Slashdot Mirror


Tactile Passwords vs Shoulder Surfing

holy_calamity writes "Entering passwords using a tactile interface would remove two of the main vulnerabilities of using keyboards and alphanumeric passwords, say UK researchers. They're using sequences of tactile icons on a VTPlayer tactile mouse instead. Shapes are displayed using the 16-pin tactile displays under the user's fore and middle fingers. As well as being almost impossible for anyone else to observe, tactile passwords can't be guessable in the same way as many conventional ones, they say. A video shows it all in action." Not that the video really helps explain it very well.

6 of 115 comments

  1. special tactile mouse needed .. by rs232 · · Score: 3, Interesting

    You don't need any special tactile mouse. The same could be achieved using a clickable image map showing a keypad with the numbers in random locations. You get a different map each time you enter the site. So keyloggers wouldn't be of any use.

    --
    davecb5620@gmail.com
    1. Re:special tactile mouse needed .. by ConceptJunkie · · Score: 2, Interesting

      I worked for a company, now part of Honeywell, that made access control keypads that work exactly how you describe. It was a really good product, but for the life of me, I can't remember the name of it.

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:special tactile mouse needed .. by Peyna · · Score: 2, Interesting

      The federal building I work in has these keypads on every secure door within the building. (Exterior doors have manned guards and RF card access for employees).

      Another nice feature is that the numbers that are randomly displayed in different places are only visible when viewed straight on; so the guy standing next to you might see where your fingers go, but he won't see what number was displayed on that key at that time.

      --
      What?
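
The randomized keypad that rs232 describes at the top of this thread, sketched from the server side as an added example (not part of the original discussion). The class name `ScrambledKeypad`, the PIN `2580` and both layouts are constructed for illustration.

```python
import hmac
import secrets

DIGITS = "0123456789"


class ScrambledKeypad:
    """One login attempt: a fresh digit layout that stays on the server."""

    def __init__(self, layout=None):
        if layout is None:
            layout = list(DIGITS)
            secrets.SystemRandom().shuffle(layout)  # new layout per attempt
        self._layout = list(layout)  # _layout[position] -> digit drawn there
        if sorted(self._layout) != list(DIGITS):
            raise ValueError("layout must be a permutation of 0-9")
        self._used = False

    def layout_for_rendering(self):
        # Drawn into the image map; the client only ever reports positions.
        return list(self._layout)

    def positions_for(self, pin):
        # What the user clicks (and what an input logger records).
        return [self._layout.index(d) for d in pin]

    def verify(self, clicked_positions, expected_pin):
        # A layout is good for a single attempt, so captured clicks
        # cannot be replayed against the same keypad either.
        if self._used:
            return False
        self._used = True
        if any(not 0 <= p < len(DIGITS) for p in clicked_positions):
            return False
        entered = "".join(self._layout[p] for p in clicked_positions)
        return hmac.compare_digest(entered, expected_pin)


def replay_demo():
    pin = "2580"                                  # constructed sample PIN
    first = ScrambledKeypad("3805192746")         # constructed layout
    clicks = first.positions_for(pin)             # logger sees only these
    ok = first.verify(clicks, pin)
    second = ScrambledKeypad("9164027385")        # next visit, new layout
    replayed = second.verify(clicks, pin)
    return clicks, ok, replayed


if __name__ == "__main__":
    print(replay_demo())
```

The recorded positions are only meaningful together with the layout that was on screen, so this covers capture of the input alone, not capture of the screen along with it.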
  2. Easier solution by 3Suns · · Score: 3, Interesting

    I've always made sure that my passwords contain a string of easily-typable letters consisting primarily of alternating-hand homerow keys, to complement the numbers, punctuation, and capitalization elsewhere in the password. Since you can tap out those letters so quickly without moving your hands around dramatically, it makes it much more difficult for anyone to eyeball your password.

    I've seen countless stories about dedicated password-entry hardware, but none of them (with the minor example of insecure fingerprint scanners) have made an impression. Purpose-dedicated hardware rarely does.

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  3. And the time wasted ? by aix+tom · · Score: 2, Interesting

    > On average, the volunteers took 38 seconds to log on

    So now I need about 4 to 5 seconds to log on. (Just tested it)

    Considering that the system needs a special mouse and a special login interface, too, why not get a mouse with a fingerprint reader and use that login interface?

    I would also imagine Joe User will be trained faster to "put your finger there, dude" than to feel and remember the tactile pattern.

  4. Conversation stops shoulder surfing by obtuse · · Score: 2, Interesting

    I used to support Point of Sale systems at a local sporting goods chain, and often would be at the store working with the manager hanging around learning what they could (always appreciated.) I had a great boss, and she gave me a graceful technique for avoiding shoulder surfing in that situation. You have to be able to touch type your passwords.

    Talk to the person, and look them in the eye while you type your password.

    Not gonna work for all situations (ATM PIN) but incredibly effective where there is only one person who really presents a risk, and really, how often are you working in a crowd?

    OK, Classrooms just suck, so you have to rely on flying fingers sometimes, but I did find it to be useful when "that kid" was hanging around the same way. "That kid" could be a proto-geek, or a hacker wannabe, but I always did what I could to educate and make conversation. Hey, you're interested? Cool! Kids (even teens) respond really well to being treated like people. And, the conversation made it easy to type my password without _him_ seeing it. No need to tempt 'em.

    --
    Assembly is the reverse of disassembly.