Slashdot Mirror

← Back to Stories (view on slashdot.org)

Keyboard Sound Aids Password Cracking

Posted by CmdrTaco on from the but-i-love-clicky-keyboards dept.

stinerman writes "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

18 of 389 comments (clear)

  1. Keyboard specific? by markass530 · · Score: 5, Insightful

    I'd have a hard time believing this method transcends all keyboard models, and all typists.

    1. Re:Keyboard specific? by Anonymous Coward · · Score: 1, Insightful

      how bout these types

  2. applicability? by MooseTick · · Score: 5, Insightful

    If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

    --
    Ninjas don't carry tic tacs
    1. Re:applicability? by TripMaster+Monkey · · Score: 5, Insightful


      How about a parabolic or shotgun mike?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:applicability? by someone300 · · Score: 2, Insightful

      A tiny wireless microphone can be taped underneath the keyboard.

      A camera would have to be given the right viewpoint, would likely be bigger, and the keyboard might move out of the camera's range.

  3. 75 attempts? by jlower · · Score: 4, Insightful

    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.
    All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

    1. Re:75 attempts? by sammy+baby · · Score: 4, Insightful

      Plenty of them. Implementing a lockout out of X number of bad attempts can open you up to some hairy denial of service attacks. Want to lock out a user for a few hours? Just fail to login as that person 5 times.

      Not to say that the alternatives don't have their weaknesses, but this one certainly does as well.

    2. Re:75 attempts? by gamer4Life · · Score: 2, Insightful

      You can program it to guess the password 3 times a day and within several weeks, the password will be yours. Still a reasonable timeframe.

      Of course if the person changes the password every 3 weeks...

    3. Re:75 attempts? by chinadrum · · Score: 2, Insightful

      One would hope you'd be locked out before then. The problem is that most people don't use random passwords. When the keys you record return Fluf[]y you can guess the missing letter mom typed was 'f' to fill in Fluffy. Bang one try. It's back to the old physical security deal.

    4. Re:75 attempts? by SatanicPuppy · · Score: 2, Insightful

      Where I work it's three times, and the lockout on the critical systems doesn't expire--you have to be reactivated by an admin. The exception is root, but root can only log on when sitting in front of the keyboard, in the multi-locked and monitored server room.

      Most of our connectivity is onsite anyway...VPN access is pretty tightly regulated...so for us to be DOS vulnerable, the attacker would have to be inside the building, on the network, and by "on" I mean "plugged into" because my boss thinks "wireless security" is an oxymoron.

      It's more maintenance and more of a pain in the butt to work with than a less secure system, but we never have security related problems.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  4. As the article says: by tabkey12 · · Score: 5, Insightful

    It just goes to show that when you have physical access to a computer, the security's already broken...

    --
    Get a free iPod Nano 4GB!
  5. good idea by tont0r · · Score: 2, Insightful

    i like how they used basic methods of cryptanalysis in order to help find out what is what. an example is how they mentioned about the Digraphs such as TH from THE, which is a very common word. so its easy to pick out from the group because you can 'listen' for the space bar key and if only 3 keys are hit and they have been matching others, you can then find out what E is.
    then lets say you find out whats THE is, then you find another word that is 5 letters that starts with 'THE', then you are going to find out what R is, then what I is (from there and their) and so on and so on. so good for them for just using basic methods :)

  6. Different sounds by Namronorman · · Score: 2, Insightful

    I notice that keys I use the most are the loudest and sound different, probably from wear. Stating that, how easy would this cracking method work on a brand new keyboard (or perhaps a laptop keyboard)?

    --
    $fortune
    Tomorrow has been canceled due to lack of interest.
  7. Step 6. by Spy+der+Mann · · Score: 2, Insightful

    Make sure nobody does the same thing to you.

  8. Re:Use ASCII numerics, or pound the keyboard at lo by Psykechan · · Score: 3, Insightful

    I use the Dvorak layout myself. It would help prevent this in two ways.

    1. The keystroke timing would be much different
    2. Constantly making errors which require much backspace pressing

  9. Re:Redbox for keyboards now? by X0563511 · · Score: 2, Insightful

    and then the'll just use a notch filter and take the human vocal range out, leaving plenty of low and high freq sounds to play with.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. Extending this to 3 mircophones by hcob$ · · Score: 2, Insightful

    would probably jump the percentage much higher since then you could accoustically triangulate where the sound came from. Just a thought....

    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
  11. Passwords are obsolete by marcybots · · Score: 2, Insightful

    Isnt it time that computer security experts just give up on the idea of passwords? Instead of trying to get users to use ever increasingly complex passwords they can never remember why dont we just invent a new system of security? Its obvious the password paradigm of computer security is not very effective, and we should move beyond it and start reaching for new ideas instead of fixing a flawed old one.