Tactile Passwords vs Shoulder Surfing

holy_calamity writes "Entering passwords using a tactile interface would remove two of the main vulnerabilities of using keyboards and alphanumeric passwords say UK researchers. They're using sequences of tactile icons on a VTPlayer tactile mouse instead. Shapes are displayed using the 16-pin tactile displays under the user's fore and middle fingers. As well as being almost impossible for anyone else to observe, tactile passwords can't be guessable in the same way as many conventional ones, they say. A video shows it all in action." Not that the video really helps explain it very well.

Impossible?

[cerberusss]

being almost impossible for anyone else to observe

Except for Superman...

Re:Impossible?

[twistedsymphony]

Yeah but can Superman properly identify a Kitten?

Re:Impossible?

[durnurd]

If you've got Superman trying to steal your password, I think you've got bigger problems than an insecure password.

special tactile mouse needed ..

[rs232]

You don't need any special tactile mouse. The same could be achieved using a clickable image map showing a keypad with the numbers in random locations. You get a different map each time you enter the site. So keyloggers wouldn't be of any use.

Re:special tactile mouse needed ..

[The+Evil+Couch]

However it would be clearly visible to anyone looking over your shoulder. Even more so that the tradition keyboard password entry.

Re:special tactile mouse needed ..

[chalkyj]

The same could be achieved using a clickable image map showing a keypad with the numbers in random locations.

TFA says that they're looking into using it for ATM machines. An image on an ATM machine would be considerably less secure than a keypad type device.

Re:special tactile mouse needed ..

[rs232]

"However it would be clearly visible to anyone looking over your shoulder. Even more so that the tradition keyboard password entry."

Actual pin is 1234

Standard keypad layout ..

789
456
123

The screen shows ..

251
369
847

You click on 8473. The next time round it's a different keypad layout.

Re:special tactile mouse needed ..

They NEED it for ATMs so they can do fingerprint scans on everyone who uses it. Dont you know the government wants to track everything (except elections)

Re:special tactile mouse needed ..

[Arimus]

Why not replace the fixed labeled keys with keys with microscreens and change which key is which each and every time - then put a screen around the keyboard so that when you stand behind/next to someone the angle of view is such that you can not make out the legends... then knowing the pattern of keys is useless.

Re:special tactile mouse needed ..

[sxpert]

that pretty dumbass comment doesn't take into account that some people are blind, thus can't see the pretty pictures on the stupid screen

Re:special tactile mouse needed ..

[ConceptJunkie]

I worked for a company, now part of Honeywell, that made access control keypads that work exactly how you describe. It was a really good product, but for the life of me, I can't remember the name of it.

Re:special tactile mouse needed ..

[rs232]

"that pretty dumbass comment doesn't take into account that some people are blind", sxpert

Ok, It was just a suggestion, the idea probably needs a little more work. How do the visually impared use the VTPlayer when they have to ..

"a user moves the mouse over a grid of nine blank squares displayed on a computer screen"

Re:special tactile mouse needed ..

[whyloginwhysubscribe]

Like an Optimus Keyboard?
I can't help but think that it would take too long to find each individual key. I suppose they could just display the numbers that are in your PIN and perhaps put them in the correct order so that it would be easier to find them.
Why dont they ask for just 2 or 3 numbers from your PIN, like the way they do on online banking systems? Works well for me...

Re:special tactile mouse needed ..

[Mr.+Mindless]

using it on Automatic Teller Machine machines?

good god it's brilliant!

they could be connected via Network Interface Card cards!

Re:special tactile mouse needed ..

Oh but who cares about the minority? Fuck the minority.

I can't even view the damn video, and I'm not even blind!

Hello, you either have JavaScript turned off or an old version of Macromedia's Flash Player. Click here to get the latest flash player.

Hello, Macroshitia Flash is not available for my platform, fucking gnash can't play it, and fucking mplayer can't play the fucking .flv because it's fucking compressed. Click here to see pictures of women eating shit.

I'm a masochist.

Re:special tactile mouse needed ..

