Keystroke logging
== Countermeasures ==

The effectiveness of countermeasures varies because keyloggers use a variety of techniques to capture data and the countermeasure needs to be effective against the particular data capture technique. In the case of Windows 10 keylogging by Microsoft, changing certain privacy settings may disable it.<ref>{{cite web|url=http://www.spyrix.com/3-methods-to-disable-windows-10-built-in-spy-keylogger.php|author=Alex Stim|title=3 methods to disable Windows 10 built-in Spy Keylogger|date=2015-10-28}}</ref> An on-screen keyboard will be effective against hardware keyloggers; transparency{{Clarify|reason=|date=January 2021}} will defeat some—but not all—screen loggers. An [[anti-spyware]] application that can only disable hook-based keyloggers will be ineffective against kernel-based keyloggers.

Keylogger program authors may be able to update their program's code to adapt to countermeasures that have proven effective against it.

=== Anti-keyloggers ===
{{Main|Anti-keylogger}}

An [[anti-keylogger]] is a piece of [[software]] specifically designed to detect keyloggers on a computer, typically comparing all files in the computer against a database of keyloggers, looking for similarities which might indicate the presence of a hidden keylogger. As anti-keyloggers have been designed specifically to detect keyloggers, they have the potential to be more effective than conventional antivirus software; some antivirus software does not consider keyloggers to be malware, as under some circumstances a keylogger can be considered a legitimate piece of software.<ref>{{Cite web |url = http://www.securitysupervisor.com/security-q-a/computer-security/218-what-is-anti-keylogger |title = What is Anti Keylogger? |date = 23 August 2018 }}</ref>

=== Live CD/USB ===

Rebooting the computer using a [[Live CD]] or write-protected [[Live USB]] is a possible countermeasure against software keyloggers if the CD is clean of malware and the operating system contained on it is secured and fully patched so that it cannot be infected as soon as it is started. Booting a different operating system does not impact the use of a hardware or BIOS-based keylogger.

=== Anti-spyware / Anti-virus programs ===

Many [[anti-spyware]] applications can detect some software-based keyloggers and quarantine, disable, or remove them. However, because many keylogging programs are legitimate pieces of software under some circumstances, anti-spyware often neglects to label keylogging programs as spyware or a virus. These applications can detect software-based keyloggers based on patterns in [[Subroutine|executable code]], [[heuristics]] and keylogger behaviors (such as the use of [[Hooking|hooks]] and certain [[Application programming interface|API]]s).

No software-based anti-spyware application can be 100% effective against all keyloggers.<ref>{{Cite journal|last=Creutzburg|first=Reiner|date=2017-01-29|title=The strange world of keyloggers - an overview, Part I|url=https://www.ingentaconnect.com/content/ist/ei/2017/00002017/00000006/art00019|journal=Electronic Imaging|volume=2017|issue=6|pages=139–148|doi=10.2352/ISSN.2470-1173.2017.6.MOBMU-313|url-access=subscription}}</ref> Software-based anti-spyware cannot defeat non-software keyloggers (for example, hardware keyloggers attached to keyboards will always receive keystrokes before any software-based anti-spyware application).

The particular technique that the anti-spyware application uses will influence its potential effectiveness against software keyloggers. As a general rule, anti-spyware applications with [[Ring (computer security)|higher privileges]] will defeat keyloggers with lower privileges.
For example, a hook-based anti-spyware application cannot defeat a kernel-based keylogger (as the keylogger will receive the keystroke messages before the anti-spyware application), but it could potentially defeat hook- and API-based keyloggers.

=== Network monitors ===

[[Network monitoring|Network monitors]] (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "[[phoning home]]" with their typed information.

=== Automatic form filler programs ===
{{Main|Form filler}}

Automatic form-filling programs may prevent keylogging by removing the requirement for a user to type personal details and passwords using the keyboard. [[Form filler]]s are primarily designed for [[Web browser]]s to fill in checkout pages and log users into their accounts. Once the user's account and [[credit card]] information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or [[Clipboard (software)|clipboard]], thereby reducing the possibility that private data is being recorded. However, someone with physical access to the machine may still be able to install software that can intercept this information elsewhere in the operating system or while in transit on the network. ([[Transport Layer Security]] (TLS) reduces the risk that data in transit may be intercepted by [[Packet analyzer|network sniffers]] and [[Proxy server|proxy tools]].)

=== One-time passwords (OTP) ===

Using [[one-time password]]s may prevent unauthorized access to an account which has had its login details exposed to an attacker via a keylogger, as each password is invalidated as soon as it is used. This solution may be useful for someone using a public computer.
However, an attacker who has remote control over such a computer can simply wait for the victim to enter their credentials before performing unauthorized transactions on their behalf while their session is active.

