It may not be the most secure method, but itâs certainly the easiest way to deliver some keylogger protection without doing major changes in the backend code. The methods you mentioned are not âstandardâ as a virtual keyboard (which many people have already seen in banks), how much of code refactor will it really need to be safety implemented?
This is fairly trivial stuff â for some definition of trivial (like yes thereâs work, but itâs not like building a whole new application, itâs augmentation of the authentication workflow). Effectively weâre just talking about a functional transform on bytes, strictly speaking thereâs no reason the password needs to anything more than a normalized byte sequence (this is all math behind the scenes).
Even ârealâ passwords are fed through a key expansion algorithm for AES (and pretty much any other serious encryption algorithm). This would just be a preprocessing step based on some secondary data.
Figuring out how to generate the secondary data is the hard part. Rot13 isnât a super practical example as itâs very local to US style keyboards, the English Alphabet, and Arabic Numerals. Itâs also fixed so any attack on Bitwarden could just reverse the trivial transform.
Iâm sure itâs this difficulty thatâs (understandably) slowed any kind of progress on this. I mena, you could simplify this idea down to a dropdown that says âPick your favorite colorâ. That would then select a different algorithm behind the scenes based on the colors, and potentially tied to the account. That would explode every garbage password by N*X âcolor/userâ combinations.
Such an approach could make even âPassword1â a difficult to crack password if Bitwardenâs servers were to have a leak, because âPassword1â was âsaltedâ another time with an unknown (okay, known to be in a set âNâ) secondary secret, protect against software and hardware keyloggers (though not if the software keylogger could also screengrab), and just generally be a pain in the butt for an attacker.
The complexity introduced would be storing the selection of algorithms for a particular user, adding a dropdown, and then adding the algorithm to the JS library⊠This is basic âdevelopmentâ work, modulo picking the algorithms to use to modify the password.
Really⊠You could just use one key, and have this be a user selectable salt that gets mixed in with the password salt. So the ârealâ password for purposes of authenticating against a hash is âUserInputâ.âUser Saltâ.âUser Selected Saltâ. Then you apply the same concept to the AES key extension (Iâm assuming âUser Saltâ doesnât play a role in this though I donât know Bitwardens Crypto code â this is kind of âabstractâ), and effectively âsaltsâ the password input and decryption key.
Password1.Blue in effect becomes âPassword1.<Bitwarden Stored Salt Correspoinding to User XXXâs Blue>â.
EDIT: The more I think about it if I ever decide to go back for a PhD this would be a really interesting space to explore
A virtual keyboard would be only a matter of frontend design and some basic JavaScript
This is not trivial stuff. Thereâs a lot of complexity in making a virtual keyboard. I guess you could just âlist keysâ as buttons, and have a picker for keyboard âlayoutâ that picks those keys. Then youâve got to figure out how to make that all pretty.
models of hardware keylogger in this random shop I found
Most people Iâd argue are not concerned about defending from hardware keyloggers. Software keyloggers are the bigger issue. Itâs bad enough to have a machine compromised, if itâs been compromised at a hardware level, thatâs an entirely different extreme.ââ
EDIT: Also if your concern is a hardware based keylogger⊠Just use your operating systemâs onscreen keyboard.