[way2trivial]

uh- no ING uses this for login, it looks like a keypad, but you the letters (more than one to a box) move around per login

so you are presented with a grid of letters over nine boxes about three in each box. and you click your letters...
asteriks appear in the box- what they represent, a shoulder surfer couldn't know.

if my pinword is "spaghetti" then I click boxes to follow that word, next time- it'll be different boxes.

Re:special tactile mouse needed ..

[Monsieur+Canard]

Hirsch makes these, I think they call them Scramble-Prox or something like that. You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.

Re:special tactile mouse needed ..

[rs232]

"You present your badge and then enter a PIN on a keypad that scrambles the layout after each user."

Another good idea I should have patented ..

Re:special tactile mouse needed ..

[Tim+C]

I'm shoulder-surfing you.

Actual pin is 1234

I don't know that.

Standard keypad layout ..

I know that.

The screen shows ..

251
369
847

I can see that.

You click on 8473.

I see that.

The next time round it's a different keypad layout.

But that doesn't matter, because the first time round I mapped 8473 to 1234 in my head as I watched you do it.

This is security through obscurity; it relies on one or both of:

1) me not realising that the keypad represents the "normal" numeric keypad, mixed up
2) me not being able to perform the reverse of the mapping you're doing to enter your PIN.

1) is solvable by my simply perusing the site, even if I don't guess. 2) isn't a reasonable assumption to make about most people.

Re:special tactile mouse needed ..

[ConceptJunkie]

Thank you. Hirsch was one of our clients and the one for whom I worked. I even went there in 2001. They are nice folks with some neat products.

Are you allowed senior moments when you are only 41?

Re:special tactile mouse needed ..

[Monsieur+Canard]

I certainly hope so being 41 myself. If we're not then I'm going to blame it on all the brain cells that valiantly gave their lives so that I might drink in college.

Re:special tactile mouse needed ..

[jacksonj04]

Easy mistake to make though. "ASP page" is the correct use of the acronym ASP, even though it actually means "Active Server Pages page".

Re:special tactile mouse needed ..

[Peyna]

The federal building I work in has these keypads on every secure door within the building. (Exterior doors have manned guards and RF card access for employees).

Another nice feature is that the numbers that are randomly displayed in different places are only visible when viewed straight on; so the guy standing next to you might see where your fingers go, but he won't see what number was displayed on that key at that time.

Re:special tactile mouse needed ..

[Peyna]

ScrmablePad.

Re:special tactile mouse needed ..

[rs232]

"This is security through obscurity"

Well, yea, the method fails the logic test. Another poster mentioned a real keypad that scrambles the numbers. With a shield around the keypad then I would assume that shoulder-surfing wouldn't work.

Re:special tactile mouse needed ..

[Tordek]

Wow, you even scrambled the letters to show an example!

Re:special tactile mouse needed ..

[ConceptJunkie]

The problem is that I didn't drink all that much in college. I'm finding more and more that while my memory doesn't seem to be really decreasing, it takes me significantly longer to pull up names (especially of places or people) that I haven't thought of in a while. I also have the attention span of a gnat when it comes to appointments and other mundane details, but I can't blame that on age, as I've always been that way. I was late for my own birth.

Re:special tactile mouse needed ..

[ConceptJunkie]

These are great devices and are used in a lot of places around the U.S., including some of our major airports. I haven't been involved with Hirsch in over 4 years, but I always figured they'd be around for a long time. It's not particularly high-tech, but it's solid, flexible technology, which after all, is all anyone should really want.

Re:special tactile mouse needed ..

[Spurion]

Do you actually know your PIN? I just remember the shape of the key sequence I need to press - it's all in "muscle memory". I have to think quite hard to know what the actual numbers are so I'd be pretty much stuck with the interface you suggest :)

Re:special tactile mouse needed ..

[Mister+Whirly]

Or you can use the low-tech method I use - I cover the keypad with the hand that isn't entering the PIN. Or, position yourself so that only your back is visible to the person behind you. Sometimes people give me strange looks, but screw it - I'd rather be paranoid and have money in my bank account than overly trusting and broke.

Re:special tactile mouse needed ..

