Slashdot Mirror
Verifying Passwords By the Way They're Typed
Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.
Yeah, this will work when you're drunk. Or just woken up. Or when your hands just feel different.
put an interesting article behind a paywall, collect the kickbacks
If there is no God then free will is an illusion.
How would such a system know if I am typing on my normal keyboard vs. using an on-screen one on a tablet vs. using a coworkers "ergonomic" keyboard vs. being interrupted in the middle of typing my password by my kids?
Don't blame me, I voted for Kodos
We tested this out a year or two ago, even after repeated 'learning' processes the software still required the user to answer security questions because they failed to match the last learned sequence. The only people that thought it worked well were the people that had done the learning procedure but the validation wasn't turned on for their account.
I had an account at a bank that did something like this.
It sure was great fun having to type in my password 3 times because it didn't like the way I typed it.
And forget about trying to log-in from a mobile device.
(and before you tell me to switch banks, they do have other advantages that make it worth it. Just online-access is a pain-in-the-ass.)
The libertarian solution to the failures of capitalism is to apply more capitalism til the failures are fixed.
My credit union already does this. Keeps me from copy-n-paste my password. I actually have to type it.
From the credit union:
"The safety and security of your private information is our highest priority. That's why we're always looking for innovative ways to strengthen the security of your Online Banking experience. Recently, we’ve added a new layer of Online Banking security. This new feature uses a combination of your username, password and biometrics to verify your identity.
By definition, biometrics is the measurement of physical characteristics to verify your identity. Essentially, this new feature measures the rhythm at which you type your password to verify your identity. It does not keep track of your actual password, it simply recognizes the rhythm in which you type it. Since each person has a unique typing rhythm, this feature provides you an additional layer of security. "
If your wife tries to log in, or if you break your finger playing football, you're screwed. Why can't we just implement some real security without gimmicks.
Because that's how i enter mine most of the time.
Whats with all the re-inventions as of late?
These kinds of programs already existing back in the DOS days. They not only picked up the password itself but also the timing which it took to type it in, thus making it somewhat 'personalized'.
Slow typists couldn't match the password of the faster ones and so on.
Note that the actual paper appears to be behind some crappy paywall
Then don't post it until you find a reference w/o a paywall. Period.
Of course there aren't any passwords are totally secure, if you want totally secure passwords you have to take out the human element all together.
I remember this topic coming up on /. about eight years ago or so... it's a nifty idea; but it'll go nowhere.
Can't find the link right now as search seems busted, actually, /. seems off today.
put the what in the where?
"American University of Beirut, Lebanon"
This is rather confusing to me.
I have heard it called keystroke dynamics, and as others have said it isn't too feasible for just straight-up identify verification. However, you can do a lot of cool things with KD software. Hasn't this concept been around for quite awhile?
IIRC the keyboards of the day did not have precise enough timing for it to be very workable, and there wasnt enough fancy pattern matching software to figure out how to make use of any 'persoanlized' quirks in typing patterns.
plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that
i think the main difference nowdays is some idiot will try to patent it and sue
neither does any other system created since the 1970s. they all store the passwords as hashes
I don't even know what my passwords are, I copy and paste them out of keypass.
So i guess it would work really well for me!
My password manager types my password the same way every time.
or that splinter in your finger, otherwise you could end up getting locked out of your accounts for a while. This dead-end idea sounds a little like voice recognition: fine 'til you catch a cold.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I can't type the sound of my voice.
Arthritis? Can't log in. Too much caffeine? Can't log in. Too little? Can't...
Koans and fables for the software engineer
you have to type it to the rhythm of 'shave and a haircut...' :-P
I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and sinc ethere's substantial amount of text (not just shorter password) I guess it could work.
Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.
BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.
Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.
Coder's Stone: The programming language quick ref for iPad
This post should really be read while "It ain't what you do, but the way that you do it" plays in the background. A tune from Bananarama in the 1980s.
The original tune is about, er, something else :-) (insert optional smirk).
Simple way of creating a usable and secure password is by typing short sentences: http://www.baekdal.com/tips/password-security-usability
The paper dates back to 2009. I can't get it through my university library, so the journal is clearly very obscure. A key logger can log this information, and replay the recorded events to precisely mimic the rhythm of the original typing. It's hard to see how you get around this. It might be protective against shoulder-surfing, although I'd take some convincing that you can get the discrimination right without introducing a lot of false alarms, but it won't provide any protection at all against network or malware based logging.