Another common way to protect access codes from being stolen by keystroke loggers is by asking users to provide a few randomly selected characters from their authentication code. For example, they might be asked to enter the 2nd, 5th, and 8th characters. Even if someone is watching the user or using a keystroke logger, they would only get a few characters from the code without knowing their positions.<ref>{{Cite journal |last1=Goring |first1=Stuart P. |last2=Rabaiotti |first2=Joseph R. |last3=Jones |first3=Antonia J. |date=2007-09-01 |title=Anti-keylogging measures for secure Internet login: An example of the law of unintended consequences |url=https://www.sciencedirect.com/science/article/pii/S0167404807000569 |journal=Computers & Security |volume=26 |issue=6 |pages=421–426 |doi=10.1016/j.cose.2007.05.003 |issn=0167-4048|url-access=subscription }}</ref>

=== Security tokens ===

Use of [[smart card]]s or other [[security token]]s may improve security against [[replay attack]]s in the face of a successful keylogging attack, as accessing protected information would require both the (hardware) security token as well as the appropriate password/passphrase. Knowing the keystrokes, mouse actions, display, clipboard, etc. used on one computer will not subsequently help an attacker gain access to the protected resource. Some security tokens work as a type of hardware-assisted one-time password system, and others implement a cryptographic [[challenge–response authentication]], which can improve security in a manner conceptually similar to one-time passwords.
[[Card reader|Smartcard readers]] and their associated keypads for [[Personal identification number|PIN]] entry may be vulnerable to keystroke logging through a so-called [[supply chain attack]]<ref>{{cite web|url=https://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/|author=Austin Modine|title=Organized crime tampers with European card swipe devices|date=2008-10-10|access-date=2009-04-18|website=The Register}}</ref> where an attacker substitutes the card reader/PIN entry hardware for one which records the user's PIN.

=== On-screen keyboards ===

Most on-screen keyboards (such as the on-screen keyboard that comes with [[Windows XP]]) send normal keyboard event messages to the external target program to type text. Software keyloggers can log these typed characters sent from one program to another.<ref>{{cite web|url=http://windowssecrets.com/top-story/prevent-keyloggers-from-grabbing-your-passwords/|author=Scott Dunn|title=Prevent keyloggers from grabbing your passwords|date=2009-09-10|access-date=2014-05-10|publisher=Windows Secrets}}</ref>

=== Keystroke interference software ===

Keystroke interference software is also available.<ref>{{cite web|url=http://networkintercept.com/keystrokeinterference.html |author=Christopher Ciabarra |title=Anti Keylogger |date=2009-06-10 |publisher=Networkintercept.com |url-status=dead |archive-url=https://web.archive.org/web/20100626093658/http://networkintercept.com/keystrokeinterference.html |archive-date=2010-06-26 }}</ref> These programs attempt to trick keyloggers by introducing random keystrokes, although this simply results in the keylogger recording more information than it needs to. An attacker has the task of extracting the keystrokes of interest—the security of this mechanism, specifically how well it stands up to [[cryptanalysis]], is unclear.

=== Speech recognition ===

Similar to on-screen keyboards, [[Speech recognition|speech-to-text conversion]] software can also be used against keyloggers, since there are no typing or mouse movements involved. The weakest point of using voice-recognition software may be how the software sends the recognized text to target software after the user's speech has been processed.

=== Handwriting recognition and mouse gestures ===

Many [[Personal digital assistant|PDA]]s and lately [[tablet computer|tablet PC]]s can already successfully convert pen (also called stylus) movements on their [[touchscreen]]s to computer-understandable text. [[Mouse gestures]] use this principle by using mouse movements instead of a stylus. Mouse gesture programs convert these strokes to user-definable actions, such as typing text. Similarly, [[graphics tablet]]s and [[light pen]]s can be used to input these gestures; however, these are becoming less common.{{Clarify timeframe|date=January 2021}}

The same potential weakness of speech recognition applies to this technique as well.

=== Macro expanders/recorders ===

With the help of many programs, seemingly meaningless text can be expanded into meaningful text, most of the time context-sensitively; e.g., "en.wikipedia.org" can be expanded when a web browser window has the focus. The biggest weakness of this technique is that these programs send their keystrokes directly to the target program. However, this can be overcome by using [[# Nontechnological methods|the 'alternating' technique described below]], i.e. sending mouse clicks to non-responsive areas of the target program, sending meaningless keys, sending another mouse click to the target area (e.g. password field) and switching back-and-forth.

=== Deceptive typing ===

Alternating between typing the login credentials and typing characters somewhere else in the focus window<ref>{{cite web|url=http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf|title=How To Login From an Internet Cafe Without Worrying About Keyloggers|publisher=[[Microsoft Research]]|author=Cormac Herley and Dinei Florencio|date=2006-02-06|access-date=2008-09-23}}</ref> can cause a keylogger to record more information than it needs to, but this could be easily filtered out by an attacker. Similarly, a user can move their cursor using the mouse while typing, causing the logged keystrokes to be in the wrong order, e.g., by typing a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. Lastly, someone can also use [[context menu]]s to remove, [[cut, copy, and paste]] parts of the typed text without using the keyboard. An attacker who can capture only parts of a password will have a larger [[key space (cryptography)|key space]] to attack if they choose to execute a [[brute-force attack]].

Another very similar technique uses the fact that any selected text portion is replaced by the next key typed. For example, if the password is "secret", one could type "s", then some dummy keys "asdf". These dummy characters could then be selected with the mouse, and the next character from the password "e" typed, which replaces the dummy characters "asdf".

These techniques assume incorrectly that keystroke logging software cannot directly monitor the clipboard, the selected text in a form, or take a screenshot every time a keystroke or mouse click occurs. They may, however, be effective against some hardware keyloggers.