[Fred_A]

You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.

Much more simple would be using wheels driving the display of numbers ( a bit like on luggage) and a "validate PIN" button. The terminal could reset the values to something random (or to 0000 or whatever) as soon as the validate key has been pressed.

That would make it very hard for an onlooker to read, especially with recessed displays.

Re:special tactile mouse needed ..

[Fred_A]

Actually it only works on automatic ATM machines when you enter your personal PIN number.

Re:special tactile mouse needed ..

[advocate_one]

not to mention the fact there's a new "keylogger" that grabs the small rea around the mouse pointer as it's moving on the screen and so can capture the relevant parts of the image to get the password...

Re:special tactile mouse needed ..

[siwelwerd]

My bank does something similar with their online banking. They put up a clickable image of a keyboard and make you key in your PIN/password by mouse. It is a complete PITA. Plus, it takes me much longer to mouse click it in that to punch it in on the keyboard, so it seems like it could be even more at risk of shoulder surfing.

Re:special tactile mouse needed ..

[loonicks]

ING Direct bank does something like this for logins. There are a series of numbered icons in the same pattern every time, but they have a random map of letters assigned to them. You can click the icons or enter in the corresponding letter sequence if you are extra paranoid.

Example:
1 2 3
4 5 6
7 8 9

map:
P G M
R C W
Q Y K

Note these are together on the same icons.
If my pin is "12345", I can click the icons with my mouse, or enter in "PGMRC" into a text box. You are not allowed to enter numbers in the box.

Re:special tactile mouse needed ..

[devilspgd]

While true, ATMs often have voice interfaces too if you have headphones handy.

That pretty much cuts out shoulder surfing since the ATM can communicate with you and only you.

One possible scheme would be that the ATM would tell you via a tone if the next character should be legit, or bogus. Bogus ones would be ignored, the legit ones would form your PIN. As long as the order and frequency of the legit vs bogus keys were sufficiently random, knowing the digits and order wouldn't make a difference.

How could the video explain it?

[badfish99]

No wonder that the video does not help to explain it very well. TFA says "it is almost impossible for anyone else to observe"

Re:How could the video explain it?

[TechForensics]

This appears to work by giving tactile feedback when your mouse cursor touches one of the password elements (squares) so you click there and not elsewhere. At least, that's the simplest way I can imagine it would work.

Re:How could the video explain it?

[Kijori]

That wouldn't work - that way anyone could do it! There is tactile feedback for every square - you have to identify the particular pattern of pins that represents each 'digit' of your PIN.

And youtube

[Gr8Apes]

suffers a melt-down @ 8:35am EST on Monday morning.

Re:And youtube

[solevita]

I'm not so sure: YouTube has one of the biggest tubes of the whole internets, the clue's in the name.

Re:And youtube

[Speare]

Oblig: YouTube is not like a truck you can just dump a bunch of video on.

How do you figure that the demand on one boring nerdy video at 8:35am EST Monday is going to somehow be more than the demand for five thousand videos of a pair of mock-slutty half-drunk teen girls singing Britney songs in their kitchen, viewed at 8:35pm PST Thursday evening?

Re:And youtube

[aplusjimages]

. . . a pair of mock-slutty half-drunk teen girls singing Britney songs in their kitchen . . .

Link please. I've got to see this.

if we are going to add new hardware

then there are better ways to do it.

Also vulnerable to all other methods to obtain passwords except over the shoulder,

Whistler: Fellas, Janek's little black box is on his desk between the pencil jar and the lamp.
Mother: Uh, Whistler, I hate to tell you this, but you're blind.

Er...

[tygerstripes]

Well... it is an interesting concept, and I like how they've made it work. Thing is, the problem is never the system, but the people using it. Shoulder-surfing shoudl be nigh-on impossible when the user touch-types at anything approaching a decent speed - it's the two-finger-jabbers who make it easy. The passwords themselves are only easy to guess because people are total gimps.

Cool though this tech is, there is nothing so clever that fools can't render it worthless.

Re:Er...

[bomb_number_20]

I agree that it's mostly the people using the technology as opposed to the technoogy itself. Sometimes the environments aren't very well thought out, though.