My laptop has a fingerprint scanner. Works well enough that I usually try that first, but it fails enough that I still log in via password relatievely often.
Being a laptop, and I being a total freak, I often use my laptop in... unusual positions. Seriously, I once used it, standing on my head (leaning against a wall), holding it with one hand and typing with another. Good way to stretch without having to take a break from the Internet.
Anyways, part of that involves logging in, say, one-handed. Or with the laptop tilted at a weird angle relative to my hands. Or typing it in with the bottom of the mouse (using it like a fat ugly stylus). There is absolutely no way I'm going to trust such a system not to lock me out.
Now, I can understand using something like this on something needing absolute security. Not even bank-account level of security - I'm talking "Dead Hand activation code"-level paranoia here. An extra level of security might be useful there. But I would never use this on any computer I would have access to.
However, I do think there might be another place for these: game consoles. Unless you can use a full QWERTY keyboard on them (IIRC, you can plug a USB keyboard into the PS3, and the XBox has a tiny chiclet keyboard thing), I would prefer passwords be something like "up, up, down, down, left-B, right-A, start, start L+R". Adding some very, very loose analysis of entry timings would make that more secure. I can imagine a system like that working (provided it isn't Sony doing the implementation).
This is old research. I haven't read the article so they might be using a new technique, but computer scientists have been looking at this for years. the success rate is reasonably good if i remember correctly too. I think it its mostly based on time between specific key presses. I would also think this would work better when someone is 'out-of-it' as a result just waking up, or being drunk and your typing is more muscle memory than thinking.
Crappy does not describe this. The price of the paper is 30 Euros! (I didn't buy it, if I had I would be posting as AC) Who is going to pay that kind of money based on the posted abstract?
Oh wow so when the weather is cold I won't be able to log in because of my cold stiff fingers that type at a fraction of the speed, possibly with increased mistakes because the up-down movement comes quicker than the left-right movement? What if I come home drunk and feel the need to post a social networking message that I'll read the next morning in horror? Wait, I guess that won't be a bad thing, increased mistake level will block me out. Winner!
measure how you play a game... if you make smart choices in the game, you are probably to smart to give your credit card to Sony, and therefore are not the actual account holder..
I remember back in those old BBS days where they had DOS Based BBS Software where when somone logged into your BBS You had a near mirror image on what the user was doing. So while they typed their password you saw their password echoed to the Sysop screen at real time. For small BBS's a SysOp knew if the user was just by watching them login. You knew by they way they typed if it was them or not.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Does anyone else make up passwords based on a shape or pattern on a keyboard? I got in that habit years ago, remembering them is more "muscle memory" than anything. Half of the time I couldn't even tell you what the actual letters are but can remember that its a Tree shape or fish shape, etc.
I used to work as an IT monkey for a financial institution. When the hammer came around for dual indentification, rather than going with some bizzarre bingo card, matching puppies together or the vast cost prohibitiveness of handing out one-time pad authenticator keys (See RSA key fobs or Blizzard Authenticators), we instead opted to match based on a form of biometrics.
Mind you this was difficult to tune well. It did exactly what this article describes. It replaced our standard text field login with a heavily obfuscated, compressed and bizarrely constructed flash entity. This flash bit took the login, but it also monitored how you type it. If you hit backspace to correct, it cleared the whole field. Yes, if you use a drastically different keyboard or you are drunk or groggy or whatever, it might trip. We had it collect this "biometric" data for nigh on a year before we turned on the blocks if something didn't match. We specifically turned the tightening up on our own accounts to test how it would react. If it fails, it would do one of two things.
1) If you were vastly out of spec, it would tell you no, and to call customer service.
2) if you were slightly out of spec, it would then have you answer secret questions and possibly trigger an out of channel auth (text message to a cell phone listed on your account, or automated voice spoken number called to your house line). If you get this all correct, you get let in, and new data is added to that accounts data pool for the "biometric" hashes of how you type for that account.
I've since left that place, but the idea was interesting and it seemed to work okay, even if it did then block out mobile checking of the site on non-Flash-Compliant phones (iDevices, Blackberry, etc) and make it more difficult on low powered devices (Android phones and old computers).
