Keylogger Resistance

I would like to see work to provide keylogger resistance. I think keyloggers are ultimately the weakest link in an encrypted password manager. You can have perfect encryption, you can never store decryption keys on disk, you can have perfect memory safety, and all it takes is a keylogger to sink you.

I wonder if it would be possible to use 2FA, or some other means, such as requiring the user to click portions of a picture, or type in a punch code using their mouse.

The idea is that this information would be used to either retrieve from the Bitwarden server, or generate, a key mapping that obscures the real master password.

So if configured correctly, when I type in “BitwardenIsTheBest” I actually get “OvgjneqraVfGurOrfg” (rot13 for this example, but it could actually be “randomized” based on the additional input, rather than a fixed formula like rot13).

In this way, even if you keylog my “BitwardenIsTheBest” password, you have to additionally have an exploit which allows you to read my browser’s memory to pull out the keymapping that turns it into the decryption password “OvgjneqraVfGurOrfg”. This could conceivably be stored until the browser is closed/memory is freed.

This additional factor would also provide insulation from dictionary attacks, as passphrases would be scrambled into nonsensical words based on the additional input (the keycode selected via mouse, or physical 2FA key).
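To make the proposal concrete, here is an added example (not Bitwarden's code, and not any scheme the project has adopted) of deriving a per-character substitution from a second factor and applying it to the typed master password. The fixed rot13 mapping from the post is included alongside a "randomized" one; the KDF choice (PBKDF2 stretching, an HMAC counter stream driving a Fisher-Yates shuffle) and the factor and salt values are my assumptions.

```python
import hashlib
import hmac
import string

# Characters the substitution permutes; anything outside it passes through unchanged.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def rot13_map() -> dict:
    """Fixed-formula mapping from the post's example (rot13 on letters only)."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    mapping = {c: lower[(i + 13) % 26] for i, c in enumerate(lower)}
    mapping.update({c: upper[(i + 13) % 26] for i, c in enumerate(upper)})
    return mapping


def derive_keymap(second_factor: bytes, salt: bytes, iterations: int = 100_000) -> dict:
    """Derive a random-looking permutation of ALPHABET from a second factor.

    The second factor (a hardware-key response or a mouse-entered code; the
    values used here are constructed for the demo) is stretched with PBKDF2,
    then an HMAC counter stream drives a Fisher-Yates shuffle of ALPHABET.
    """
    seed = hashlib.pbkdf2_hmac("sha256", second_factor, salt, iterations, dklen=32)
    counter = 0

    def next_index(bound: int) -> int:
        # Rejection sampling on a 32-bit HMAC-derived value avoids modulo bias.
        nonlocal counter
        limit = (2**32 // bound) * bound
        while True:
            block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
            value = int.from_bytes(block[:4], "big")
            if value < limit:
                return value % bound

    shuffled = list(ALPHABET)
    for i in range(len(shuffled) - 1, 0, -1):
        j = next_index(i + 1)
        shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
    return dict(zip(ALPHABET, shuffled))


def apply_keymap(typed: str, keymap: dict) -> str:
    """Turn the keystrokes a keylogger would see into the value actually used for decryption."""
    return "".join(keymap.get(c, c) for c in typed)
```

Because the mapping is a bijection, the logged keystrokes alone are useless without it, but anyone holding both (for example by reading it out of browser memory, as the post notes) recovers the real decryption password directly.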