I always pay attention at ATMs and public terminals. I've noticed that 1) most people make absolutely no effort to hide their keystrokes and 2) most establishments make no effort to hide the little pad people use to enter their passwords or PIN. The absolute worst are those internet cafes that put people with their backs to a street-facing window so that anyone walking by can happen across private information. Further, the little 'ding' sounds that the ATMs make when you hit a button can help clue a listener in as to what the pin might be. When you hear someone type 'ding ding ding ding' in rapid succession, it's a pretty safe bet that they are typing the same number 4 times. If you somehow get their card and are guessing at their PIN number, that alone considerably reduces your pool. I don't think it's really _that_ big a deal, but I always thought they should remove the sounds from those things.

Sometimes how you type is is important as what you type. It sounds stupid but, If I'm in a public place, I ususally mistype my password on purpose. I do it in hopes that a combination of wrong keystrokes, backspace characters and fast typing will throw someone off who may be watching and listening to the click of keystrokes. Not that what I'm typing is ever that important anyway, but every bit of noise helps.

Re:Er...

[slocan]

Maybe developing a new password input device is easier done, than changing people's habits.

Shoulder surfing?

[AnimeDTA]

Being bored at work, I took up using the Dvorak keyboard layout. My passwords however retain the same unconcious keyboard patterns as they did on a standard keyboard. Without even thinking of what my password is I can type it. For a while I didn't even know my own passwords were... this proved to be a problem when i had to check email and wasn't at my computer. But it definately ends the shoulder surfing for passwords.

I ended up typing my passwords a few times in notepad and memorized the gibberish that is my password now. Other than that I'd have to be trying to know what my fingers are pressing when i go into password mode.

Re:Shoulder surfing?

[140Mandak262Jamuna]

What you just have one password? One password for all your accounts? The same password for the accounts in your work, for your accounts with your bank and brokerage account, and for the web mail and for the rarely visited "registration required" sites? That is insane.

My personal password policy: I have four kinds of passwords. The highest and most secure ones are for the work accounts and my financial institutions. The next ones are for the web merchants who know my mailing address and credit card numbers. The third kind is the one where there is no money involved and thus not attractive to hackers like my webmail or slashdot. The fourth one is for home network, the router, the dsl PPPoE account, home machines administrator passwords.

No two account I have use exactly the same password. Even if a bent sys admin snags my password, he/she cant damage anything more than account.

Re:Shoulder surfing?

[masterzora]

Given all the references to "passwords" in the GP, I'd take it that he is also using multiple passwords.

Re:Shoulder surfing?

[RzUpAnmsCwrds]

This, more than anything, shows the failure of passwords. Few people are willing or able to memorize numerous passwords. That's why I don't use them for anything that needs to be really secure. I have a bank password (and PIN), but that's about it. My E-TRADE account uses a cryptographic-RNG-based system and I use key-based authentication for SSH.

not enough bits

[kwikrick]

16 mechanical pins, that is 16 bits of information, two bytes, typically equialent to two ASCII characters. Most passwords are required to be at least five characters. Add to that the fact that many pin-combinations are not useable because they are hard to distinguish, I would guess that amounts to maybe a few hundred usefull passwords. Not so secure then is it?

Re:not enough bits

[sciscitor]

The 16 mechanical pins are used to create the braille characters, you don't poke them down individually to creat you password. Check out the video or the article, they help. On another note, i think that something like this is a major advantage in defending against password theft through video recording as most of the action is happening under your fingers and is therefore impossible to intercept.

Re:not enough bits

[kwikrick]

you are right, but this only makes it worse! The article mentions nine blank squares on a screen from which to choose. That means if I steal someone's ATM card, and if I get three chances (as is the case now with typing a PIN code) to guess the right square, that means I have 33% chance to hit the jackpot!

Obviously, having more squares reduces the chance of succesfully guessing the password, but scanning lots of squares with a tactile mouse will take for ever.

The best solution I can think of is to have only two squares on the screen at the same time (left and right), and you have to 'enter' a sequence by choosing left/right a number of times. Hmmm, that might actually work.