I worked for a Biometrics company back in the mid to late 90's and we had begun to implement a system based on this same concept. It was never added to our software however, due to the fact that the more closely you required the new input to match the stored baseline the less useable it became.
If you need an 80% or better match then that person had better be sitting in the same chair at the same desk on the same keyboard that they used when they set their typestyle password. If you need 90% or better then you will pretty consistantly end up locking out the user due to everything from temperature of the room to a person's mood that day.
On the other end of that, the number of false positives exponentialy increase for every percent below 80. So the more useable it is for the employee the less reliable it is for security.
Who is going to pay that kind of money based on the posted abstract?
Malware authors working for organised crime? :)
which is totally what she said
Here's a paper on the same subject from 18 years ago, and that was just the first result I found on google scholar!
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=256563
Obviously, there have been advances since then but this certainly isn't a new idea by any stretch of the imagination.
So what happens when I injure a hand working on the car or something and have to do my keyboarding with only my right or only my left? I can't login?
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that
The trick is to have a headache, be intoxicated AND tired when the system learns your typing pattern.
...my password manager should fill the buffer at the same rate every time.
Get off my launchpad!
This is old news: It's already been monetized by Gordon Ross's company: http://www.biopassword.com/keystroke_dynamics_advantages.asp - I had a chance to use this system back in 2004 and it was pretty cool. When the system is learning your password initially, you type it a handful of times so that it can average times between keystrokes. You can type "normal" or you can type at an abnormal rhythm. Your choice. Here are some other papers published a long time ago... http://portal.acm.org/citation.cfm?id=581272 (2002) http://portal.acm.org/citation.cfm?id=266434 (1997)
I wrote a simple prototype for this back in the '90s, and submitted a marginally upgraded version as coursework circa 2002. On hindsight it's not a terribly useful system, it defends against shoulder surfing and not much else. My feeling back then was that a scheme such as this would be useful for ATMs, but given the sophisticated camera + card scanner attacks being employed today, I doubt it'd be much use.
node-def: a tactical hacking sim. Now in open beta.
I keep wanting a password input that works off a keycode stream, not a string.
That way your password could include deletions, modifier keys, and other unusual combinations. It sounds less fragile than this approach, although it might be interesting on devices with different keyboard layouts.
I read about this over 10 years ago. It was the same time hand writing recognition was supposed to turn Palms into ultra-secure password verifiers, and someone said "Hey, we can do that with typing too!". It went nowhere. Anyone got a link to the old research?
This also sounds like the old program to allow the NSA to identify anonymous blog writers. But instead of typing patterns, it used words already typed patterns.
But still, this is OLD tech. Nothing new to see, move along.
I8-D
I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.
It failed miserably.
I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.
So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.
Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.
I realized two things from this demo. First, its easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to login. ...I don't think that review ever got published...
Jeremy Baumgartner
I was just thinking about this the other day when I needed to log into a computer at work while I was holding a part I wanted to look up in our system. I heard about password systems using pattern logging a while ago and thought it would be ridiculous in the real world. On a similar note, I had an uncle that retired from a workplace that had fingerprint, voiceprint, and a weight scanner to get into work. He said if you had a cold or gained or lost more than 5 pounds you had to be escorted to the security office and have your identity verified before they would let you in. Some security measures are just too odd. (A scale? WTF?)
Seriously? ... Let me be the first to welcome you to the world of academic journals.
I remember reading a story about this back around the time I first created my slashdot account some 13+ years ago. I remember people saying it was a nice idea but in practice it was unworkable for various obvious reasons including hand injuries, differing keyboards, and environmental distractions.
You're nothing; like me.
Not true - Sony hashed the passwords; but never let facts get in the way of an anti-Sony zealot, right?
This is old enough that there are established commercial vendors doing it. Just goes to show you - obscure universities in 3rd world countries only do - at best - derivative work.
