Are On-Screen Keyboards Really More Secure?

Using an on-screen keyboard to enter passwords and other personal data is a common technique for trying to reduce online fraud and crime. But does it really make any difference?

Lifehacker reader Anton wrote in to ask pretty much that exact question:

A quick question: I use an on-screen keyboard when entering my bank passwords, credit card numbers, etc., in an effort to guard against malware. Is this a good idea or am I wasting my time?

Of course, using an on-screen (or ‘soft’) keyboard isn’t always a matter of choice: it’s the only option on touchscreen mobiles like the iPhone. Some online banking sites insist on using an on-screen keyboard to enter passwords (Westpac is one example). There’s also an on-screen keyboard built into Windows XP and subsequent versions, which is principally designed to help with accessibility but can also be used as a privacy booster.

The logic behind the on-screen keyboard as a security measure goes like this: it’s fairly easy to write a malicious program that tracks all the keystrokes that you type, and hence to steal passwords. It’s rather more difficult to track the movement of a mouse around the screen and link that to a specific character, so many malware authors aren’t going to bother.

Notice, though, how carefully qualified that last sentence was. It’s harder to track a mouse on screen, but by no means impossible, especially in the case of a fixed on-screen keyboard for a banking application. With an intelligent guess at the most common screen resolution, it wouldn’t be too difficult, and modern malware is often tailored to very specific scenarios in just this way.
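The difference a fixed layout makes can be shown with a small model of an on-screen PIN pad. This is an added example, not code from any bank or from the original article; the key size, the three-column grid and all function names are assumptions made for illustration. It shows that click coordinates map straight back to characters when the layout never changes, and stop doing so when the site shuffles the keys for each session.

```javascript
const crypto = require('crypto');

// Assumed geometry: 3 columns of 60x60 pixel keys (constructed values).
const COLS = 3, KEY_W = 60, KEY_H = 60;
const FIXED = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '0'];

// Per-session layout: Fisher-Yates shuffle driven by a CSPRNG,
// so the position of each digit cannot be predicted in advance.
function shuffledLayout() {
  const keys = FIXED.slice();
  for (let i = keys.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys;
}

// Pixel centre of the key drawn at a given grid index.
function keyCentre(index) {
  return {
    x: (index % COLS) * KEY_W + KEY_W / 2,
    y: Math.floor(index / COLS) * KEY_H + KEY_H / 2,
  };
}

// Hit test: the label under a click for a given layout.
function labelAt(layout, click) {
  const row = Math.floor(click.y / KEY_H);
  const col = Math.floor(click.x / KEY_W);
  return layout[row * COLS + col];
}

// The clicks a user makes when entering `pin` on `layout`.
function clicksFor(layout, pin) {
  return [...pin].map((digit) => keyCentre(layout.indexOf(digit)));
}

// What a record of click positions yields when read against an assumed layout.
function readClicks(assumedLayout, clicks) {
  return clicks.map((c) => labelAt(assumedLayout, c)).join('');
}

// Constructed sample PIN, entered on a fresh shuffled pad.
const session = shuffledLayout();
const clicks = clicksFor(session, '4821');
console.log('read against fixed layout:  ', readClicks(FIXED, clicks));
console.log('read against session layout:', readClicks(session, clicks));
```

Shuffling addresses only the link between a screen position and a character; it does nothing for the other defences the article goes on to list.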

The bottom line? An on-screen keyboard certainly isn’t going to hurt, but you shouldn’t have it as your principal method of defence against online intruders (or nosy housemates). Make sure you’ve got decent security software, hard-to-guess passwords which you change regularly, and proper wireless network security, for starters. For online banking, two-factor authentication using SMS or a password generator also helps. With credit cards, follow common-sense steps to avoid fraud.