Nowadays keystroke logging is one of the most widespread threats used for password theft. In this paper, rather than detecting existing malware or creating a trusted tunnel in the kernel, we present a method called Broker to protect the password that a user provides for a web page to login to a web service. Installing such solutions in a host only requires limited privileges of related computers. The Broker method uses a second device and the Broker server to safely transfer users' account-related information. Comparing with previous work, the Broker method successfully separates user names and passwords so that even a second device and the Broker server are compromised, users still will not leak their private information to attackers. Finally, the Broker method can be applied to all websites without any modification of them.