Helping people with computers... one answer at a time.

A password tool may bypass a few keyloggers - but that's no reason to use it. You should be thinking of your overall computer and account safety.

Leo, if one uses a password filler such as RoboForm and your computer gets infected with a malware keylogger, can it pick up your passwords when you aren't actually typing them in? If not, this makes a very good case for having an encrypted password filler such as RoboForm or the others you've mentioned in past columns.

In this excerpt from Answercast #100, I look at why it's better to avoid malware altogether than to worry about certain things the malware may do if you are infected.

Password tool bypassing keyloggers

So to answer your specific question, "Can a keylogger log what is pasted by tools like RoboForm or LastPass?" The answer is no.

But before you go getting all excited, it's incredibly important to realize that if you've got a keylogger, you've got malware on your machine. Malware can actually do anything!

When we say "keylogger," we're only talking about a specific kind of malware. You could have other malware or you could have some other form of a keylogger.

A keylogger is malware

One of the things that I talk about constantly, in several articles on my site, is ways of bypassing keyloggers.

"Keylogger" is a very unfortunate term. I say that because we think of keyloggers as logging only keystrokes. And that's why I said - if you've got a keylogger that's logging only keystrokes and if you're not making any keystrokes - there's nothing to log.

However, keyloggers that log only keystrokes are not the only kind of malware out there. They're not the only kind of keylogger that's out there.

A "keylogger" could very easily monitor and watch what's being pasted in by applications. It could monitor the funnel that RoboForm and LastPass use to put passwords into forms. Keyloggers can monitor a lot more than just keys. They can monitor mouse movement. They can take a screenshot to show where the mouse was clicked. They can do all sorts of things that would, for example, defeat onscreen keyboards.

Intercepting what's going on between RoboForm and LastPass and your browser and the places that those passwords are getting put is not that difficult for a more powerful keylogger.

In other words, it's not that hard for "malware." Because that's all a keylogger is; it's just a form of malware.

Prevent malware on your computer

So let's stop thinking about it as keyloggers and start thinking about it as malware. Malware can do anything - and, yes, absolutely... malware can capture what's happening between RoboForm and LastPass and your browser.

That's not an argument against using RoboForm or LastPass. We'll talk about that in a second. What it's a very strong argument for is - don't get malware in the first place!

Don't worry so much about keyloggers and worry more about malware in general. Don't let your machine get infected because whatever you get infected with (like I keep saying) it could do just about anything that it wants to!

So focus your energies on actually doing all the different things that it takes to stay malware free and less about trying to avoid specific types of malware like keyloggers that happen to log only keystrokes.

Password tools for security

Now, RoboForm and LastPass still have a very, very important role. The reason I so strongly recommend people use RoboForm and LastPass is so that they are using multiple, different, hard-to-remember, secure passwords on multiple sites.

Most people, if they're not using a tool like this, do a number of things that compromise the security of passwords:

  • They use short passwords.

  • They use passwords that they can remember.

  • They write them on sticky notes.

  • They use the same password everywhere.

You get the idea. They do a lot of different things that basically reduce their overall security.

Increase your overall security

By using a tool like RoboForm or LastPass, you are then allowing yourself to:

  • Use complex passwords.

  • Use a different password for every site.

  • Use passwords that you may never remember - but you don't have to because RoboForm and LastPass are remembering them for you.

That's the value that they add. Hiding from malware, hiding from keyloggers is not the point of these tools. Allowing you to use and choose more secure passwords and use them more securely across all of your different logins - that's why you want to use a tool like LastPass or RoboForm.

(Transcript lightly edited for readability.)

Article C6372 - March 30, 2013

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

4 Comments
JakeC
April 2, 2013 7:08 AM

Thanks Leo. I've been using RoboForm for years and have wondered about this myself. I guess we can't protect ourselves against everything, but I definitely feel more secure using RoboForm.

Tony M.
April 3, 2013 5:35 AM

I've been using LastPass for about a year or so; I haven't had any problems. However, highly technical/proprietary information aside, I wish I knew a little more about how it does its job.

The reason for my concern? I'm using LastPass ONLY because it's highly recommended ... not just by Leo, by the way, but also by many other credible mainstream sources. However, without knowing a little more about the way it works, I remain feeling a little unsettled, frankly. I'm just one of those folks who tries to understand, thus helping me to make better use of a product as well as understanding its limitations and vulnerabilities, if any.

Actually a couple of years ago Steve Gibson dove into LastPass in some detail. He dedicated an entire episode of the "Security Now" podcast to it: Episode 256 recorded July 9, 2010: LastPass Security. I know LastPass gets mentioned at other times on the show, but that particular episode is what convinced me.
Leo
03-Apr-2013

Greycoat
April 4, 2013 7:38 AM

I agree the main concern and point is to avoid keeping malware off one's computer in the first place if possible; however, when you try out freeware like I do even downloaded from reputable download sites, even testing it with VirusTotal and Jotti if it falls within their size limitations, mistakes do happen. So I do use LastPass now and just started yesterday using a program from Alpin Software called Neo’s SafeKeys v3 which complements or rather addresses the "shortcomings" Leo so keenly addressed that password managers don't address concerning malware, i.e. mouse movements and screen captures by malware. This little package looks like a nice little addition to address those concerns and it's free too. You can install either the portable version or the installer self install version and I would personally do the portable version and create your own shortcut. Ran both through VirusTotal and the portable (current version) came up clean and the self installer version when checked out by VirusTotal's antivirus's 46 scanners had just one hit, most likely a false positive from TrendMicro-HouseCall for TROJ_GEN.F47V0723. By the way, I have the installer file on my computer and ran the commercial online version of HouseCall yesterday and it was scanned with the rest of my system with no problems detected, i.e. no hits like VirusTotal reported. BitDefender Free Antivirus and Malwarebytes found no problem either. The downloadable Microsoft antivirus scanner found no problem on the file either and that is why I say it most likely is a false positive. But to be completely safe, just download the portable version if the free program meets a need, run it yourself through VirusTotal, unzip it, and put it in your program files folder, create a shortcut to the .exe file, and give it a try. You can enter passwords using this little keyboard that can be transparent, so they claim, to malware screen captures and mouse movements.
Leo, if you see this I would love your expert opinion on this software (Alpin did not come up in a search on your site), and if there is something better out there, particularly free like this one, I'd love to read the review and check it out too. :)

K.Vee.Shanker.
April 10, 2013 2:26 AM

Thanks Leo. The problem with most of us, which definitely includes myself, is we unconsciously believe every facility/security to be perfect. Only after reading the articles like yours, I've started recognizing the inherent limitations & vulnerabilities (as nicely put by Tony) in any arrangement/system.

I'm grateful to all of you (Leo and his commenters) for that.
