Hacker News
by humblebee 2683 days ago
> A virtual keyboard, with keys that display in random order, is available to deter others from learning your password.

This is a weird way to describe keyloggers if that is actually what they are talking about.

The random order I don't understand either unless the "keylogger" is also recording mouse positions.

Otherwise, if this is actually talking about over-the-shoulder lookers, it probably has the exact opposite effect because of the increased time required to enter a password.

5 comments

The "random keypad order" is used on secure physical keypads, which display a random order of numbers so that fingerprints, key wear, etc. can't be used to isolate the keys being pressed over time.
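The comment above, together with the mouse-position question in the original post, can be made concrete with a small simulation. This is an added example, not code from the thread or from any product discussed in it: a constructed on-screen PIN pad, a "logger" that records only click positions (the software analogue of fingerprints or key wear), and a second logger that also captured the layout shown at the time (a screenshot, the DOM, or an accessibility tree). The 3x3-plus-one slot geometry, the PIN `2580` and the session counts are assumptions chosen for illustration.

```python
# Added example (not from the HN thread): why a randomly ordered PIN pad
# defeats a position-only logger and key-wear analysis, but not a logger
# that also captures the layout. Everything here is a constructed
# simulation; nothing is captured from a real system.
import random
from collections import Counter
from typing import Dict, List, Tuple

Slot = Tuple[int, int]       # (row, col) of a key on the on-screen pad
Layout = Dict[Slot, str]     # which digit each slot currently shows

# Assumed geometry: a 3x3 block for nine digits plus one key in a fourth row.
SLOTS: List[Slot] = [(r, c) for r in range(3) for c in range(3)] + [(3, 1)]


def fixed_layout() -> Layout:
    """The conventional phone layout: 1-9 across three rows, 0 at the bottom."""
    return dict(zip(SLOTS, "1234567890"))


def shuffled_layout(rng: random.Random) -> Layout:
    """A fresh random assignment of the ten digits to the same ten slots."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return dict(zip(SLOTS, digits))


def enter_pin(layout: Layout, pin: str) -> List[Slot]:
    """The user clicks whichever slot currently shows each PIN digit.
    The return value is exactly what a click-position logger would record."""
    where = {digit: slot for slot, digit in layout.items()}
    return [where[d] for d in pin]


def guess_from_positions(clicks: List[Slot], assumed: Layout) -> str:
    """Attacker turns recorded click positions back into digits using
    whatever layout they believe (or observed) was on screen."""
    return "".join(assumed[slot] for slot in clicks)


def worn_slots(click_log: List[List[Slot]], n: int) -> List[Slot]:
    """The n most-clicked slots over many sessions: the software analogue
    of worn or fingerprinted keys on a physical keypad."""
    counts = Counter(slot for session in click_log for slot in session)
    return [slot for slot, _ in counts.most_common(n)]


def simulate(pin: str, sessions: int, seed: int = 1) -> dict:
    rng = random.Random(seed)
    fixed = fixed_layout()

    # Fixed layout: positions alone yield the PIN, and the most-used slots
    # give away the digit set even without ordering information.
    fixed_clicks = [enter_pin(fixed, pin) for _ in range(sessions)]
    fixed_guess = guess_from_positions(fixed_clicks[0], fixed)
    fixed_wear = {fixed[s] for s in worn_slots(fixed_clicks, len(set(pin)))}

    # Shuffled layout: a position-only logger assuming the standard layout
    # is almost always wrong and wear spreads over every key, but a logger
    # that also captured the layout recovers the PIN every time.
    shuffled_clicks: List[List[Slot]] = []
    positions_only_hits = with_layout_hits = 0
    for _ in range(sessions):
        layout = shuffled_layout(rng)
        clicks = enter_pin(layout, pin)
        shuffled_clicks.append(clicks)
        positions_only_hits += int(guess_from_positions(clicks, fixed) == pin)
        with_layout_hits += int(guess_from_positions(clicks, layout) == pin)

    return {
        "fixed_guess": fixed_guess,
        "fixed_wear_reveals_digits": fixed_wear == set(pin),
        "shuffled_positions_only_hits": positions_only_hits,
        "shuffled_with_layout_hits": with_layout_hits,
        "shuffled_slots_used": len({s for c in shuffled_clicks for s in c}),
    }


if __name__ == "__main__":
    print(simulate("2580", 200))
```

The position-only logger is defeated because the mapping from slot to digit changes every session (a guess is right only when the shuffle happens to put all four PIN digits back in their usual slots, 6!/10! of the time). The logger that also sees the layout is not inconvenienced at all, which is the point made elsewhere in this thread: on a host where the attacker can run a keylogger, capturing the screen or the page is no harder.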
I'm also curious how this is more effective at stopping a keylogger than copy/pasting from a password manager, or auto-logging in via one.

Unless it's common for keyloggers to monitor the clipboard?

In which case, for the system they've developed to seemingly work as intended, you'll have to either have a memorizable password (likely relatively insecure), or have your password written down at hand.

I'm skeptical that this nonstandard, hostile UX was designed with any sort of valid threat analysis rather than some kind of Rube Goldberg-esque security-through-obscurity scheme that "sounded good" during some meeting.

It sounds like they learned password security from Runescape.
The irony is that if someone managed to install a keylogger, they could've installed any other RATing tool such that the machine itself and everything it touches is completely compromised.
I imagine 99% of keyloggers are the 'put this on as many machines as possible and look for worthwhile logins' type, which are well-thwarted by this approach.

Anything more bespoke than that is probably much rarer.

Might not necessarily apply to a hardware keylogger, which an attacker might use to reduce the risk of detection in software.
> The random order I don't understand either unless the "keylogger" is also recording mouse positions.

I would bet that that is exactly what they are worried about. This seems to me to be a really hacky way to solve that problem. If you actually need to address the possibility of keyloggers then some sort of 2FA setup would be simpler, more standard, would address a wider variety of potential security problems, and would create less friction for the user.