use on-screen keyboards using mouse action or use non-BIOS routines that remap key codes.
If you need this level of security you probably need to look at the whole environment and do some serious thinking.
If you use standard keyboards then the scancodes can be intercepted; if you have standard PCs with a non-custom OS then almost anything can be sniffed out.
(The moot list is in need of any good advice on this, basic discussion already covered)
It is possible, using external HW, to get keycodes and random numbers into a machine and to an application, bypassing the entire OS keycode path (hiding the codes, timing and quantity), and to generate a simple font engine to allow an app to display characters without going through the OS font engine. In this way you could create a slightly secure app (a mail client, for instance) on an insecure system like Windows. It would still be easily attacked if it were specifically a target, but would probably be immune to any general-purpose loggers in either the keyboard path (except on the kyb itself) or the OS font engine. If you think the OS font engine can be trusted then you can create an app that, given a handle, feeds the keycodes to any standard application. Obviously your keys and plaintext will be in memory, so could be copied by another thread that knew where to look.
participants (1): mmotyka@lsil.com