Re:not enough bits

FYI: You have more than one screen.

AKA:
897
153
426
then
589
632
471
then
321
549
687
So you can type in normal numeric passowrds but it's time consuming.

Re:not enough bits

[mxolisi06]

From TFA:

The sequence of tactons and squares is randomised each time

So for each try you always have 1/9 chance to hit the jackpot, no matter how many times you try.

With this system, the number which you should compare to the 8 bits character for traditional passwords would be the number of tactile patterns your finger is able to recognise (at least as many as braille characters ?) This number would then be multiplied by the number of patterns you have to recognise (4 in their experimental set-up).

Re:not enough bits

[Gemini_25_RB]

I think the idea was that you are inputting a password (the normal 5+ characters) except that you can't see what you're inputting, you can only feel it. You password could still be 1-2-3-4-5, which means you float your mouse over the nine boxes looking for the one that causes only one bump to pop up on your mouse. You click that box. Then you do the same for the next number, and so on, and so forth.

I must say, however, that this will be quite time consuming. I'm not sure if the boxes reset after every input (which they probably should, that way duplicates are easily detected), but that would definitely magnify the time needed.

Augmented shoulder surfing

[StupidKatz]

In the case of normal humans, I agree with you regarding shoulder surfing not being a horrible problem.

However, with the arrival of smaller and smaller video recorders, this could indeed be a decent solution for those forced to use passwords at terminals in (more) public places.

Though, the smaller entropy pool would likely become a problem if measures aren't taken to counter brute-force attacks...

Re:Augmented shoulder surfing

[SanityInAnarchy]

There's an additional two things I do other than touch-typing to throw people off: I use Dvorak, and I (used to) have a five-second timeout on a password that takes me 2 and a half seconds to type. If someone got my password, they almost certainly couldn't type it fast enough.

Re:Augmented shoulder surfing

[devilspgd]

Better hope you don't break a finger...

Re:Augmented shoulder surfing

[SanityInAnarchy]

Given sufficient time alone, I could use bootloader tricks and such to gain access -- the timeout isn't absolute. But I dont do this anymore, and I've never broken a finger.

Re:Augmented shoulder surfing

[devilspgd]

Sure -- I suspect most of us could hack our own configurations if we needed to -- Given physical access, unless you have strong encryption, it's always possible.

However, if you did manage to break a finger (or even end up with an arm in a sling for a while) it would be a royal pain if you didn't have a backdoor.

Personally, whenever coming up with an "inventive" password entry scheme, I always leave a second way in, a long complex password I memorize the way to reconstruct it, but never use, so it can't be observed.

Re:Augmented shoulder surfing

[DeadChobi]

I use 21-26 character passwords that I construct out of sentences for important stuff. Then I attach a meaningful string of numbers to the end of it to make it a stronger password. The length of the sentences makes it pretty difficult to use a dictionary and the rules of the language to narrow down what I'm typing, especially if I reference things that people who don't know me wouldn't understand. In my case, proper nouns make my password stronger. I use the sentences as mnemonics so I can reconstruct the password if I memorize the sentence. I think I'd be pretty safe from shoulder-surfing even when I'm entering a PIN because I can key things in pretty damn fast. Yes, even at shopping centers where they require you to use a pen to press buttons. Those are horribly insecure, by the way. I can enter a 9-digit number in about 3 seconds using a stylus and a touch screen.

Yet again something that won't work for everyone

[PrescriptionWarning]

This obviously won't work for someone without the use of both hands, or who has the feeling removed from their hands (a stranger?). However the biggest problem I would see is for the everyday person who may not be able to tell enough of a difference between each touch thingy to be able to enter their touchcode reliably a majority of the time. Though I suppose we'd learn if we had to, it just seems that the main reason why the blind get really good at reading braille is because they don't have a choice, not to mention they have a lot more processing power from their brain going to their other non-visual senses.

Nice approach

[suv4x4]

This device is a very nice and tender approach to a problem.

Sort of like killing a fly with a bulldozer.

