Slashdot Mirror


Tactile Passwords vs Shoulder Surfing

holy_calamity writes "Entering passwords using a tactile interface would remove two of the main vulnerabilities of using keyboards and alphanumeric passwords, say UK researchers. They're using sequences of tactile icons on a VTPlayer tactile mouse instead. Shapes are displayed using the 16-pin tactile displays under the user's fore and middle fingers. As well as being almost impossible for anyone else to observe, tactile passwords can't be guessable in the same way as many conventional ones, they say. A video shows it all in action." Not that the video really helps explain it very well.

22 of 115 comments

  1. special tactile mouse needed .. by rs232 · · Score: 3, Interesting

    You don't need any special tactile mouse. The same could be achieved using a clickable image map showing a keypad with the numbers in random locations. You get a different map each time you enter the site. So keyloggers wouldn't be of any use.

    --
    davecb5620@gmail.com
    1. Re:special tactile mouse needed .. by The+Evil+Couch · · Score: 3, Insightful

      However it would be clearly visible to anyone looking over your shoulder. Even more so than the traditional keyboard password entry.

    2. Re:special tactile mouse needed .. by rs232 · · Score: 2, Insightful

      "However it would be clearly visible to anyone looking over your shoulder. Even more so than the traditional keyboard password entry."

      Actual pin is 1234

      Standard keypad layout ..

      789
      456
      123

      The screen shows ..

      251
      369
      847

      You click on 8473. The next time round it's a different keypad layout.

      --
      davecb5620@gmail.com
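The scrambled-keypad idea discussed in this sub-thread, as an added example (not code from the article or from any commenter): the server keeps a fresh layout per login attempt, the client reports only which cells were clicked, and a logged click sequence fails against any other layout. The class and function names and both sample layouts are constructed for illustration; the sketch covers input logging only, not an observer who can see the screen.

```python
import secrets

DIGITS = "0123456789"

def new_layout():
    """Fresh random arrangement of the ten keys, generated per login attempt."""
    keys = list(DIGITS)
    secrets.SystemRandom().shuffle(keys)
    return "".join(keys)

def clicks_for_pin(pin, layout):
    """User side: click the cell currently showing each PIN digit."""
    return [layout.index(d) for d in pin]

def decode_clicks(clicks, layout):
    """Server side: translate clicked cell numbers back into digits."""
    return "".join(layout[i] for i in clicks)

class KeypadSession:
    """One login attempt; the layout stays server-side and is single-use."""

    def __init__(self, pin, layout=None):
        self._pin = pin
        self.layout = layout or new_layout()
        self._used = False

    def verify(self, clicks):
        if self._used:
            return False  # a layout is never accepted twice
        self._used = True
        if any(not 0 <= i < len(self.layout) for i in clicks):
            return False  # reject cell numbers outside the keypad
        return secrets.compare_digest(decode_clicks(clicks, self.layout), self._pin)

# Constructed sample layouts (assumptions, not taken from the thread).
LAYOUT_A = "2513698470"
LAYOUT_B = "9081726354"

def demo():
    first = KeypadSession("1234", LAYOUT_A)
    logged = clicks_for_pin("1234", first.layout)  # all an input logger records
    ok = first.verify(logged)                      # genuine login succeeds
    replay_same = first.verify(logged)             # same session again: refused
    replay_next = KeypadSession("1234", LAYOUT_B).verify(logged)  # new layout
    return logged, ok, replay_same, replay_next
```
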
    3. Re:special tactile mouse needed .. by sxpert · · Score: 2, Insightful

      that pretty dumbass comment doesn't take into account that some people are blind, thus can't see the pretty pictures on the stupid screen

    4. Re:special tactile mouse needed .. by ConceptJunkie · · Score: 2, Interesting

      I worked for a company, now part of Honeywell, that made access control keypads that work exactly how you describe. It was a really good product, but for the life of me, I can't remember the name of it.

      --
      You are in a maze of twisty little passages, all alike.
    5. Re:special tactile mouse needed .. by whyloginwhysubscribe · · Score: 2, Insightful

      Like an Optimus Keyboard?
      I can't help but think that it would take too long to find each individual key. I suppose they could just display the numbers that are in your PIN and perhaps put them in the correct order so that it would be easier to find them.
      Why don't they ask for just 2 or 3 numbers from your PIN, like the way they do on online banking systems? Works well for me...

    6. Re:special tactile mouse needed .. by Mr.+Mindless · · Score: 2, Funny

      using it on Automatic Teller Machine machines?

      good god it's brilliant!

      they could be connected via Network Interface Card cards!

      --
      - MM
    7. Re:special tactile mouse needed .. by Peyna · · Score: 2, Interesting

      The federal building I work in has these keypads on every secure door within the building. (Exterior doors have manned guards and RF card access for employees).

      Another nice feature is that the numbers that are randomly displayed in different places are only visible when viewed straight on; so the guy standing next to you might see where your fingers go, but he won't see what number was displayed on that key at that time.

      --
      What?
  2. How could the video explain it? by badfish99 · · Score: 5, Funny

    No wonder that the video does not help to explain it very well. TFA says "it is almost impossible for anyone else to observe"

  3. Er... by tygerstripes · · Score: 2, Insightful

    Well... it is an interesting concept, and I like how they've made it work. Thing is, the problem is never the system, but the people using it. Shoulder-surfing should be nigh-on impossible when the user touch-types at anything approaching a decent speed - it's the two-finger-jabbers who make it easy. The passwords themselves are only easy to guess because people are total gimps.

    Cool though this tech is, there is nothing so clever that fools can't render it worthless.

    --
    Meta will eat itself
  4. Shoulder surfing? by AnimeDTA · · Score: 4, Funny

    Being bored at work, I took up using the Dvorak keyboard layout. My passwords however retain the same unconscious keyboard patterns as they did on a standard keyboard. Without even thinking of what my password is I can type it. For a while I didn't even know my own passwords were... this proved to be a problem when I had to check email and wasn't at my computer. But it definitely ends the shoulder surfing for passwords.

    I ended up typing my passwords a few times in notepad and memorized the gibberish that is my password now. Other than that I'd have to be trying to know what my fingers are pressing when I go into password mode.

    1. Re:Shoulder surfing? by 140Mandak262Jamuna · · Score: 2, Insightful

      What, you just have one password? One password for all your accounts? The same password for the accounts in your work, for your accounts with your bank and brokerage account, and for the web mail and for the rarely visited "registration required" sites? That is insane.

      My personal password policy: I have four kinds of passwords. The highest and most secure ones are for the work accounts and my financial institutions. The next ones are for the web merchants who know my mailing address and credit card numbers. The third kind is the one where there is no money involved and thus not attractive to hackers like my webmail or slashdot. The fourth one is for home network, the router, the dsl PPPoE account, home machines administrator passwords.

      No two accounts I have use exactly the same password. Even if a bent sys admin snags my password, he/she can't damage anything more than account.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Re:Impossible? by twistedsymphony · · Score: 2, Funny

    Yeah but can Superman properly identify a Kitten?

  6. My Solution by thorkyl · · Score: 3, Funny

    Let's just put small DNA testers on each PC.

    Then all you have to do is stick something in the hole to donate a blood sample.

    --
    Stupid people breeding has led us to the current government

    --
    -- I am the NRA, enough said...
  7. Mmm.... tactile.... by john-da-luthrun · · Score: 2, Funny

    I dread to think what the "tactile" password for a pr0n site would be like...

  8. Easier solution by 3Suns · · Score: 3, Interesting

    I've always made sure that my passwords contain a string of easily-typable letters consisting primarily of alternating-hand homerow keys, to complement the numbers, punctuation, and capitalization elsewhere in the password. Since you can tap out those letters so quickly without moving your hands around dramatically, it makes it much more difficult for anyone to eyeball your password.

    I've seen countless stories about dedicated password-entry hardware, but none of them (with the minor example of insecure fingerprint scanners) have made an impression. Purpose-dedicated hardware rarely does.

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
    1. Re:Easier solution by frenchbedroom · · Score: 2, Funny

      You sir are correct, this is the way to go when creating a password.

      Me, I have yet another layer of protection : my keyboard is labelled in standard French Azerty, but I use a French Dvorak layout (I have no need to change the labels since Dvorak layouts are designed for touchtyping).

      It's very funny when the co-workers try typing stuff with my keyboard :) For example, this is "Hello, World!" typed as if my keyboard was Azerty :

      Cpnnlq Àloniw
      (funnily enough, that's also "Hello, World" in Gaelic. Ba-da, dum.)
  9. And the time wasted ? by aix+tom · · Score: 2, Interesting

    > On average, the volunteers took 38 seconds to log on

    So now I need about 4 to 5 seconds to log on. (Just tested it)

    Considering that the system needs a special mouse and a special login interface, too, why not get a mouse with a finger print reader and use that login interface?

    I would also imagine Joe User will be trained faster to "put your finger there, dude", than to feel and remember the tactile pattern.

  10. Re:Conflict by mxolisi06 · · Score: 2, Insightful
    I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.
    In actual situations, as the name "tactile" suggests, the user's fingers will lay on the pads, so nothing will be observable.

    The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peeking over your shoulder, it'll help. It won't help to protect you from your competitor or a black hat hacker who installed spyware on your PC.
    It seems to me that this method does protect from keyloggers. First, you'd need a mouselogger, since login isn't done via keyboard. But the thing is you'd need access to the piece of memory that maps the 9 squares to different tactile patterns, because the mapping changes each time. In short, you'd need root access to the machine, and then you don't need to guess the password anymore...
  11. Got rhythm? by bromoseltzer · · Score: 3, Funny

    As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

    --
    Fiat Lux.
  12. Re:Impossible? by durnurd · · Score: 3, Insightful

    If you've got Superman trying to steal your password, I think you've got bigger problems than an insecure password.

    --
    --Edward Dassmesser
  13. Conversation stops shoulder surfing by obtuse · · Score: 2, Interesting

    I used to support Point of Sale systems at a local sporting goods chain, and often would be at the store working with the manager hanging around learning what they could (always appreciated.) I had a great boss, and she gave me a graceful technique for avoiding shoulder surfing in that situation. You have to be able to touch type your passwords.

    Talk to the person, and look them in the eye while you type your password.

    Not gonna work for all situations (ATM Pin) but incredibly effective where there is only one person who really presents a risk, and really, how often are you working in a crowd?

    OK, Classrooms just suck, so you have to rely on flying fingers sometimes, but I did find it to be useful when "that kid" was hanging around the same way. "That kid" could be a proto-geek, or a hacker wannabe, but I always did what I could to educate and make conversation. Hey, you're interested? Cool! Kids (even teens) respond really well to being treated like people. And, the conversation made it easy to type my password without _him_ seeing it. No need to tempt 'em.

    --
    Assembly is the reverse of disassembly.