the malware may do if you are infected.
So to answer your specific question, "Can a keylogger log what is pasted by tools like RoboForm or LastPass?" The answer is no.
But before you go getting all excited, it's incredibly important to realize that if you've got a keylogger, you've got malware on your machine. Malware can actually do anything!
When we say "keylogger," we're only talking about a specific kind of malware. You could have other malware or you could have some other form of a keylogger.
One of the things that I talk about constantly, in several articles on my site, is ways of bypassing keyloggers.
"Keylogger" is a very unfortunate term. I say that because we think of keyloggers as logging only keystrokes. And that's why I said - if you've got a keylogger that's logging only keystrokes and if you're not making any keystrokes - there's nothing to log.
However, keyloggers that log only keystrokes are not the only kind of malware out there. They're not the only kind of keylogger that's out there.
A "keylogger" could very easily monitor and watch what's being pasted in by applications. It could monitor the funnel that RoboForm and LastPass use to put passwords into forms. Keyloggers can monitor a lot more than just keys. They can monitor mouse movement. They can take a screenshot to show where the mouse was clicked. They can do all sorts of things, for example, that would defeat onscreen keyboards.
Intercepting what's going on between RoboForm or LastPass and your browser, and the places where those passwords are being put, is not that difficult for a more powerful keylogger.
In other words, it's not that hard for "malware." Because that's all a keylogger is; it's just a form of malware.
So let's stop thinking about it as keyloggers and start thinking about it as malware. Malware can do anything - and, yes, absolutely... malware can capture what's happening between RoboForm or LastPass and your browser.
That's not an argument against using RoboForm or LastPass. We'll talk about that in a second. What it's a very strong argument for is - don't get malware in the first place!
Don't worry so much about keyloggers and worry more about malware in general. Don't let your machine get infected because whatever you get infected with (like I keep saying) could do just about anything that it wants to!
So focus your energies on actually doing all the different things that it takes to stay malware free and less on trying to avoid specific types of malware like keyloggers that happen to log only keystrokes.
Now, RoboForm and LastPass still have a very, very important role. The reason I so strongly recommend people use RoboForm and LastPass is so that they are using multiple, different, hard-to-remember, secure passwords on multiple sites.
Most people, if they're not using a tool like this, do a number of things that compromise the security of passwords:
They use short passwords.
They use passwords that they can remember.
They write them on sticky notes.
They use the same password everywhere.
You get the idea. They do a lot of different things that basically reduce their overall security.
By using a tool like RoboForm or LastPass, you are then allowing yourself to:
Use complex passwords.
Use a different password for every site.
Use passwords that you may never remember - but you don't have to because RoboForm and LastPass are remembering them for you.
That's the value that they add. Hiding from malware, hiding from keyloggers is not the point of these tools. Allowing you to use and choose more secure passwords and use them more securely across all of your different logins - that's why you want to use a tool like LastPass or RoboForm.
(Transcript lightly edited for readability.)