Slashdot Mirror


Keyboard Sound Aids Password Cracking

stinerman writes "Three students at UC-Berkeley used a 10-minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

7 of 389 comments

  1. Keyboard specific? by markass530 · · Score: 5, Insightful

    I'd have a hard time believing this method transcends all keyboard models, and all typists.

  2. applicability? by MooseTick · · Score: 5, Insightful

    If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

    1. Re:applicability? by TripMaster+Monkey · · Score: 5, Insightful


      How about a parabolic or shotgun mike?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

  3. 75 attempts? by jlower · · Score: 4, Insightful

    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'
    All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

    1. Re:75 attempts? by sammy+baby · · Score: 4, Insightful

      Plenty of them. Implementing a lockout after X number of bad attempts can open you up to some hairy denial of service attacks. Want to lock out a user for a few hours? Just fail to log in as that person 5 times.

      Not to say that the alternatives don't have their weaknesses, but this one certainly does as well.
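
An added illustration of the trade-off raised in this sub-thread (not code from the article, the paper, or any commenter): a constructed simulation comparing a 5-strikes per-account lockout with per-source exponential back-off, which is one assumed alternative. The class names, addresses, lock duration and delay cap are made up for the example.

```python
# Added example: constructed simulation, not code from the article or paper.
LOCK_AFTER = 5          # bad attempts before lockout (figure from the thread)
LOCK_SECS = 3 * 3600    # "a few hours" (assumed value)
MAX_DELAY = 900         # cap on back-off delay in seconds (assumed value)

class HardLockout:
    """Per-account counter: any source can lock the account for everyone."""
    def __init__(self):
        self.fails, self.locked_until = {}, {}
    def attempt(self, user, source, ok, now):
        if now < self.locked_until.get(user, 0):
            return "locked"
        if ok:
            self.fails[user] = 0
            return "ok"
        self.fails[user] = self.fails.get(user, 0) + 1
        if self.fails[user] >= LOCK_AFTER:
            self.locked_until[user] = now + LOCK_SECS
            self.fails[user] = 0
        return "bad"

class SourceBackoff:
    """Per-(account, source) exponential delay: no shared lock state."""
    def __init__(self):
        self.fails, self.next_ok = {}, {}
    def attempt(self, user, source, ok, now):
        key = (user, source)
        if now < self.next_ok.get(key, 0):
            return "throttled"
        if ok:
            self.fails.pop(key, None)
            return "ok"
        n = self.fails[key] = self.fails.get(key, 0) + 1
        self.next_ok[key] = now + min(2 ** n, MAX_DELAY)
        return "bad"

def simulate(policy):
    """One source sends a wrong guess per second for an hour, then the
    real user logs in from another source with the right password."""
    checked = sum(policy.attempt("alice", "198.51.100.7", False, t) == "bad"
                  for t in range(3600))
    owner = policy.attempt("alice", "192.0.2.10", True, 3600)
    return checked, owner

if __name__ == "__main__":
    print("hard lockout  :", simulate(HardLockout()))
    print("source backoff:", simulate(SourceBackoff()))
```

Both policies keep the number of guesses actually checked in that hour below the 20 quoted from the paper, but only the hard lockout turns the owner away. Back-off keyed on source limits a single source only, which is the kind of weakness the comment above concedes for the alternatives.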

  4. As the article says: by tabkey12 · · Score: 5, Insightful

    It just goes to show that when you have physical access to a computer, the security's already broken...

  5. Re:Use ASCII numerics, or pound the keyboard at lo by Psykechan · · Score: 3, Insightful

    I use the Dvorak layout myself. It would help prevent this in two ways.

    1. The keystroke timing would be much different
    2. Constantly making errors which require much backspace pressing