[Someone1234]

As an aside: Everyone who read this article, please keep in mind that the process injection model used by these pieces of adware is exactly what your typical "keylogger" uses also.

No malware literally logs keys typed anymore. I cannot stress that point enough. Instead they log form submissions (e.g. POST requests) which give the malware author much more useful information they can data mine in an automated way (e.g. URL, named parameters, etc). This works even on a "secure" page (e.g. HTTPS with extended certificate).

I'm super tired of supposed power users or "geeks" telling others to copy/paste in their username/passwords to improve security. That's not how this works, it isn't how any of this works. Nobody reads raw key-streams, they're completely useless because they fail to contain CONTEXT (i.e. where you typed what).

Sorry, just a pet peeve of mine. The term "keylogger" is largely a misnomer. A more accurate name would be "credential hijacking" or "form submission theft." A lot of malware actually use standard injected JavaScript to add event hooks to a page, to fire the data back to a evil browser extensions.

[extc]

This points out why I don't understand websites that force you do create the most obnoxious password that you won't ever remember. "Must be 16 characters with lowercase and uppercase and a number and a special character."

No one's account is getting broken into by password guessers. Your obnoxious 16 character password will be stolen just as well as a 1 character password.

[bhayden]

Don't a lot of login forms hash passwords with JS before sending it over the internet? Wouldn't it then be useless to anyone listening?

[Someone1234]

I cannot think of a popular site which does this.

If that provides security really depends on what the "bad guys" are hooking. If they're placing event triggers straight onto text box/button/form elements themselves (either through JavaScript or grabbing something akin to Win32 messages) then that wouldn't do anything at all.

Even if they did grab the raw POST request (which is somewhat common) a hash would only provide security if it was merged with an anti-forgery token sent from the server, otherwise the "bad guy" could just re-post the exact same hash and login anyway.

I think it really boils down to how popular your site is. If for example Facebook did that, because it is popular enough with the "bad guys" they're going to spend the time circumventing any JavaScript-based security you could implement.

[csixty4]

> I cannot think of a popular site which does this.

LiveJournal used to do it. No idea if they still do. I don't think it ever caught on.

[bhayden]

> "bad guy" could just re-post the exact same hash and login anyway.

That's true, thanks for the response.

[__xtrimsky]

Not a single company I worked for. I guess it's simply because JS doesn't include hashing, whereas PHP it's simply a matter of calling sha1(). But it is pretty easy to include, I guess people just don't think about it.

[stephenr]

Please for the love of donuts and bacon don't use sha1() to hash passwords.