Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user's keystrokes. It can be useful to determine sources of error in computer systems. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. However, keyloggers are widely available on the internet and can be used by anyone for the same purposes.

Keystroke logging can be achieved by both hardware and software means. Commercially available systems include devices which are attached to the keyboard cable (and thus are instantly installable, but visible if the user makes a thorough inspection) and also devices which can be installed in keyboards (and are thus invisible, but require some basic knowledge of soldering to install).

Writing software applications for keylogging is trivial, and like any computer program can be distributed as a trojan horse or as part of a virus or worm. What is not trivial however, is installing a keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper (their paper from '96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g. Usenet).

Young and Yung also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as unused. This can done using a USB token. So, the trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as cryptovirology.

The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr. He pleaded guilty to running an illegal gambling operation in 2002 ("Mobster's son pleads guilty of gambling; computer spying helped seal case" Associated Press, 1 Mar 2002). The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.

There is no easy way to prevent keylogging. The best strategy is to use common sense and a combination of several methods, including observing the programs which are installed, being aware of devices connected to USB ports, and enabling firewalls.

It is sometimes said that an on-screen keyboard is a way to combat these, as it only requires clicks of the mouse. However, this is not true, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text typed with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen.

The web-based on-screen keyboard may provide some degree of protection. At least some commercial keylogging programs do not record typing on the web-based virtual keyboard. However, the keylogging software can take screenshots.

In addition, using automatic form-filling programs helps prevent keylogging by not using the keyboard at all.