What is the idea behind passwords with random button positions?

Other answers have talked about key loggers, and how they would defeat this mechanism, but I can think of other attacks it would protect against:

  • Looking at the grease marks on a touch screen where somebody regularly enters the same code. For instance, the code to unlock a phone, or a door entry system where the screen isn't used for anything else.
  • Shoulder surfing, where the attacker can see the movement of the user's hand, but not what's on the screen. This could be somebody physically behind the user whose view is partially obstructed, or it could be a camera that doesn't have the screen in its field of view.

Using a randomized software keyboard for password input is based on the misconception that it can prevent key loggers. It can somewhat effectively prevent hardware key loggers from capturing the login data.

In a weak sense, it also prevents some naive software key loggers from capturing login data, however as you correctly mentioned, a slightly better keylogger can trivially take screencaps as well to defeat this measure, and a more sophisticated one can just install a browser add-on to capture the password before it's sent to the server.

Since hardware key loggers are much rarer than software key loggers, on most sites where such a randomized software keyboard is implemented, it is really only a sign that the developer is clueless that such measures are ineffective against most keyloggers.

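
The three observers discussed in the answers above (a shoulder surfer, grease marks or hardware logger that sees only tap positions; a software keylogger that also captures the screen; and a browser add-on that reads the value before it is sent) can be modelled in a few lines. The following is an added toy simulation, not code from the question, the answers or any bank's keypad; the 10-slot keypad, the sample PIN and the observer functions are assumptions made for illustration.

```python
"""
Toy model of a randomized on-screen keypad (added example; the keypad,
PIN and attacker models are assumptions, not any real bank's code).

Observers of a PIN entry:
  * position logger: sees which of the 10 key slots were tapped, in order
    (shoulder surfer who cannot see the screen, grease marks, or a hardware
    logger recording coordinates);
  * screenshot logger: sees the taps *and* the layout shown at the time
    (a software keylogger that also captures the screen);
  * inline hook: reads the PIN after the widget resolves taps to digits,
    so the layout is irrelevant to it (e.g. a malicious browser add-on).
"""
import random
from typing import List, Sequence

FIXED_LAYOUT: List[str] = list("0123456789")  # slot i shows digit i


def random_layout(rng: random.Random) -> List[str]:
    """Digit shown in each of the 10 key slots, shuffled per login."""
    layout = list("0123456789")
    rng.shuffle(layout)
    return layout


def enter_pin(pin: str, layout: Sequence[str]) -> List[int]:
    """Slot indices the user taps to enter `pin` on the given layout."""
    return [layout.index(d) for d in pin]


def position_logger_guess(taps: Sequence[int], assumed_layout: Sequence[str]) -> str:
    """Attacker who saw only tap positions and assumes some layout.
    Against a fixed keypad this is the PIN; against a randomized one it is noise."""
    return "".join(assumed_layout[t] for t in taps)


def screenshot_logger_guess(taps: Sequence[int], observed_layout: Sequence[str]) -> str:
    """Attacker who also captured the screen: maps taps through the real layout."""
    return "".join(observed_layout[t] for t in taps)


def inline_hook_guess(pin: str) -> str:
    """Add-on that reads the assembled value before submit; layout never matters."""
    return pin


def distinct_tap_sequences(pin: str, sessions: int, randomize: bool, seed: int = 1) -> int:
    """Number of different tap patterns a position-only observer collects over
    many logins. Grease marks and shoulder surfing accumulate across sessions;
    a randomized layout spreads one PIN over many patterns."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(sessions):
        layout = random_layout(rng) if randomize else FIXED_LAYOUT
        seen.add(tuple(enter_pin(pin, layout)))
    return len(seen)


def demo() -> None:
    pin = "4729"  # constructed sample PIN
    layout = random_layout(random.Random(42))
    taps = enter_pin(pin, layout)
    print("layout:", "".join(layout), "taps:", taps)
    print("position logger (assumes fixed layout):", position_logger_guess(taps, FIXED_LAYOUT))
    print("screenshot logger:", screenshot_logger_guess(taps, layout))
    print("inline hook:", inline_hook_guess(pin))
    print("patterns over 50 logins, fixed keypad:", distinct_tap_sequences(pin, 50, False))
    print("patterns over 50 logins, randomized keypad:", distinct_tap_sequences(pin, 50, True))


if __name__ == "__main__":
    demo()
```

With a fixed keypad the position-only observer recovers the PIN directly and sees the same pattern every login; with a randomized layout that observer gets a different pattern each time and learns nothing from positions alone, while the screenshot logger and the inline hook recover the PIN exactly as before.
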
This is commonly used by banks. As already explained, it provides additional security against keyloggers. It also prevents the password from being stored directly in the browser, which is poor security practice if no master password is used. It should be noted, though, that it has an important drawback: it prevents the user from using a long random password stored in a password manager.

The rationale behind that is that banks have no confidence in users being able to choose and manage strong passwords, so at least they make sure that the user has not stored their password in the browser without a master password.

TL;DR: it adds no security for users who are actually concerned with security best practices, but it limits the worst security practices that too many users would apply.

Tags:

Passwords