Conflict

[suv4x4]

Anyone else see a conflict between those two statements:

...being almost impossible for anyone else to observe..... ...A video shows it all in action...

I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.

That could make it hard to quickly enter a password even if you know it.

-------

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help.

It won't help to protect you from your competitor or a black hat hacker who installed spyware on your PC.

Re:Conflict

[mxolisi06]

I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.

In actual situations, as the name "tactile" suggests, the user's fingers will lay on the pads, so nothing will be observable.

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help. It won't help to protect you from your competitor or a black hat hacker who installed spyware on your PC.

It seems to me that this method does protect from keyloggers. First, you'd need a mouselogger, since login isn't done via keyboard. But the thing is you'd need access to the piece of memory that maps the 9 squares to different tactile patterns, because the mapping changes each time. In short, you'd need root access to the machine, and then you don't need to guess the password anymore...

Re:Conflict

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help.

man, if my boss was threatening to "peak" over my shoulder, i'd just tell him the damn password.

Re:Conflict

Actually, you only need access to a mouse-logger. Something has to send the tactile pattern to the mouse. All you need to do is log the pattern that was present at each click. Sorted.

This is still just 'something you know' that you are telling to the computer, which you trust explicitly. It has the benefit of not being visible to passers by, but is still broken.

The secure authentication system will not run any general purpose code, will be able to identify itself to the user, and will be used for authentication only, not financial entry or gameplaying.

Crazy idea

[Ice+Wewe]

This will sound crazy. But, I recently saw a review for a keyboard that had little organic LCDs for each key. Now, I'm not saying thats a good idea, infact, it sounds like a huge waste of energy. However, you could do what other people are suggesting, and that is change the key map each time, and have those little screen personal protector things on it. I forget what they're called, but you can buy them for your PC, and laptop, monitor, and it will reduce the viewing angle to the person sitting immediately infront of them. Hence, you can see your keyboard, but no one else can.

Re:Crazy idea

[mackyrae]

http://www.artlebedev.com/everything/optimus/

That'd be the Optimus. I like it for the simple fact of not having to poke around trying to learn where the keys are when typing in foreign languages. It makes doing much easier. That being an example. was the only of the 3 letters that I found without 5+ attempts.

The gamers I know like it because they said not all games follow the standard commands (e=enter...I think?), so having them change on the keys depending on the game would make it easier. I don't know many gamers who look down at their hands while playing though.

Re:Crazy idea

[amuzulo]

You're describing the Optimus Keyboard:

http://www.artlebedev.com/everything/optimus/

And once again...

[Penfold1234]

... no one has thought of the lepers.

My Solution

[thorkyl]

Let's just put small DNA testers on each PC.

Then all you have to do is stick something in the hole to donate a blood sample.

--
Stupid people breeding has lead us to the current government

Re:My Solution

[Aqualung812]

Then all you have to do is stick something in the hole...

You just put down the red carpet for the one-liners...

Re:My Solution

[mackyrae]

There are fingerprint-scanning computers. One of my roommates has one on her laptop.

Re:My Solution

Ethan Hawk already figuerd out a way circumvent this in the movie gattica

Re:My Solution

[StikyPad]

Wow, that sounds secure!

Re:My Solution

[skingers6894]

ahhh it's just the thin end of the wedge!, That DNA sample could pop up in some RIAA lawsuit years down the track.

Don't give me any of that "oh we'll just use it for logging in purposes" either!

Mmm.... tactile....

[john-da-luthrun]

I dread to think what the "tactile" password for a pr0n site would be like...

Re:Mmm.... tactile....

[einnar2000]

There will be a whole new industry formed..

A tactile mouse shaped like.. you guessed it.. a breast.

Re:Mmm.... tactile....

[SnotBob]

yeah but it's the BDSM sites that would scare me.

Easier solution

[3Suns]

I've always made sure that my passwords contain a string of easily-typable letters consisting primarily of alternating-hand homerow keys, to complement the numbers, punctuation, and capitalization elsewhere in the password. Since you can tap out those letters so quickly without moving your hands around dramatically, it makes it much more difficult for anyone to eyeball your password.

