Verifying Passwords By the Way They're Typed
Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.
How would such a system know if I am typing on my normal keyboard vs. using an on-screen one on a tablet vs. using a coworker's "ergonomic" keyboard vs. being interrupted in the middle of typing my password by my kids?
Don't blame me, I voted for Kodos
We tested this out a year or two ago; even after repeated 'learning' processes the software still required the user to answer security questions because they failed to match the last learned sequence. The only people that thought it worked well were the people that had done the learning procedure but the validation wasn't turned on for their account.
I had an account at a bank that did something like this.
It sure was great fun having to type in my password 3 times because it didn't like the way I typed it.
And forget about trying to log-in from a mobile device.
(and before you tell me to switch banks, they do have other advantages that make it worth it. Just online-access is a pain-in-the-ass.)
The libertarian solution to the failures of capitalism is to apply more capitalism til the failures are fixed.
If your wife tries to log in, or if you break your finger playing football, you're screwed. Why can't we just implement some real security without gimmicks.
Note that the actual paper appears to be behind some crappy paywall
Then don't post it until you find a reference w/o a paywall. Period.
I remember this topic coming up on /. about eight years ago or so... it's a nifty idea; but it'll go nowhere.
Can't find the link right now as search seems busted, actually, /. seems off today.
put the what in the where?
"American University of Beirut, Lebanon"
This is rather confusing to me.
IIRC the keyboards of the day did not have precise enough timing for it to be very workable, and there wasn't enough fancy pattern matching software to figure out how to make use of any 'personalized' quirks in typing patterns.
Plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that.
I think the main difference nowadays is some idiot will try to patent it and sue.
Are you saying I need to teach my dog to type my password then?
wha'? where am i?
Neither does any other system created since the 1970s. They all store the passwords as hashes.
I don't even know what my passwords are, I copy and paste them out of keypass.
So I guess it would work really well for me!
My password manager types my password the same way every time.
or that splinter in your finger, otherwise you could end up getting locked out of your accounts for a while. This dead-end idea sounds a little like voice recognition: fine 'til you catch a cold.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I can't type the sound of my voice.
Arthritis? Can't log in. Too much caffeine? Can't log in. Too little? Can't...
Koans and fables for the software engineer
you have to type it to the rhythm of 'shave and a haircut...' :-P
I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and since there's a substantial amount of text (not just a shorter password) I guess it could work.
Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.
BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.
Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.
The paper dates back to 2009. I can't get it through my university library, so the journal is clearly very obscure. A key logger can log this information, and replay the recorded events to precisely mimic the rhythm of the original typing. It's hard to see how you get around this. It might be protective against shoulder-surfing, although I'd take some convincing that you can get the discrimination right without introducing a lot of false alarms, but it won't provide any protection at all against network or malware based logging.
My laptop has a fingerprint scanner. Works well enough that I usually try that first, but it fails enough that I still log in via password relatively often.
Being a laptop, and I being a total freak, I often use my laptop in... unusual positions. Seriously, I once used it, standing on my head (leaning against a wall), holding it with one hand and typing with another. Good way to stretch without having to take a break from the Internet.
Anyways, part of that involves logging in, say, one-handed. Or with the laptop tilted at a weird angle relative to my hands. Or typing it in with the bottom of the mouse (using it like a fat ugly stylus). There is absolutely no way I'm going to trust such a system not to lock me out.
Now, I can understand using something like this on something needing absolute security. Not even bank-account level of security - I'm talking "Dead Hand activation code"-level paranoia here. An extra level of security might be useful there. But I would never use this on any computer I would have access to.
However, I do think there might be another place for these: game consoles. Unless you can use a full QWERTY keyboard on them (IIRC, you can plug a USB keyboard into the PS3, and the XBox has a tiny chiclet keyboard thing), I would prefer passwords be something like "up, up, down, down, left-B, right-A, start, start L+R". Adding some very, very loose analysis of entry timings would make that more secure. I can imagine a system like that working (provided it isn't Sony doing the implementation).
This is old research. I haven't read the article so they might be using a new technique, but computer scientists have been looking at this for years. The success rate is reasonably good if I remember correctly too. I think it's mostly based on time between specific key presses. I would also think this would work better when someone is 'out-of-it' as a result of just waking up, or being drunk, and your typing is more muscle memory than thinking.
Crappy does not describe this. The price of the paper is 30 Euros! (I didn't buy it, if I had I would be posting as AC) Who is going to pay that kind of money based on the posted abstract?
Oh wow so when the weather is cold I won't be able to log in because of my cold stiff fingers that type at a fraction of the speed, possibly with increased mistakes because the up-down movement comes quicker than the left-right movement? What if I come home drunk and feel the need to post a social networking message that I'll read the next morning in horror? Wait, I guess that won't be a bad thing, increased mistake level will block me out. Winner!
1) Just typing the password is far easier
Not if it's a good strong password and you only use it in one place, which means you have a lot of passwords.
2) If you'd have to copy and paste it, you'd have to have it in a text file
Not necessarily. It could be a salted hash that's regenerated when it's needed.
3) Storing that text file unencrypted would be incredibly stupid
That depends on who has physical access to the text file. Contrary to popular belief, a sticky note pasted to the monitor is actually quite secure against Chinese hackers, though you still have to worry about the cleaning staff because they have physical access.
4) What's the point of encrypting it when you'd have to enter a password to get to it?
At least then your master password still requires physical access to the encrypted file to be useful. Whereas if you use the same password on a bunch of different sites, any one being compromised basically compromises all of them. Is it more likely that your account on a single site be compromised than it is for someone to gain access to the master password file and break the master password on it? I'd say it is.
I remember back in those old BBS days where they had DOS-based BBS software where when someone logged into your BBS you had a near mirror image of what the user was doing. So while they typed their password you saw their password echoed to the SysOp screen in real time. For small BBSes a SysOp knew if it was the user just by watching them log in. You knew by the way they typed if it was them or not.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Does anyone else make up passwords based on a shape or pattern on a keyboard? I got in that habit years ago; remembering them is more "muscle memory" than anything. Half of the time I couldn't even tell you what the actual letters are but can remember that it's a tree shape or fish shape, etc.
linuxgeek64 asks:
Why would anyone enter a password with copy and paste?
1) Just typing the password is far easier
2) If you'd have to copy and paste it, you'd have to have it in a text file
3) Storing that text file unencrypted would be incredibly stupid
4) What's the point of encrypting it when you'd have to enter a password to get to it?
There are these things called "Password Safes" which can hold many many MANY passwords... long passwords... secure passwords... passwords to servers or routers that I log into once a year... Password safes keep the contents encrypted and many work via copy-and-paste... you double-click on the server name, the password safe puts the password in your clipboard and then you move focus to your SSH session to your router... hit control-V and log in.
Karma: Excellent. 15 moderator points expire sometime.
Who is going to pay that kind of money based on the posted abstract?
Malware authors working for organised crime? :)
which is totally what she said
Here's a paper on the same subject from 18 years ago, and that was just the first result I found on google scholar!
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=256563
Obviously, there have been advances since then but this certainly isn't a new idea by any stretch of the imagination.
So what happens when I injure a hand working on the car or something and have to do my keyboarding with only my right or only my left? I can't login?
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
So we've gone from slashvertisements to just outright assisting scammers, Taco? Wonder what took you so long...
Caveat Utilitor
...my password manager should fill the buffer at the same rate every time.
Get off my launchpad!
This is old news: It's already been monetized by Gordon Ross's company: http://www.biopassword.com/keystroke_dynamics_advantages.asp - I had a chance to use this system back in 2004 and it was pretty cool. When the system is learning your password initially, you type it a handful of times so that it can average times between keystrokes. You can type "normal" or you can type at an abnormal rhythm. Your choice. Here are some other papers published a long time ago... http://portal.acm.org/citation.cfm?id=581272 (2002) http://portal.acm.org/citation.cfm?id=266434 (1997)
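An added illustration (not BioPassword's code or anything from the thread) of the enrollment scheme described above: the user types the password a handful of times, the system averages the gaps between keystrokes, and later attempts are scored against that profile. Function names, the MIN_STDEV floor, the threshold and the sample timings are all assumptions; the relative mode reproduces the "relative timing between keystrokes" variant mentioned elsewhere in the thread, and the constructed "slow" and "even" attempts show the false-rejection and mimicry trade-off the commenters complain about.

```python
import hmac
import statistics
from typing import Sequence

# Hypothetical keystroke-dynamics verifier written for this thread. All names,
# constants and timings below are made up for illustration.
MIN_STDEV = 0.02         # floor so a very consistent enrollment does not reject everyone
DEFAULT_THRESHOLD = 2.0  # mean |z-score| across gaps above which the rhythm is rejected


def latencies(timestamps: Sequence[float], relative: bool) -> list[float]:
    """Gaps between consecutive key-down times. relative=True scales them to sum
    to 1, which discards overall typing speed and keeps only the rhythm."""
    if len(timestamps) < 2:
        raise ValueError("need at least two keystrokes")
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if any(g <= 0 for g in gaps):
        raise ValueError("timestamps must be strictly increasing")
    if relative:
        total = sum(gaps)
        gaps = [g / total for g in gaps]
    return gaps


def enroll(password: str, samples: Sequence[Sequence[float]], relative: bool = False) -> dict:
    """Build a profile (per-gap mean and stdev) from several typings of the password."""
    n_gaps = len(password) - 1
    rows = [latencies(s, relative) for s in samples]
    if len(rows) < 2 or any(len(r) != n_gaps for r in rows):
        raise ValueError("each sample needs one key-down timestamp per character")
    columns = list(zip(*rows))
    return {
        "password": password,  # a real system stores a salted hash, not the string
        "relative": relative,
        "means": [statistics.fmean(c) for c in columns],
        "stdevs": [max(statistics.pstdev(c), MIN_STDEV) for c in columns],
    }


def rhythm_score(profile: dict, timestamps: Sequence[float]) -> float:
    """Mean absolute z-score of an attempt's gaps against the enrolled profile."""
    gaps = latencies(timestamps, profile["relative"])
    if len(gaps) != len(profile["means"]):
        return float("inf")
    return statistics.fmean(
        abs(g - m) / s for g, m, s in zip(gaps, profile["means"], profile["stdevs"])
    )


def verify(profile: dict, typed: str, timestamps: Sequence[float],
           threshold: float = DEFAULT_THRESHOLD) -> tuple[bool, str]:
    """The characters must match exactly AND the rhythm must be close to the profile."""
    if not hmac.compare_digest(typed.encode(), profile["password"].encode()):
        return False, "wrong password"
    score = rhythm_score(profile, timestamps)
    if score > threshold:
        return False, f"rhythm mismatch (score {score:.2f})"
    return True, f"ok (score {score:.2f})"


# Constructed data: key-down times in seconds for the password "hello1".
ENROLL = [
    [0.00, 0.12, 0.25, 0.33, 0.50, 0.70],
    [0.00, 0.13, 0.27, 0.34, 0.52, 0.73],
    [0.00, 0.11, 0.24, 0.32, 0.49, 0.68],
    [0.00, 0.12, 0.26, 0.33, 0.51, 0.71],
]
NORMAL = [0.00, 0.13, 0.26, 0.34, 0.52, 0.71]  # same user, usual habits
SLOW = [0.00, 0.18, 0.38, 0.50, 0.75, 1.05]    # same user, cold fingers: same rhythm, 1.5x slower
EVEN = [0.00, 0.30, 0.60, 0.90, 1.20, 1.50]    # someone reading the password off a note

if __name__ == "__main__":
    for relative in (False, True):
        prof = enroll("hello1", ENROLL, relative=relative)
        for name, ts in (("normal", NORMAL), ("slow", SLOW), ("even", EVEN)):
            print(f"relative={relative} {name}: {verify(prof, 'hello1', ts)}")
```

With absolute latencies the slow-but-genuine attempt is falsely rejected; relative timing accepts it while still rejecting the evenly paced attempt, at the cost of a smaller margin.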
I wrote a simple prototype for this back in the '90s, and submitted a marginally upgraded version as coursework circa 2002. On hindsight it's not a terribly useful system, it defends against shoulder surfing and not much else. My feeling back then was that a scheme such as this would be useful for ATMs, but given the sophisticated camera + card scanner attacks being employed today, I doubt it'd be much use.
I keep wanting a password input that works off a keycode stream, not a string.
That way your password could include deletions, modifier keys, and other unusual combinations. It sounds less fragile than this approach, although it might be interesting on devices with different keyboard layouts.
I read about this over 10 years ago. It was the same time hand writing recognition was supposed to turn Palms into ultra-secure password verifiers, and someone said "Hey, we can do that with typing too!". It went nowhere. Anyone got a link to the old research?
This also sounds like the old program to allow the NSA to identify anonymous blog writers. But instead of typing patterns, it used words already typed patterns.
But still, this is OLD tech. Nothing new to see, move along.
I8-D
I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.
It failed miserably.
I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.
So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.
Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.
I realized two things from this demo. First, it's easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to log in. ...I don't think that review ever got published...
Jeremy Baumgartner
I was just thinking about this the other day when I needed to log into a computer at work while I was holding a part I wanted to look up in our system. I heard about password systems using pattern logging a while ago and thought it would be ridiculous in the real world. On a similar note, I had an uncle that retired from a workplace that had fingerprint, voiceprint, and a weight scanner to get into work. He said if you had a cold or gained or lost more than 5 pounds you had to be escorted to the security office and have your identity verified before they would let you in. Some security measures are just too odd. (A scale? WTF?)
Seriously? ... Let me be the first to welcome you to the world of academic journals.
I remember reading a story about this back around the time I first created my slashdot account some 13+ years ago. I remember people saying it was a nice idea but in practice it was unworkable for various obvious reasons including hand injuries, differing keyboards, and environmental distractions.
You're nothing; like me.
Not true - Sony hashed the passwords; but never let facts get in the way of an anti-Sony zealot, right?
I find it highly unlikely that your "safe" is air-walled in a physically secure location. So... what if someone manages to obtain your safe's password? Your plethora of uber strong passwords is effectively just one password.
These password vaults/safes are nothing but another convenience tool sold to people with poor judgement that are continually finding ways to skirt the protection measures put in place to protect their own and their company's butt from malware and various other forms of security breaches.
Two of my imaginary friends reproduced once
... as most of them are made when I'm drunk...
That is all.
I read about this years ago. How is this news? It's a cool idea that I find works well in some situations, but you wouldn't want to use it everywhere. I do think it is a cool technology though.
AJ Henderson
This gives "forgot password" a whole new meaning. "Oops, now which password did I use for this site again? And with what rhythm did I type it?"
yeah, you're right... better go back to a text file with all passwords in it. because security is binary...all in or all out
you have a lot to learn, bub
You claim that a system using this type of authentication should not grant access via mobile device. However, people using mobile devices still demand access to services that the system provides. Should one solve the problem by creating a separate system for mobile devices that provides the same functionality as the main system? If so, what kind of authentication should such a system use?
Look at it this way: we now all have a really good excuse why we didn't RTFA.
RTFA is Known to the State of California to cause cancer.
It is not uncommon--particularly in the developing world--to label universities with credibility-building notions such as "American." They typically have a structure resembling an "American/Western" college.
Then "American Style University of Beirut" would be more honest. In fact, given what I've read about the rise of "protected designations of origin", this naming practice might even become illegal in some parts of the world, just as only one region's sparkling wine can be called CHAMPAGNE® in the EU.
That's a feature - if it's password protected, you're best off not doing it while intoxicated.
How are sites slashdotted when nobody reads TFAs?
I've never needed an excuse before.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
I don't know about how you would do it, but my password safe requires four bits of authentication:
I have to have physical access to the machine it is on.
I have to know the password to log on to that machine (technically, this can be bypassed with physical access...)
I have to know where the password safe is.
And I have to know my (fairly secure) password, which I do not share with anyone, and does not match any other sites.
There are ways around those, but the truth is that no one cares enough about my secrets to even go so far as finding my password database, let alone reverse engineer its encryption. There are simply too many other, easier targets to go after.
If I needed to add another layer of security, I could always account-bind it and add a file key that I keep somewhere else...
Security can always be breached somehow. The trick isn't to make security perfect, but to make it the right balance between secure and usable (without usability, what point is there to security in the first place?)
Password safe programs, or encrypt the contents of the text file with GPG. Which has advantages like being able to send backup copies of site passwords to your webmail, or printing it out and putting it in safe. The main issue is that you have to keep your GPG private key safe, but I'm used to taking precautions with that.
Wolde you bothe eate your cake, and have your cake?
I have heard it called keystroke dynamics, and as others have said it isn't too feasible for just straight-up identify verification. However, you can do a lot of cool things with KD software. Hasn't this concept been around for quite awhile?
Yup, it has. I worked on a mainframe system back in the early 1970s whose OS provided keystroke timings to apps that wanted the info. The first use was in the login code, which used the character-pair timings to verify the user. It was actually fairly successful, and didn't have the rampant failures that many people here describe. In fact, it pretty quickly made login ids unnecessary, since the "system" could identify each user fairly quickly when they typed anything at all.
There was a funny follow-on gimmick implemented by some guys in the organization (a university computer center): They got access to the schedule of the operators and others who worked there, and wrote a routine that compared the people typing with the schedule. One day, a fellow (call him Joe) called in sick, and another (Bill) took his slot. Soon after Bill started typing (without identifying himself), the computer came back with a comment like "Hey, Bill, you're not Joe. Joe was scheduled now, not you. What happened? Is Joe sick or something?" The staff freaked out, and some of them were afraid to type to the computer until the programmers came in and explained what they'd done.
But most current OSes hide the timing info from user-level software, so it's not surprising that people nowadays would find that the idea doesn't work very well. To work, the code has to have access to fairly precise timing of keyboard events, and that just isn't possible with most current (commercial) computer systems. You'd have to have a real-time kernel for it to work at all, and any software layer that munges the timings would kill the idea entirely.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
... and then you move focus to your SSH session to your router...hit control-V and log in
I call shenanigans! Unless you have very windows-user-friendly SSH software, CTRL+V is not going to help you out too much when trying to paste.
Note to self: Stop putting jokes in my insightful comments so I can get something other than +1 Funny!
18 years ago, I wrote a DOS-based keyboard lock intercept that used keydown/keyup in addition to keypress. Current password schemes use the sequence of keypresses only. Mine captured when a key was depressed and when it was released, such that you could have a passcode consisting of:
Depress H
Depress E
Release E
Depress L
Release H
Release L
Depress L
Depress O
Release L
Release O
This sequence spells out the word HELLO, but is somewhat more secure than HELLO at the console as it also requires the press/release to be in the correct order. This was back in the days and in an environment where shoulder surfing a password was a bigger concern than over-the-wire interception.
Ultimately, regardless of what information goes into the passcode, the bottom line is that we're still thinking in terms of the user supplying some sort of secret identifier (we'll call it a passcode) known only to them, and the system storing it in some manner and validating against it for future authentication attempts. If this passcode is a short sequence of characters ('password'), a long sequence ('passphrase'), a sequence containing additional information ('enhanced passcode'), or a series of challenge/response pairs ('passcodes') all we're doing is making the passcodes more complex. We're not making the method of authentication more reliable.
So right now we're stuck with trying to secure the means of storing and transmitting that information. We don't store passwords in plain text anymore. We don't use reversible encryption anymore. Now we encrypt the means of transmission. The means of transmission is crackable. Hash codes are crackable. So we keep working to make them stronger, but it's the same arms race all over again.
And now I have to run to a meeting. :(
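An added example (not the poster's DOS code; all names are assumptions) of the press/release passcode idea above: the secret is the ordered stream of key-down and key-up events rather than the characters they spell, so HELLO typed plainly and the overlapped HELLO sequence from the comment hash to different passcodes even though an ordinary password field would see the same string.

```python
import hashlib
import hmac
import os

# Hypothetical press/release passcode checker written for this thread.
Event = tuple[str, str]  # ("down" | "up", key)


def canonicalize(events: list[Event]) -> str:
    """Validate an event stream and encode it as a stable string.
    Rejects a release of a key that is not held, a press of a key already held,
    and streams that end with keys still held."""
    held: set[str] = set()
    parts = []
    for kind, key in events:
        if kind == "down":
            if key in held:
                raise ValueError(f"{key} pressed while already held")
            held.add(key)
        elif kind == "up":
            if key not in held:
                raise ValueError(f"{key} released while not held")
            held.remove(key)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        parts.append(f"{kind[0]}{key}")  # 'dH', 'uH', ...
    if held:
        raise ValueError(f"keys still held at end: {sorted(held)}")
    return "|".join(parts)


def spelled(events: list[Event]) -> str:
    """What a conventional password field sees: the key-down characters only."""
    return "".join(key for kind, key in events if kind == "down")


def passcode_hash(events: list[Event], salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canonicalize(events).encode(), salt, 100_000)


def enroll(events: list[Event]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": passcode_hash(events, salt)}


def check(record: dict, events: list[Event]) -> bool:
    """Malformed streams are rejected rather than raising to the caller."""
    try:
        candidate = passcode_hash(events, record["salt"])
    except ValueError:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def typed_plainly(text: str) -> list[Event]:
    """Press and release each character in turn, as HELLO is normally typed."""
    return [ev for ch in text for ev in (("down", ch), ("up", ch))]


# The overlapped HELLO sequence transcribed from the comment above.
OVERLAPPED: list[Event] = [
    ("down", "H"), ("down", "E"), ("up", "E"), ("down", "L"), ("up", "H"),
    ("up", "L"), ("down", "L"), ("down", "O"), ("up", "L"), ("up", "O"),
]

if __name__ == "__main__":
    record = enroll(OVERLAPPED)
    print("spelled:", spelled(OVERLAPPED), spelled(typed_plainly("HELLO")))
    print("overlapped accepted:", check(record, OVERLAPPED))
    print("plain HELLO accepted:", check(record, typed_plainly("HELLO")))
```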
http://channel9.msdn.com/Blogs/TheChannel9Team/Kevin-Schofield-Tour-of-Microsoft-Research-Part-II-machine-learning
http://research.microsoft.com/en-us/um/people/horvitz/interrupt.htm - this is his stuff about email/IM interruptions
for example this one http://research.microsoft.com/en-us/um/people/horvitz/learninterrupt.htm
I have only really watched the video myself; it's an interesting idea: using webcam, microphone and your calendar, try to estimate how much your time is worth (in dollars) at any particular point in time. I guess the guy was so annoyed with IM that he decided to dedicate his research to it :)
I hesitate to refer people to his work since he turned into a raving bigot, but there's a similar plot point in the short story Dogwalker by Orson Scott Card.
Promote proofreading. Don't mod up sloppy posts.
Plus you can have KeePass (one of the password safes) use a password and a key file. The key file is not necessary, but if used can be any file you choose. You could use your wallpaper jpg, or your favorite mp3 file, or some seemingly innocuous ini file buried deep in the folder tree. One extra thing added to the list.
-- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
Or when you break an arm, or sprain a hand, or your arthritis is acting up, or you are eating some food with one hand while typing with the other like I was at lunch at my desk at work today, etc, etc, etc...
This is just a bad idea
Guys, this, as others have already asserted, is very old tech. It goes back to the days of Morse code use in the military. Morse operators could authenticate another sender's identity (or whether he was sending his message under duress and potentially compromised) by what was called his "fist", or the rhythm of the transmission. Notably, Imprivata made an effort a couple of years ago to monetize this approach, but it is, as many have pointed out, fraught with multiple issues depending on how you enter and/or manage your passwords.
Can I bum a sig? I left mine at the office.
This specific idea was written up in an academic paper more than a decade ago http://www.veniceconsulting.com/docs/ryan.intrusion.pdf.
Every rule has more than one consequence.
I remember seeing a demo of such a system at a trade show back in the 1980s. The password was written on a piece of cardboard and placed prominently by the PC, and visitors were encouraged to try to enter it successfully. None could, even when we mimicked the typing speed and characteristics of the guy who was giving the demo.
This would be awesome if they could get it perfect, but it's impossible. There are too many variables that would change the pattern and it would just get annoying. Sure, you could eventually get it right, but users would just get fed up and would rather just use a longer more cryptic password than deal with starting over each time.
It's probably already patented.
"I find it highly unlikely that your "safe" is air-walled in a physically secure location."
Why would you find that unlikely? Lots of people keep theirs on a USB key.
"So... what if someone manages to obtain your safe's password?"
The point is that this is almost vanishingly unlikely, because that password never needs to be stored anywhere outside of your own system or transmitted over any kind of network connection; these are by far the most likely vectors by which someone could discover one of your passwords.
There are already patents out for some years on this topic, as well as commercial products. Nothing new, at least not as long as the document on what they did is not freely available. Hiding some information does not make it better.
In any case it will be better than "just a PW". All the attacks to which this new system is vulnerable also hold for the usual username/password systems. But as you say, it will protect against some attacks like shoulder surfing. But as long as we have no details, we cannot comment on it.
I am an IT guy and tested a similar product. They claimed we could "eliminate changing passwords" by using their "how it is typed" software. They set up a test page for us, and I signed in many times a day until I had "trained" it to my way of typing my password (something like 100 times). I then sent my account information to my coworkers and invited them to attempt to log in to my account. Within ten minutes of sending the challenge email I had a screenshot of my compromised account. Needless to say the sales guy didn't make a sale.