
Will Using a Password Vault Thwart a Keylogger?

Sometimes. But you’re asking the wrong question.

A password tool may bypass a few keyloggers, but not all. Think about your overall computer and account safety first.
Question: Leo, if one uses a password filler such as RoboForm or LastPass and your computer gets infected with a malware keylogger, can it pick up your passwords when you aren’t actually typing them in? If not, this makes a very good case for having an encrypted password filler such as RoboForm or the others you’ve mentioned in past columns.

The answer is both yes and no.

Using a password vault to fill in your password can, indeed, bypass certain types of keyloggers: no keystrokes typed, no keystrokes to log.

However, and this is important: not all keystroke loggers work that way. You may still be at risk.


TL;DR:

Password Vaults vs Keyloggers

Keyloggers are just a form of malware, and can log much more than just physical keystrokes, including all the different ways credentials might be entered by a password vault. The intent of a password vault is not to bypass malware, but to make it easier to have strong password security across all your accounts. Avoiding all malware, including keyloggers, is the most important way to stay safe.

The simple answer: you can’t assume

The only safe answer is to assume that the keystroke logger can indeed log your password entries, regardless of how they’re entered.

The problem is in the name: “keystroke” logger. Monitoring physical keystrokes is only one way a keystroke logger can compromise your security. There are many others.

To understand this, we need to address a much larger issue: if you have a keystroke logger on your machine, you have malware on your machine.

And once it’s in place, malware can do anything.

Logging keystrokes

“Keylogger” is an unfortunate term. I say that because we think of keyloggers as logging only keystrokes. That’s why I said if a keylogger logs only keystrokes, then by not making any keystrokes, there’s nothing to log.

Again, keyloggers are malware, and malware can do anything. Keylogging may be only one of your worries.

Logging more than keystrokes

Hackers are aware of all of the techniques people use to try and bypass them, so the form of malware we incorrectly call keyloggers has become more sophisticated. Here are just a few ways that malware can log beyond keystrokes:

  • Intercept the path a physical keystroke takes, as I mentioned above, logging the actual keystrokes.
  • Intercept the path clipboard entries take (some password-entry techniques involve the clipboard).
  • Intercept your browser’s data entry code and monitor anything you enter into the browser.
  • Take and save screenshots with every mouse click when an on-screen keyboard is used.

Using a password vault is likely only to thwart the first keylogging technique. You may still be vulnerable to the rest.

Intercepting what’s going on between your password vault and the places those passwords get entered is not that difficult for a powerful keylogger.

Prevent malware

Let’s stop thinking about them as keyloggers and start thinking about them as malware. Malware can do anything, and, yes, absolutely: malware can capture what’s happening between your password vault and your browser.

That’s not an argument against using password vaults. I’ll talk about that in a second. What it’s a very strong argument for is: don’t get malware in the first place!

Don’t worry so much about keyloggers (or any other specific type of malware), and worry more about malware in general. Don’t let your machine get infected, because whatever you get infected with, like I keep saying, can do just about anything it wants to.

So focus your energies more on doing what it takes to stay malware-free, and less on trying to avoid specific types of malware (like keyloggers that happen to log only keystrokes).

Password tools for security

Password vaults have a very, very important role. The reason I so strongly recommend them is so you can more easily use multiple different, hard-to-remember, secure passwords on multiple sites.

People who don’t use a tool like this tend to do a number of things that compromise the security of passwords:

  • They use short passwords.
  • They use passwords they can remember.
  • They write them on sticky notes.
  • They use the same password everywhere.

All of these techniques and more reduce their overall security.

Increase your overall security

By using a password vault, you allow yourself to:

That’s the value they add.

Hiding from malware, including keyloggers, is not the point of these tools.

Allowing you to use and choose more secure passwords and use them more securely across all of your different logins — that’s why you want to use a password vault.

Do this

  1. Start using a password vault.


6 comments on “Will Using a Password Vault Thwart a Keylogger?”

  1. Thanks Leo. I’ve been using RoboForm for years and have wondered about this myself. I guess we can’t protect ourselves against everything, but I definitely feel more secure using RoboForm.

  2. I’ve been using LastPass for about a year or so; I haven’t had any problems. However, highly technical/proprietary information aside, I wish I knew a little more about how it does its job.

    The reason for my concern? I’m using LastPass ONLY because it’s highly recommended … not just by Leo, by the way, but also by many other credible mainstream sources. However, without knowing a little more about the way it works, I remain feeling a little unsettled, frankly. I’m just one of those folks who tries to understand, thus helping me to make better use of a product as well as understanding its limitations and vulnerabilities, if any.

    Actually a couple of years ago Steve Gibson dove into LastPass in some detail. He dedicated an entire episode of the “Security Now” podcast to it: Episode 256 recorded July 9, 2010: LastPass Security. I know LastPass gets mentioned at other times on the show, but that particular episode is what convinced me.

    Leo
    03-Apr-2013

  3. I agree the main concern and point is to avoid keeping malware off one’s computer in the first place if possible; however, when you try out freeware like I do even downloaded from reputable download sites, even testing it with VirusTotal and Jotti if it falls within their size limitations, mistakes do happen. So I do use LastPass now and just started yesterday using a program from Alpin Software called Neo’s SafeKeys v3 which complements or rather addresses the “shortcomings” Leo so keenly addressed that password managers don’t address concerning malware, i.e. mouse movements and screen captures by malware. This little package looks like a nice little addition to address those concerns and it’s free too. You can install either the portable version or the installer self install version and I would personally do the portable version and create your own shortcut. Ran both through VirusTotal and the portable (current version) came up clean and the self installer version when checked out by VirusTotal’s antivirus’s 46 scanners had just one hit, most likely a false positive from TrendMicro-HouseCall for TROJ_GEN.F47V0723. By the way, I have the installer file on my computer and ran the commercial online version of HouseCall yesterday and it was scanned with the rest of my system with no problems detected, i.e. no hits like VirusTotal reported. BitDefender Free Antivirus and Malwarebytes found no problem either. The downloadable Microsoft antivirus scanner found no problem on the file either and that is why I say it most likely is a false positive. But to be completely safe, just download the portable version if the free program meets a need, run it yourself through VirusTotal, unzip it, and put it in your program files folder, create a shortcut to the .exe file, and give it a try. You can enter passwords using this little keyboard that can be transparent, so they claim, to malware screen captures and mouse movements.

    Leo, if you see this I would love your expert opinion on this software (Alpin did not come up in a search on your site), and if there is something better out there, particularly free like this one, I’d love to read the review and check it out too. :)

  4. Thanks Leo. The problem with most of us, that definitely includes myself, is we unconsciously believe every facility/security to be perfect. Only after reading the articles like yours, I’ve started recognizing the inherent limitations & vulnerabilities (as nicely put by Tony) in any arrangement/system.

    I’m grateful to all of you (Leo and his commenters) for that.

  5. In short… be nearly certain your computer is secure before entering sensitive info into it and chances are you will be fine.

    Which basically boils down to clean installing one’s OS (i.e. wipe hard drive and install Windows etc from scratch). Then from now on just be careful on what you allow to run on your computer and don’t install any shady browser extensions etc as doing this general info will go a long way in keeping one’s computer secure.

    • I have a friend who teaches IT at a vocational school. He does his online banking and other financial transactions such as online shopping using a live Linux distribution. That would thwart all but physical keyloggers installed between the keyboard and the computer. It’s cumbersome and probably relies on written down passwords, but all online banking here uses second factor authentication, so that mitigates the danger of writing down passwords.