I've seen countless stories about dedicated password-entry hardware, but none of them (with the minor example of insecure fingerprint scanners) have made an impression. Purpose-dedicated hardware rarely does.

Re:Easier solution

[frenchbedroom]

You sir are correct, this is the way to go when creating a password.

Me, I have yet another layer of protection : my keyboard is labelled in standard French Azerty, but I use a french Dvorak layout (I have no need to change the labels since Dvorak layouts are designed for touchtyping).

It's very funny when the co-workers try typing stuff with my keyboard :) For example, this is "Hello, World!" typed as if my keyboard was Azerty :

Cpnnlq Àloniw

(funnily enough, that's also "Hello, World" in Gaelic. Ba-da, dum.)

Memory.

[dohzer]

Won't these types of access codes be even harder to remember?
Imagine these at a job where you're forced to change codes regularly.

Re:Memory.

[pyhack]

Agreed. And how many passwords (or even ATM pins) do people typically have? OK, I'd use it for entry to my secret underground lair - but YouTube, Google, Amazon, Travelocity, Ticketmaster, etc will have to stick with qwerty/numpad for now.

Oh, I shouldn't said that!

And the time wasted ?

[aix+tom]

> On average, the volunteers took 38 seconds to log on

So now I need about 4 to 5 seconds to log on. (Just tested it)

Considering that the system needs a special mouse and a special login interface, too, why not get a mouse with a finger print reader and use that login interface?

I would also imagine Joe User will be trained faster to "put your finger there, dude", then to feel and remember the tactile pattern.

Re:And the time wasted ?

[SanityInAnarchy]

I would also imagine Joe User will be trained faster to "put your finger there, dude", then to feel and remember the tactile pattern.

Won't work. The whole point, I think, is that the grid changes, but the code stays the same. Therefore, you can only tell where the "key" is by touching it. This is also why it's immune to shoulder surfing.

Fingerprint

[maxrate]

I'd say a lot of office users use the same password all over the place (although they shouldn't). IBM's finger print reader on the notebooks gets rid of the shoulder surfing password issue to some degree. This helps reduce casual password 'lifting' I'm sure. Does the fingerprint reader count as a tactile interface?

Image from the site

http://www.virtouch2.com/images/Playing_Space_War. jpg

Is it me, or does that guy's shirt say "LOL Bear"?

Re:Image from the site

[kni52]

acording to the article, that is a "young lady". LOL BEAR would make a great shirt though.

Re:The wrong approach

[TheVelvetFlamebait]

I like the point. Hate you, but like the point.

Parent is so self confident...

[hkmwbz]

...he decided to show off how cool and tough he was by posting anonymously at Slashdot!

Re:The wrong approach

[SynTruth]

...sure they can. I used to be very shy and withdrawn back in the late 80's and early 90's. Once I got online, got social on USENET, IRC, and such, it helped me develop -how- to be social offline as well. Doesn't replace true meatspace social aspects, but at least for me, computers -did- help me be assertive and have confidence in my interactions.

Got rhythm?

[bromoseltzer]

As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

Re:Got rhythm?

[smithmc]

  As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

But then every Rush fan in the world would have the same password: -.-- -.-- --..

Re:Got rhythm?

[Banzai042]

Bettern than just having YYZ as a pw

Typical IT response: blame the user.

[jotaeleemeese]

We praise ourselves of being very fluffy clever, nevertheless we haven't squared a simple solution to the authentication problem.

Or maybe there are no simple solutions, but people that are not familiar or comforatable with IT should not be denigrated for solutions that are clearly inadequate, difficult, or both.

Re:Typical IT response: blame the user.

[tygerstripes]

I'm more of a user than a professional, and it still galls me what the IT support guys have to put up with (and what we have to put up with from them, but that's a different issue). The policy on passwords is clear: we're told how and why to keep our passwords secure and difficult to guess, and it's pretty much common sense anyway. It's easy to bleat that "fools will be fools", but that doesn't mean they don't deserve berating for their own stupidity. They're the first to moo when things go south, and they won't entertain the thought that it might be their own fault.

