But there’s a completely simple way to defeat them, based on the fact that a keylogger doesn’t know where on the page the focus is when you’re typing — it has no context, it just has what is typed.
So, next time you login from a public internet terminal or somewhere else you want to make sure your keystrokes aren’t being logged, do this —
Put the focus on the password field, and type one character. Then click somewhere else on the page — open Notepad if you have to — and type a bunch of random characters. Then, click back in the password field, and type another character. Repeat until your password is complete.
Extremely simple, extremely effective. Without the context of where the focus was when you were typing, the resulting string of characters is useless.