Here's an example company that's been selling this sort of solution commercially for years:
http://www.biopassword.com/
I'd like to see a full copy of the paper to see how it improves on this work:
"Authentication via Keystroke Dynamics" (1997)
by
Fabian Monrose
and
Aviel Rubin
My strongest password is 30 characters with all the bells and whistles (i.e. upper, lower, special, number, letter, virtually random, not written down anywhere, no hints or alternate methods for recovery -- at least not without knowing the password). How difficult would it be to "brute force" hack this (i.e. without using a key logger or working around it)? What about with the fastest computers available to human kind? Is it something I can keep in good confidence without changing for years or should I change it every couple of months, as with weaker passwords? I don't NEED to know this necessarily, as the password is probably unnecessary for what I have worth protecting, which is basically a gmail account that fills up with travelocity, viagra, and penis enlargement ads (no comments about what this must say of my browsing history please -- I'm just a curious person, what can I say, and besides, it's private alright!). Just wondering. Thanks.
My voice is my passport. Verify Me
... as most of them are made when I'm drunk...
That is all.
I read about this years ago. How is this news? It's a cool idea that I find works well in some situations, but you wouldn't want to use it everywhere. I do think it is a cool technology though.
AJ Henderson
Episode 9 of 'Welcome to Paradox' (http://en.wikipedia.org/wiki/List_of_Welcome_to_Paradox_episodes) is based upon a story by David Ira Cleary, "All Our Sins Forgotten".
In the written story, a mistake in details of a password entry causes the breakdown of the main character's lifestyle, with tragic results.
Dave published that in 1989 (http://www.locusmag.com/index/s146.htm) - I think that counts as prior art...
I talked to someone in the 80's who said that he bought a program and the patent for this type of technology from grad students at Stanford University. This is not new.
This gives "forgot password" a whole new meaning. "Oops, now which password did I use for this site again? And with what rhythm did I type it?"
You claim that a system using this type of authentication should not grant access via mobile device. However, people using mobile devices still demand access to services that the system provides. Should one solve the problem by creating a separate system for mobile devices that provides the same functionality as the main system? If so, what kind of authentication should such a system use?
It is not uncommon--particularly in the developing world--to label universities with credibility building notions such as "American." They typically have a structure resembling an "American/Western" college
Then "American Style University of Beirut" would be more honest. In fact, given what I've read about the rise of "protected designations of origin", this naming practice might even become illegal in some parts of the world, just as only one region's sparkling wine can be called CHAMPAGNE® in the EU.
Since none of you can ever take the time to even read the summary article -> they realize the limitations with the original KPA (key pattern analysis, so they are trying to IMPROVE on it by adding thing such as time each key stays depressed and a group pattern so that in cases of multiple people using the login, it will work. I have no idea if their approach will work but at least they're trying; and I don't believe that they think their method can be used all the time.
18 years ago, I wrote a DOS-based keyboard lock intercept that used keydown/keyup in addition to keypress. Current password schemes use the sequence of keypresses only. Mine captured when a key was depressed and when it was released, such that you could have a passcode consisting of:
Depress H
Depress E
Release E
Depress L
Release H
Release L
Depress L
Depress O
Release L
Release O
This sequence spells out the word HELLO, but is somewhat more secure than HELLO at the console as it also requires the press/release to be in the correct order. This was back in the days and in an environment where shoulder surfing a password was a bigger concern than over-the-wire interception.
Ultimately, regardless of what information goes into the passcode, the bottom line is that we're still thinking in terms of the user supplying some sort of secret identifier (we'll call it a passcode) known only to them, and the system storing it in some manner and validating against it for future authentication attempts. If this passcode is a short sequence of characters ('password'), a long sequence ('passphrase'), a sequence containing additional information ('enhanced passcode'), or a series of challenge/response pairs ('passcodes') all we're doing is making the passcodes more complex. We're not making the method of authentication more reliable.
So right now we're stuck with trying to secure the means of storing and transmitting that information. We don't store passwords in plain text anymore. We don't use reversible encryption anymore. Now we encrypt the means of transmission. The means of transmission is crackable. Hash codes are crackable. So we keep working to make them stronger, but it's the same arms race all over again.
And now I have to run to a meeting. :(
http://channel9.msdn.com/Blogs/TheChannel9Team/Kevin-Schofield-Tour-of-Microsoft-Research-Part-II-machine-learning
http://research.microsoft.com/en-us/um/people/horvitz/interrupt.htm - this is his stuff about email/IM interruptions
for example this one http://research.microsoft.com/en-us/um/people/horvitz/learninterrupt.htm
I have only really watched the video myself, it's an interesting idea - using webcam, microphone and your calendar, try to estimate how much is your time worth (in dollars) at any particular point of time. I guess the guy was so annoyed with IM that he decided to dedicate his research to it :)
I gave up thinking about this a couple of years ago, mostly because the keyboards we use do not capture the velocity with which each key is pushed. heavy-handed vs limp wristed and so on. biometrics kind of trump this research. fingerprint readers are showing up on more and more laptops for just this reason. And then, different keyboards perform differently, the flat keys on a laptop being totally different from any ps/2 or usb keyboard, then there are touchscreen keyboards, the rubber ones that you can roll up and put in your pocket...