It's not a car manufacturer's responsibility to ensure that drivers obey basic safety rules on the road. They can put in airbags, ABS, intelligent wipers, whatever they want to make the user safer - but if a user drives into a tree, they drive into a tree. Metaphorically. So it is with account safety. The rules are there, everyone knows them, but when people get complacent there's nothing you can do. *pant pant*

why are we still using one/two factor authenticati

[Arimus]

Why not make authentication systems three factor: something you have - the card, something you know - the pin, and what you are - biometric -finger print. With the false +ve/-ve rates you can't rely on finger print readers alone but combined with the other two factors you can make a secure system which even if I give you my pin is no use.

Make sure though the fingerprint key is not stored on the card ;).

Too easy

[DeadCatX2]

Mock-slutty half-drunk teen girls singing Britney Spear's Do Somethin'

Okay, I dunno if they're half drunk, but they are two mock-slutty girls singing a Britney song.

What do you expect? I just did a youtube search for britney lip sync. You'd be surprised how many guys lip sync to Britney Spears; I had to scroll down pretty far.

Re:The wrong approach

Hey Dude. Back off!

See. It can be done on Slashdot too :P

Re:special tactile mouse needed .. Blind people

[yvedb]

Don't forget the blind people. They must be able to sense the '5' key. It's a requirement when designing a payment terminal.

Quick & easy passwords

[B5_geek]

Type this in a term: *
ps -A |md5sum

This will ALWAYS give you a different result, and it is not reproducable/predictable.

*Windows users need not apply

Now, to 'remember' is a different story. I'll let you figure out your own method.

Onscreen keyboards have already been defeated....

[merreborn]

...by malware.

http://www.boingboing.net/2006/09/18/onscreen_bank site_ke.html

"The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.

The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when using the virtual keyboard, so that he gets the username and password without going into further trouble."

Sure, last gen keyloggers wont capture passwords entered via this interface, but the current gen sure will.

password will be too long

[harlows_monkeys]

Interesting idea, but as implemented, you'd need a password that is rather long. For each tacton, you are choosing 1 of 9. That's 3.17 bits. You'll need a pretty long sequence to get decent password strength out of that.

When memorizing a password, I think length is more important than the number of possible symbols at each position, when it comes to difficulty of memorizing. Memorizing 10 decimal digits is easier than memorizing 32 bits, for example.

Conversation stops shoulder surfing

[obtuse]

I used to support Point of Sale systems at a local sporting goods chain, and often would be at the store working with the manager hanging around learning what they could (always appreciated.) I had a great boss, and she gave me a graceful technique for avoiding shoulder surfing in that situation. You have to be able to touch type your passwords.

Talk to the person, and look them in the eye while you type your password.

Not gonna work for all situations (ATM Pin) but incredibly effective where there is only one person who really presents a risk, and really, how often are you working in a crowd?

OK, Classrooms just suck, so you have to rely on flying fingers sometimes, but I did find it to be useful when "that kid" was hanging around the same way. "That kid" could be a proto-geek, or a hacker wannabe, but I always did what I could to educate and make conversation. Hey, you're interested? Cool! Kids (even teens) respond really well to being treated like people. And, the conversation made it easy to type my password without _him_ seeing it. No need to tempt 'em.

Optimus Keyboard

[not-admin]

http://www.artlebedev.com/everything/optimus/
Might be perfect for such a situation, with a firefox extension to change the keys.

Shield

[MobyDisk]

Can't somebody just make a pane that is transparent to someone standing on front of the keyboard, but not visible to anyone outside of a very small viewing angle? For example: a thick mesh it visible only from straight-on. From other angles you see the sides of the mesh.

My solution...

[east+coast]

We need laser beams that can find prying eyes and burn them out of the owners skull. That would put a stop to it.

BTW: If anyone finds such a technology let me know. I need this for what I'm surfing slashdot at work too.

Wall

[SanityInAnarchy]

What you describe has been done, but why not just rely on touch-typing and make it impossible for ANYONE to see the keyboard?

Does that mean

I can use my erect penis for a tactile password? My pecker tracks will type out: LET ME IN.