One of the best techniques for capturing passwords is keystroke logging: using software or hardware to record keystrokes as they're typed into the computer and, with many of the tools, report them to the attacker remotely. It's a crude technique, but it works.

Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for their guidance, and get approval from upper management.

Tools for Keystroke Logging

With keystroke-logging tools, you can review the tool's log files to see what passwords people are using:

  • Keystroke-logging applications can be installed on the monitored computer. You should check out eBlaster and Spector Pro by SpectorSoft. Another popular tool is Invisible KeyLogger Stealth. Dozens of other such tools are available on the Internet.

  • Hardware-based tools, such as KeyGhost, fit inline between the keyboard and the computer or replace the keyboard altogether. Because they capture keystrokes before the operating system ever sees them, security software running on the host can't detect them.

A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in.

Countermeasures to Keystroke Logging

The best defense against the installation of keystroke-logging software on your systems is an anti-malware program or similar endpoint protection product that monitors the local host. It isn't foolproof (a keylogger written for a specific target may not match any signature), but it helps. Physical keyloggers leave nothing for host software to see, so you'll need to visually inspect each system: follow the keyboard cable to the port and look for an extra inline device or an unfamiliar keyboard.

The potential for hackers to install keystroke-logging software is another reason to ensure that users aren't downloading and installing random shareware or opening attachments in unsolicited e-mails. Consider locking down your desktops by setting the appropriate user rights through security policy in Windows, in particular by denying standard users local administrator rights so they can't install software at all. Alternatively, you could use a commercial lockdown program, such as Fortres 101 for Windows or Deep Freeze Enterprise for Windows, Linux, and Mac OS X.
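The following audit script is an added example; it is not from the original text and is not code from any of the vendors named above. It checks the software countermeasures this section recommends (who holds local administrator rights, and what starts automatically from user-writable locations, where a dropped keylogger typically persists) and finishes with a keyboard-device inventory for the hardware case. It assumes Windows 10 or later with PowerShell 5.1, an elevated session, and the list of "user-writable" path fragments is an illustrative assumption you should tune for your environment.

```powershell
# Added audit example (not from the original text). Assumes Windows 10/11,
# PowerShell 5.1+, run from an elevated (administrator) session.

# 1. Who can install software? Every account here beyond the expected admins
#    undermines the "set appropriate user rights" countermeasure.
Write-Host "== Local Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 2. Autorun entries. A software keylogger has to survive a reboot, so it
#    usually registers under a Run key or the Startup folder. Flag anything
#    launched from a user-writable location.
$suspiciousPaths = 'AppData', 'Temp', 'ProgramData', 'Downloads', 'Public'  # assumption: tune for your site
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Autorun entries launched from user-writable locations =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip the provider's own metadata properties
        $cmd = [string]$p.Value
        if ($suspiciousPaths | Where-Object { $cmd -match $_ }) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
        }
    }
}

# Startup folders for all users and for the current user.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
Write-Host "== Startup folder contents =="
Get-ChildItem -Path $startupDirs -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize

# 3. Keyboard-class devices. A second keyboard nobody plugged in deserves a look.
#    Caveat: an inline pass-through keylogger (PS/2 or USB) does not enumerate
#    as a device at all, which is why the text says to inspect machines physically.
Write-Host "== Keyboard-class devices =="
Get-PnpDevice -Class Keyboard -Status OK |
    Select-Object FriendlyName, InstanceId |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on each desktop, or push it out with your management tooling and collect the output. Treat the autorun section as a starting list to investigate, not a verdict: legitimate updaters also live under AppData, so compare the flagged commands against a known-good baseline from a freshly built machine.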