In other words, too many uncontrollable environmental factors get in the way of this idea being useful.
of course, currently the only thing a figerprint scanner does is confirm the identity of the user so the computer knows it is ok to pass on the login/password credentials that are stored on your computer.
and the other potentially useful personally identifiable characteristic:
the amount of time between the final keystroke of a password and pressing the enter key to send it. Is that subconscious pause to think about whether your password was typed in correctly enough to identify you as you.
You're all assuming that the only way to use this is as a standalone authentication factor.
Rather than using this for as a standalone, it would be great for conducting an audit. Keep a history of how someone types their password, and then if an account is compromised, you can nail down precisely when because the typing pattern will have changed.
And if you build a profile of the person and detect a number of sudden changes, you can avoid false positives. Not to mention the fact that credit card companies have learned how to handle this stuff: if you detect a number of changes, you call the person, proactively, to verify their identity.
Guys, this as others have already asserted, is very old tech. It goes back to days of Morse code use in the military. Morse operators could authenticate another sender's identitiy (or whether he was sending his message under duress and potentially compromised) by what was called his "fist", or the rhythm of the transmission. Notably, Imprivata made an effort a couple of years ago to monetize this approach, but it is as many have pointed out fraught with multiple issues depending on how you enter and/or manage your passwords.
Can I bum a sig? I left mine at the office.
This specific idea was written up in an academic paper more than a decade ago http://www.veniceconsulting.com/docs/ryan.intrusion.pdf.
Every rule has more than one consequence.
I remember seeing a demo of such a system in a trade show back the 1980s. The password was written on a piece of cardboard and placed prominently by the PC, and visitors were encouraged to try to enter it successfully. None could, even when we mimicked the typing speed and characteristics of the guy who was giving the demo.
This would be awesome if they could get it perfect, but it's impossible. There are too many variables that would change the pattern and it would just get annoying. Sure, you could eventually get it right, but users would just get fed up and would rather just use a longer more cryptic password than deal with starting over each time.
It's probably already patented.
Already patents out for some years on this topic as well as commercial products. Nothing new, at least not as long as the document on what they did is not freely available. Hiding some information does not make it better.
In any case it will be better than "just a PW". All the attacks for which this new system is vulnerable also hold for the usual username/password systems. But as you say, it will protect against some attacks like shouldersurfing. But as long as we have no details, we cannot comment on it.
I am an IT guy and tested a similar product. They claimed we could "eliminate changing passwords" by using their "how it is typed" software. They set us up a test page, signed in many times a day until I had "trained" it to my way of typing my password (something like 100 times). I then sent my account information to my coworkers and invited them to attempt to login to my account. Within ten minutes of sending the challenge Email I had a screen shot of my compromised account. Needless to say the sales guy didn't make a sale.
Viewing keyboard dynamics as a password verification is a limited view of this idea.
keyboard dynamics can be used to continuously verify all entry fields
and, used correctly, is another layer in a multi-layered authentication approach.
Looking at behaviour is not new. Credit card companies looking for strange usage to determine risk is common place. This manifests itself with cards being blocked when used in strange locations for odd purchases.
Using this technology to determine risk is the same approach applied to the Internet.
They also consider IP address, OS/browser/java versions, time of day, transaction profile, amounts etc. all mixed together in a risk score then the keyboard dynamics are just one pillar of behaviour.
The technology also has applications in detecting human access vs. automated (bots), detecting multiple account registrations, and in forensics where transactions determined to be fraudulent can be examining not for not being the correct user but who that user is likely to be.
There are a number of commercial implementations...
behaviosec.com, keytrac.de, biopassword all implement this full spectrum more than user&passwords.
There is an academic paper publically availibe on
Identity Theft Computers and Behavioral Biometrics
http://www.docstoc.com/docs/34869436/Identity-Theft-Computers-and-Behavioral-Biometrics