Are virtual keyboards not necessary anymore to protect against keyloggers?

Virtual keyboards were an easy-to-implement solution to malware that recorded keystrokes from the keyboard and hardware keyloggers.

But the keylogger software developers quickly adjusted to this new technique (sometimes by simply taking a screenshot focused around where the mouse clicks).

In the end, it is not clear that a virtual keyboard provided any broad benefit. It would certainly defeat a hardware keylogger installed on your keyboard, but that's not the likely threat.

Given that keylogging software expects to also capture virtual keyboards, there is little benefit to maintaining this technology in the broad, likely scenario.

Tests have been done on the effectiveness of virtual keyboards:

https://www.raymond.cc/blog/how-to-beat-keyloggers-to-protect-your-identity/


Virtual keyboards are commonly used in banking sites because they have (at least) two neat pros:

  • they protect the password from naive keyloggers
  • they prevent the user from storing the password in a file

But they do have cons:

  • specialized keyloggers can still spy on the passwords (see @schroeder's answer for a more in-depth explanation)
  • they prevent usage of complex passwords (12 to 20 random characters) stored in a decent password manager like KeePass

As far as I am concerned, I do not like them because of that. But I must admit that they may add some security for non-security-aware users. The problem with them is that as they require a rather weak password (at most 6 to 8 digits), the bank could be blamed in case of compromise.

With standard passwords, users can choose a strong password (and are advised to do so). So if they do not, they are fully responsible in case of compromise and cannot blame the bank.


One of the motivations behind a virtual keyboard was the risk posed by the usage of PCs in cyber cafes, kiosks, etc. by users to access banking websites in the past, and the reliance on password-based authentication. With more users now having mobile/personal devices, that risk has come down. Some banking sites would have both options and provide a recommendation on when to use which. Large-scale usage of multifactor/out-of-band authentication/verification for banking transactions has also reduced the risk.

If you have a keylogger installed on your machine, you have bigger problems. With advanced keyloggers, a virtual keyboard is not very effective.