edit: I should preface this by saying that there are two goals when it comes to countering keyloggers, the primary goal is to protect from the attacker being able to get any keystrokes at all, a lesser goal is to protect from the attacker stealing a password that can be used for authentication. Also, I am using keystroke information interchangeably with user input. There are two types of keylogger, hardware and software. They come in various levels of sophistication. The shittiest hardware keyloggers are just a connection piece that you place between the keyboards USB connector and the computers USB connector. They record all of the keystrokes and then forward them on to the computer. You can spot these simply by looking for them. Virtual keyboards protect from this sort of keylogger because the input comes from the mouse. There are slightly more advanced hardware keyloggers that work in essentially the same way, but which can be hidden better, inside of the keyboard itself for example. These are harder to find but virtual keyboards protect from them as well. The more sophisticated hardware keyloggers can not so easily be defeated. They use extremely tiny cameras and position them so they can view the keyboard as it is typed on. Or they analyze transient electromagnetic information and use it to pull the entire monitors display from a substantial distance, or to determine keystrokes based on the sounds of typing, also from great distance. Maybe they plug into the power grid and gather keystroke information that leaks into it. Protecting from this sort of attack is much harder, and requires a combination of surveillance technology to detect physical intrusions (or keeping your laptop on you 24/7) and shielded equipment/rooms to prevent information leakage. Software keyloggers also come in various forms. The least sophisticated of them will be defeated by a virtual keyboard because they monitor input from the keyboard and ignore the mouse. However most people use much more advanced software keyloggers that also monitor mouse position. Even the mouse/keyboard monitoring software keyloggers can be defeated by using a virtual keyboard that randomly rearranges the position of the keys every time one is clicked. However, even more advanced software keyloggers will take a screenshot every time a mouse button is clicked, and many of them just constantly record what is happening on the screen. You can even get around software keyloggers that monitor everything on the screen by using one time password systems, the password is good for authentication exactly one time and then a new one needs to be generated. The server and the client both have a piece of secret information that allows them to keep synched up with what the appropriate password should be, but the attacker can not guess future passwords from current passwords so they are still screwed. banks use technology like this quite a bit, but it is possible to implement these systems without specialized hardware. https://en.wikipedia.org/wiki/One-time_password OTP pretty much defeats a keyloggers ability to steal a password that can be used for authentication at a later point in time. In the grand scheme of things I think that virtual keyboards are a waste of time. Theoretically they can protect from some simple keyloggers, but in practice no significant attacker uses such primitive keyloggers. IMO virtual keyboards are largely just a marketing gimmick because they make people feel more secure. OTPs can be effective at preventing keyloggers from stealing a password that can be used for future authentication, but they wont protect you from the attacker spying on your keystrokes.