Slashdot Mirror


Verifying Passwords By the Way They're Typed

Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.

11 of 140 comments

  1. how will it know? by i.r.id10t · · Score: 5, Informative

    How would such a system know if I am typing on my normal keyboard vs. using an on-screen one on a tablet vs. using a coworker's "ergonomic" keyboard vs. being interrupted in the middle of typing my password by my kids?

    --
    Don't blame me, I voted for Kodos
    1. Re:how will it know? by cdrudge · · Score: 5, Interesting

      It doesn't. My bank used such a service for a while before it stopped due to complaints. If you made a mistake, paused, etc., you would need to start over. Backspace automatically did it for you. It was a major PITA when my wife would log in to our bank account, then I would try. It always seemed to remember her slow typing but not mine. Plus, it would reject me if I used the number pad to enter the account number because digits there were different keys apparently than the digits on the top row.

    2. Re:how will it know? by Anonymous Coward · · Score: 2, Insightful

      Let's see....

      This would add additional complexity for users who are *already* overwhelmed by what security experts tell them to memorize. A unique username and password for every site and each password needs to be a random jumble of upper, lower, and special characters. I've got nearly 30 passwords (I have no intention of memorizing them - I can't).

      Now, you want to *also* introduce the time between keystrokes? Now I've got three attempts to remember my password, type it correctly, and at the same speed as when I registered? Good luck!

      What benefit does this give us? Systems using this will need to *record* the timing to compare if your timing is correct. In a perfect world, it would be secure and encrypted - but in a perfect world the same is true of your password. But we have to use different passwords because companies can't be trusted to secure the passwords we provide them. So, now, when $company gets hacked, you'll have to change the password *and* timing of how you type. Because hackers will have both.

      And what about malware? Key loggers already defeat secure passwords because they record them. And now they'll just be updated to also record the timing for your keystrokes.

      I'm not seeing a lot of benefit here - but I am seeing a lot of complexity and hassle for the users.

    3. Re:how will it know? by laurelraven · · Score: 2

      Not to mention: I don't know about you, but for me, the more frequently I use a password (especially a new one), the faster and faster I type it. What may have taken me 10-15 seconds to type when I registered may take me 2-3 seconds now after using it twice a day for a month.

      --
      RTFA is Known to the State of California to cause cancer.
  2. No, it sucks. by Johnny5000 · · Score: 2

    I had an account at a bank that did something like this.
    It sure was great fun having to type in my password 3 times because it didn't like the way I typed it.
    And forget about trying to log in from a mobile device.

    (and before you tell me to switch banks, they do have other advantages that make it worth it. Just online access is a pain in the ass.)

    --
    The libertarian solution to the failures of capitalism is to apply more capitalism til the failures are fixed.
  3. Quit posting articles w/ paywalls by xxxJonBoyxxx · · Score: 4, Insightful

    Note that the actual paper appears to be behind some crappy paywall

    Then don't post it until you find a reference w/o a paywall. Period.

  4. Alcohol test for soviet pilots by iamr00t · · Score: 3, Interesting

    I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
    You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and since there's a substantial amount of text (not just a shorter password) I guess it could work.

    Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.

    BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.

  5. Re:all it would see is ctrl+v by cdrudge · · Score: 2

    Ctrl-V is rendered useless when your bank uses flash for the login disabling Ctrl-V.

  6. Not an entirely new idea... by SirNAOF · · Score: 3, Interesting

    I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.

    It failed miserably.

    I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.

    So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.

    Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.

    I realized two things from this demo. First, it's easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to login. ...I don't think that review ever got published...

    --
    Jeremy Baumgartner
  7. One handed by WDancer · · Score: 2

    I was just thinking about this the other day when I needed to log into a computer at work while I was holding a part I wanted to look up in our system. I heard about password systems using pattern logging a while ago and thought it would be ridiculous in the real world. On a similar note, I had an uncle that retired from a workplace that had fingerprint, voiceprint, and a weight scanner to get into work. He said if you had a cold or gained or lost more than 5 pounds you had to be escorted to the security office and have your identity verified before they would let you in. Some security measures are just too odd. (A scale? WTF?)

  8. Re:Keystroke Dynamics by jc42 · · Score: 2

    I have heard it called keystroke dynamics, and as others have said it isn't too feasible for just straight-up identity verification. However, you can do a lot of cool things with KD software. Hasn't this concept been around for quite awhile?

    Yup, it has. I worked on a mainframe system back in the early 1970s whose OS provided keystroke timings to apps that wanted the info. The first use was in the login code, which used the character-pair timings to verify the user. It was actually fairly successful, and didn't have the rampant failures that many people here describe. In fact, it pretty quickly made login ids unnecessary, since the "system" could identify each user fairly quickly when they typed anything at all.

    There was a funny follow-on gimmick implemented by some guys in the organization (a university computer center): They got access to the schedule of the operators and others who worked there, and wrote a routine that compared the people typing with the schedule. One day, a fellow (call him Joe) called in sick, and another (Bill) took his slot. Soon after Bill started typing (without identifying himself), the computer came back with a comment like "Hey, Bill, you're not Joe. Joe was scheduled now, not you. What happened? Is Joe sick or something?" The staff freaked out, and some of them were afraid to type to the computer until the programmers came in and explained what they'd done.

    But most current OS's hide the timing info from user-level software, so it's not surprising that people nowadays would find that the idea doesn't work very well. To work, the code has to have access to fairly precise timing of keyboard events, and that just isn't possible with most current (commercial) computer systems. You'd have to have a Real-Time kernel for it to work at all, and any software layer that munges with the timings would kill the idea entirely.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
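
The character-pair timing check jc42 describes and the relative-timing product SirNAOF reviewed can be sketched in a few lines. The following is an added example written for this thread; it is not code from the paper, the bank, or the vendor mentioned above. The password, the key codes, the timestamps, the 20 ms variance floor, the 2 s pause cutoff and the z-score threshold are all constructed assumptions. It enrolls three typings of a password, then scores later attempts, and reproduces the failure modes raised in the thread: a typist who has sped up after a month of practice is rejected, a digit entered on the numeric keypad arrives as a different key code with no profile entry, and a long pause forces a restart. Anyone who knows the password and types at a similar cadence still passes, which is the limit SirNAOF observed.

```python
"""Toy keystroke-dynamics (character-pair timing) verifier.

Added example for this thread; not code from the paper, the bank, or the
product discussed above. Password, key codes, timings and thresholds are
constructed for illustration.
"""
from statistics import mean, pstdev

STD_FLOOR_MS = 20.0      # assumed: don't reject on millisecond jitter when enrollment variance is tiny
MAX_LATENCY_MS = 2000.0  # assumed: a longer gap counts as an interruption ("start over", as the bank did)


def digraph_latencies(keys, press_times_ms):
    """Return [((k1, k2), latency_ms), ...] for each pair of consecutive key presses."""
    if len(keys) != len(press_times_ms):
        raise ValueError("one timestamp per key press required")
    return [
        ((keys[i], keys[i + 1]), press_times_ms[i + 1] - press_times_ms[i])
        for i in range(len(keys) - 1)
    ]


def enroll(samples):
    """Build {(k1, k2): (mean_ms, std_ms)} from several typings of the same password.

    Note the profile is as sensitive as the password itself: whoever steals it
    gets the cadence along with the secret (the Anonymous Coward's point).
    """
    per_digraph = {}
    for keys, times in samples:
        for pair, lat in digraph_latencies(keys, times):
            per_digraph.setdefault(pair, []).append(lat)
    return {
        pair: (mean(lats), max(pstdev(lats), STD_FLOOR_MS))
        for pair, lats in per_digraph.items()
    }


def verify(profile, keys, press_times_ms, z_threshold=2.0):
    """Score one login attempt against the profile.

    Returns (accepted, mean_abs_z_or_None, reason). A digraph the profile has
    never seen (e.g. a keypad digit instead of a top-row digit) or a pause
    longer than MAX_LATENCY_MS rejects outright, as the bank system did.
    """
    zs = []
    for pair, lat in digraph_latencies(keys, press_times_ms):
        if lat > MAX_LATENCY_MS:
            return (False, None, f"pause of {lat:.0f} ms at {pair}; start over")
        if pair not in profile:
            return (False, None, f"digraph {pair} not in profile")
        mu, sd = profile[pair]
        zs.append(abs(lat - mu) / sd)
    score = round(mean(zs), 3)
    accepted = score <= z_threshold
    return (accepted, score, "ok" if accepted else "cadence mismatch")


# Constructed data: key codes and press times (ms) for three enrollment typings of "s3cret".
PASSWORD_KEYS = ["s", "3", "c", "r", "e", "t"]
ENROLLMENT_SAMPLES = [
    (PASSWORD_KEYS, [0, 180, 350, 560, 700, 900]),
    (PASSWORD_KEYS, [0, 200, 340, 540, 720, 920]),
    (PASSWORD_KEYS, [0, 190, 360, 550, 710, 910]),
]
PROFILE = enroll(ENROLLMENT_SAMPLES)

# Constructed login attempts reproducing the thread's scenarios.
ATTEMPTS = {
    "same cadence (genuine, or anyone who types like the victim)":
        (PASSWORD_KEYS, [0, 185, 350, 545, 715, 915]),
    "a month later, three times faster (laurelraven)":
        (PASSWORD_KEYS, [0, 60, 115, 180, 235, 300]),
    "digit typed on the numeric keypad (cdrudge)":
        (["s", "KP_3", "c", "r", "e", "t"], [0, 185, 350, 545, 715, 915]),
    "interrupted mid-password (i.r.id10t)":
        (PASSWORD_KEYS, [0, 190, 360, 3000, 3160, 3360]),
}


def run_attempts():
    """Return {label: (accepted, score, reason)} for every constructed attempt."""
    return {label: verify(PROFILE, keys, times) for label, (keys, times) in ATTEMPTS.items()}


if __name__ == "__main__":
    for label, (accepted, score, reason) in run_attempts().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  score={score}  {label}: {reason}")
```

Two things the run makes visible from a defender's side. The "same cadence" attempt passes regardless of who is at the keyboard, so the check adds nothing against a person who already has the password; and tightening `z_threshold` to catch the speed-up case only makes the legitimate user's own drift reject them sooner, which is the trade-off the bank customers in the thread ran into.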