Help      |      Chebucto Home      |      News      |      Contact Us     

68. Knowing how to be fully secure:
Foiling keyboard loggers

By Mark Alberstat

Dear Mousepad,

I run Windows XP with firewall and antivirus protection, and scan once in awhile for spyware. The only security concern I have is the possibility of hidden keystroke loggers catching a password. The question is, how can I protect myself against these?

Name Withheld

In this age of spam, viruses, malware and spyware, one of the more insidious traps lurking on the Internet are keyboard loggers.

In short, keyboard loggers are small programs that get loaded onto your machine, without your knowledge, and log every keystroke you make. When you go online, the program secretly sends the log file to its creator, who then has a file that may contain your user name, passwords and other vital but confidential information. Mac users are relatively safe, as the vast majority of these programs exploit holes in Microsoft Windows security and the large number of Windows-based machines connected to the Internet.

There are a few preventative steps against this type of malicious software. The first is to always have a virus scanner running on your machine and keep it updated. This is always your first line of defense. It is also a good practice to have the virus scanner scan your computer once a week to double-check for any problems. The same can be said for anti-spyware software. Up-to-date and regular scans are a necessity in today's wired world.

If you are concerned about keyboard loggers grabbing your password or even your PIN, one way to fool them is to type your password with a few extra letters or numbers and then backspace over those characters not in your password. The logger will catch the entire password, false characters included, but will not be able to tell what characters you backspaced over. All that will be logged is that you hit the backspace, or delete key and the number of times.

Another way around keyboard loggers is to keep a document on hand that has a list of all of your passwords and usernames. This file could be encrypted or just kept on your computer or a floppy drive. When you are at a site that needs a login, simply open the file, copy the needed information into memory and paste it into the required form field.

The problem with this method is that some websites could have a javascript running that can easily read what is in your Windows clipboard and copy it, with all of that happening completely without your knowledge or approval.

To see this in action, copy a bit of text and then go to:

If you are using Internet Explorer just as Microsoft delivers it to you, you will see the contents of your clipboard displayed in a textbox. If you are using Firefox or (thanks to a reader's help) a Mac with Safari or the Mac version of IE, you will not see anything in the box as these browsers do not allow the javascript to grab text from your computer's memory. Imagine your surprise if you do this exercise and see your password or bank account number in that box.

If you want to continue using Internet Explorer but turn off this access point to your information, you will have to open Internet Explorer, click on the Tools menu then the Internet Options sub-menu. In the window that opens click the Security tab. Under web content zones, select Internet and then the Custom Level button. Scroll down until you see Scripting and Disable "Allow paste operations via script." Click Ok out of these menus and your computer will be a safer place.

It is important to note that anything you copy into your computer's memory is in there until you copy something else in, thus erasing what was there, or by restarting or shutting off your computer.

The Mousepad runs every two weeks. It's a service of Chebucto Community Net, a community-owned Internet provider. If you have a question about computing, email If we use your question in a column, we'll send you a free mousepad.


The Mousepad Index


Originally published 18 September 2005


Our community is online here!


A feature of the Halifax Herald