
Verifying Passwords By the Way They're Typed

Posted by CmdrTaco
from the i-feel-safer-already dept.
Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.


  • how will it know? (Score:5, Informative)

    by i.r.id10t (595143) on Thursday May 19, 2011 @10:28AM (#36178776)

    How would such a system know if I am typing on my normal keyboard vs. using an on-screen one on a tablet vs. using a coworker's "ergonomic" keyboard vs. being interrupted in the middle of typing my password by my kids?

    • It runs on intuition.

      • by Anonymous Coward

        doesn't matter if it actually works; if sales wanks can sell it to IT managerial and director dumb-asses, that's what matters.

    • by ncostigan (127923) *

      They profile the device too

    • by jo42 (227475)

      It's not just the keyboard that you are typing on, but the time of day, i.e. how tired or awake you are, etc.

      Bunch of highly educated idjits to say the least at them thar university.

      • Also what happens if you sorta remember the password and are tentatively trying to type it in?

        Wouldn't you be a little less confident while trying out the password? How would this "verify by the way you type" approach interpret this?

      • by Anonymous Coward

        It's not just the keyboard that you are typing on, but the time of day, i.e. how tired or awake you are, etc.

        Bunch of highly educated idjits to say the least at them thar university.

        Imagine when an admin has to change your password: Your new password is Y(eRx!! and you have to type it to the rhythm of "shave and a haircut".

      • by kamathln (1220102)

        It's not just the keyboard that you are typing on, but the time of day, i.e. how tired or awake you are, etc.

        Yeah. I remember not publicizing my very old VB Course project, which was "password typing pattern matcher" for exactly this reason.

        • by kamathln (1220102)

          And for all you know a keyboard snooper could easily track your pattern and play it back later.

    • Re:how will it know? (Score:5, Interesting)

      by cdrudge (68377) on Thursday May 19, 2011 @11:27AM (#36179642) Homepage

      It doesn't. My bank used such a service for a while before it stopped due to complaints. If you made a mistake, paused, etc. you would need to start over. Backspace automatically did it for you. It was a major PITA when my wife would log in to our bank account, then I would try. It always seemed to remember her slow typing but not mine. Plus, it would reject me if I used the number pad to enter the account number because digits there were apparently different keys than the digits on the top row.

    • by AmiMoJo (196126)

      I suffer from arthritis so my typing speed varies. Similarly I find it hard to verify credit card transactions with a signature because mine varies quite a bit with how stiff my hands are feeling.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Let's see....

      This would add additional complexity for users who are *already* overwhelmed by what security experts tell them to memorize. A unique username and password for every site and each password needs to be a random jumble of upper, lower, and special characters. I've got nearly 30 passwords (I have no intention of memorizing them - I can't).

      Now, you want to *also* introduce the time between keystrokes? Now I've got three attempts to remember my password, type it correctly, and at the same speed a

      • Not to mention: I don't know about you, but for me, the more frequently I use a password (especially a new one), the faster and faster I type it. What may have taken me 10-15 seconds to type when I registered may take me 2-3 seconds now after using it twice a day for a month.
      • No, there will not be added complexity for the user. The system will record how you type and you can type in your normal manner. Actually reduced complexity as you can now use the same password everywhere because it is proven that your way of typing cannot be copied, so it does not matter if people know your password. This also means that the information actually does not need to be encrypted, as you need to have for a normal password. It is only adding extra security.
    • Also, the temperature of your hands affects both typing speed and number of typos... and how awake you are does too.

      And the worst thing is: if someone's keylogging your system, they'll have the pauses as well as the exact sequence you used, and can just replay it. So the system causes issues for legitimate users, while only stopping the most casual attempts at unauthorized access (for which a regular 12-16 character passphrase is usually enough in the first place).

    • by houghi (78078)

      I use different types of keyboard. Qwerty and Azerty are the most common ones. I also have a Happy Hacker keyboard without the numeric keypad, while at work I do have it, so numbers are entered differently.

      Sometimes I sit at a table and other times I am lying on the couch, which alters the way I type, so it is different again.

      The main problem I have with passwords and logins is that there are way too many of them. Many places (especially work related) will give me a login, instead of letting me select one. A

  • We tested this out a year or two ago, even after repeated 'learning' processes the software still required the user to answer security questions because they failed to match the last learned sequence. The only people that thought it worked well were the people that had done the learning procedure but the validation wasn't turned on for their account.
    • by MDMurphy (208495)

      Alternate keyboards can be an issue with passwords as they are used now. I have some longish ones that I never get wrong on the laptop, but fumble with on the phone. Some level of muscle memory kicks in on the full keyboard that's absent on the touch screen.

      The description in the article might be useful, but only if the entry device is static. A numeric keypad for a door entry might work, or the keyboard attached to a specific machine, like with a laptop. But a password used for access to a remote syste

    • I was forced into using this system while taking my drivers ed online, and I can testify to its crappy recognition. I think once, just once, did it recognize me, despite using the same pattern each time. I eventually gave up and just moved through the lessons without bothering with the verification, which thankfully was possible.
  • by Johnny5000 (451029) on Thursday May 19, 2011 @10:31AM (#36178822) Homepage Journal

    I had an account at a bank that did something like this.
    It sure was great fun having to type in my password 3 times because it didn't like the way I typed it.
    And forget about trying to log-in from a mobile device.

    (and before you tell me to switch banks, they do have other advantages that make it worth it. Just online-access is a pain-in-the-ass.)

    • There's no reason that a system using this type of authentication should also grant access via mobile device in the first place.
      • You claim that a system using this type of authentication should not grant access via mobile device. However, people using mobile devices still demand access to services that the system provides. Should one solve the problem by creating a separate system for mobile devices that provides the same functionality as the main system? If so, what kind of authentication should such a system use?
        • I imagine the type of system that needs to verify how a user enters the password contains enough sensitive information that mobile access would be restricted if not abolished completely. Any system where the users demand and have a valid need for mobile access (banking, email, etc) has no business implementing this type of authentication.
  • by Anonymous Coward
    If your wife tries to log in, or if you break your finger playing football, you're screwed. Why can't we just implement some real security without gimmicks?
  • by xxxJonBoyxxx (565205) on Thursday May 19, 2011 @10:35AM (#36178864)

    Note that the actual paper appears to be behind some crappy paywall

    Then don't post it until you find a reference w/o a paywall. Period.

  • I remember this topic coming up on /. about eight years ago or so... it's a nifty idea; but it'll go nowhere. Can't find the link right now as search seems busted, actually, /. seems off today.
  • "American University of Beirut, Lebanon"

    This is rather confusing to me.

    • by _0xd0ad (1974778)

      Here you go. [aub.edu.lb]

      Founded in 1866, the American University of Beirut bases its educational philosophy, standards, and practices on the American liberal arts model of higher education. ... [it] was granted institutional accreditation in June 2004 by the Commission on Higher Education of the Middle States Association of Colleges and Schools in the United States ... The language of instruction is English (except for courses in the Arabic Department and other language courses).

    • It is not uncommon--particularly in the developing world--to label universities with credibility building notions such as "American." They typically have a structure resembling an "American/Western" college and many have sought/received accreditation from an American/western accreditation board.
      • It is not uncommon--particularly in the developing world--to label universities with credibility building notions such as "American." They typically have a structure resembling an "American/Western" college

        Then "American Style University of Beirut" would be more honest. In fact, given what I've read about the rise of "protected designations of origin", this naming practice might even become illegal in some parts of the world, just as only one region's sparkling wine can be called CHAMPAGNE® in the EU.

  • IIRC the keyboards of the day did not have precise enough timing for it to be very workable, and there wasn't enough fancy pattern matching software to figure out how to make use of any 'personalized' quirks in typing patterns.

    plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that

    I think the main difference nowadays is some idiot will try to patent it and sue

    • I wrote a simple prototype for this back in the '90s, and submitted a marginally upgraded version as coursework circa 2002. In hindsight it's not a terribly useful system; it defends against shoulder surfing and not much else. My feeling back then was that a scheme such as this would be useful for ATMs, but given the sophisticated camera + card scanner attacks being employed today, I doubt it'd be much use.
    • Already patents out for some years on this topic as well as commercial products. Nothing new, at least not as long as the document on what they did is not freely available. Hiding some information does not make it better.
  • I don't even know what my passwords are, I copy and paste them out of keypass.
    So i guess it would work really well for me!

    • by cdrudge (68377)

      Ctrl-V is rendered useless when your bank uses flash for the login disabling Ctrl-V.

      • by tepples (727027)
        Adobe Flash is rendered useless when account holders who own an iPhone or iPad take their business to a competitor.
  • My password manager types my password the same way every time.
  • or that splinter in your finger, otherwise you could end up getting locked out of your accounts for a while. This dead-end idea sounds a little like voice recognition: fine 'til you catch a cold.
  • I can't type the sound of my voice.
  • Arthritis? Can't log in. Too much caffeine? Can't log in. Too little? Can't...

  • you have to type it to the rhythm of 'shave and a haircut...' :-P
  • by iamr00t (453048) on Thursday May 19, 2011 @10:49AM (#36179008) Journal

    I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
    You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and since there's a substantial amount of text (not just a shorter password) I guess it could work.

    Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.

    BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.

  • Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.

    • by wandazulu (265281)

      Funny...I was just going to post this, but thanks for reminding me of the name. As I recall, it was a short story (I want to say I read it in Life, of all places), about a "hot shot" programmer who ignores another, older, programmer who wants to show him this cool new tech he's been working on. Suffice to say the hot-shot programmer gets seduced into selling the company secrets and, this is the part I remember most vividly, does it in a motel room, using a modem, and while he's waiting wanders down the hall

    • Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.

      Before that, morse code operators could identify each other by their "fist" - the unique way they typed the code on the morse key.

    • by jnaujok (804613)
      Dang it, I was going to bring this up too. I remember that (might even still have the magazine deep in the basement box archives) and that I coded it on an IBM clone back in the mid eighties and it was reasonably effective. The program just timed the gaps between keypresses and looked for a match within a few percentage points. It was surprisingly effective at locking out different people, with only a few false negatives when I would type the correct version.

      The original story was printed in the July 1984
  • The paper dates back to 2009. I can't get it through my university library, so the journal is clearly very obscure. A key logger can log this information, and replay the recorded events to precisely mimic the rhythm of the original typing. It's hard to see how you get around this. It might be protective against shoulder-surfing, although I'd take some convincing that you can get the discrimination right without introducing a lot of false alarms, but it won't provide any protection at all against network
    • In any case it will be better than "just a PW". All the attacks to which this new system is vulnerable also hold for the usual username/password systems. But as you say, it will protect against some attacks like shoulder-surfing. But as long as we have no details, we cannot comment on it.
  • My laptop has a fingerprint scanner. Works well enough that I usually try that first, but it fails enough that I still log in via password relatively often.

    Being a laptop, and I being a total freak, I often use my laptop in... unusual positions. Seriously, I once used it, standing on my head (leaning against a wall), holding it with one hand and typing with another. Good way to stretch without having to take a break from the Internet.

    Anyways, part of that involves logging in, say, one-handed. Or with t
  • This is old research. I haven't read the article so they might be using a new technique, but computer scientists have been looking at this for years. The success rate is reasonably good if I remember correctly too. I think it is mostly based on time between specific key presses. I would also think this would work better when someone is 'out-of-it' as a result of just waking up, or being drunk, and your typing is more muscle memory than thinking.
  • Oh wow so when the weather is cold I won't be able to log in because of my cold stiff fingers that type at a fraction of the speed, possibly with increased mistakes because the up-down movement comes quicker than the left-right movement? What if I come home drunk and feel the need to post a social networking message that I'll read the next morning in horror? Wait, I guess that won't be a bad thing, increased mistake level will block me out. Winner!
  • measure how you play a game... if you make smart choices in the game, you are probably too smart to give your credit card to Sony, and therefore are not the actual account holder..
  • I remember back in those old BBS days where they had DOS based BBS software where when someone logged into your BBS you had a near mirror image of what the user was doing. So while they typed their password you saw their password echoed to the Sysop screen in real time. For small BBSs a SysOp knew if the user was who they said just by watching them login. You knew by the way they typed if it was them or not.

  • Does anyone else make up passwords based on a shape or pattern on a keyboard? I got in that habit years ago; remembering them is more "muscle memory" than anything. Half of the time I couldn't even tell you what the actual letters are but can remember that it's a tree shape or fish shape, etc.

  • Here's a paper on the same subject from 18 years ago, and that was just the first result I found on google scholar!

    http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=256563 [ieee.org]

    Obviously, there have been advances since then but this certainly isn't a new idea by any stretch of the imagination.

  • So what happens when I injure a hand working on the car or something and have to do my keyboarding with only my right or only my left? I can't log in?

    • by tepples (727027)

      So what happens when I injure a hand working on the car

      Have your doctor notify the service provider of this.

  • ...my password manager should fill the buffer at the same rate every time.

  • This is old news: It's already been monetized by Gordon Ross's company: http://www.biopassword.com/keystroke_dynamics_advantages.asp [biopassword.com] - I had a chance to use this system back in 2004 and it was pretty cool. When the system is learning your password initially, you type it a handful of times so that it can average times between keystrokes. You can type "normal" or you can type at an abnormal rhythm. Your choice. Here are some other papers published a long time ago... http://portal.acm.org/citation.cfm?i [acm.org]
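    The enrolment and matching that the BioPassword and MouseTrap comments above describe (average the inter-key gaps over a handful of typings, then accept an attempt whose gaps match within a few percent), as an added Python illustration written for this thread rather than code from the paper or either product. The tolerance rule and the millisecond timings are constructed; the cases show the false reject from slower typing and the keylogger replay that several posters raise.

```python
from statistics import mean, pstdev


def gaps(timestamps_ms):
    """Inter-key gaps (ms) between consecutive key-down timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def stamps(gap_list, start=0):
    """Constructed helper: turn a gap list back into key-down timestamps."""
    out = [start]
    for g in gap_list:
        out.append(out[-1] + g)
    return out


def enroll(samples_ms):
    """Profile from several typings of the same password: per-gap mean and
    standard deviation (enrolment by averaging a handful of typings, as the
    BioPassword comment describes).  The 1 ms floor on sd is an assumption."""
    gap_sets = [gaps(s) for s in samples_ms]
    if len({len(g) for g in gap_sets}) != 1:
        raise ValueError("all enrolment samples must have the same length")
    cols = list(zip(*gap_sets))
    return {"mean": [mean(c) for c in cols],
            "sd": [max(pstdev(c), 1.0) for c in cols]}


def verify(profile, attempt_ms, tolerance=0.25, max_sd=3.0):
    """Accept only if every gap lies within `tolerance` (relative) of the
    enrolled mean, or within `max_sd` standard deviations of it: a
    'match within a few percentage points' rule.  Both limits are assumed."""
    g = gaps(attempt_ms)
    if len(g) != len(profile["mean"]):
        return False
    return all(abs(got - mu) <= max(tolerance * mu, max_sd * sd)
               for got, mu, sd in zip(g, profile["mean"], profile["sd"]))


# Constructed sample data: the account owner types a six-character password
# four times; the gaps vary by a few milliseconds from one typing to the next.
OWNER_SAMPLES = [stamps(g) for g in (
    [120, 200, 90, 150, 110],
    [125, 195, 95, 145, 115],
    [118, 205, 88, 155, 108],
    [122, 198, 92, 148, 112],
)]
PROFILE = enroll(OWNER_SAMPLES)

# Someone else who knows the password but types it at an even cadence.
IMPOSTOR = stamps([140, 140, 140, 140, 140])
# The owner on a cold morning: every gap roughly 60% longer (the cold-hands
# and arthritis complaints in the thread).
OWNER_SLOW = stamps([190, 320, 145, 240, 175])
# A keylogger capture of the owner's first enrolment typing, replayed with
# its original timings.
REPLAY = OWNER_SAMPLES[0]


def demo():
    """Outcome of each attempt against the enrolled profile."""
    return {"owner":      verify(PROFILE, OWNER_SAMPLES[1]),  # accepted
            "impostor":   verify(PROFILE, IMPOSTOR),          # rejected
            "owner_slow": verify(PROFILE, OWNER_SLOW),        # false reject
            "replay":     verify(PROFILE, REPLAY)}            # accepted


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}")
```

    The replay case is the point cdrudge-style complaints and the keylogger posts make together: the timing profile adds nothing against an attacker who captured the keystrokes, while it rejects the legitimate user whose rhythm drifted.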
  • I keep wanting a password input that works off a keycode stream, not a string.

    That way your password could include deletions, modifier keys, and other unusual combinations. It sounds less fragile than this approach, although it might be interesting on devices with different keyboard layouts.

  • I read about this over 10 years ago. It was the same time hand writing recognition was supposed to turn Palms into ultra-secure password verifiers, and someone said "Hey, we can do that with typing too!". It went nowhere. Anyone got a link to the old research?

    This also sounds like the old program to allow the NSA to identify anonymous blog writers. But instead of typing patterns, it used words already typed patterns.

    But still, this is OLD tech. Nothing new to see, move along.

  • by SirNAOF (142265) on Thursday May 19, 2011 @11:49AM (#36180006)

    I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.

    It failed miserably.

    I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.

    So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.

    Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.

    I realized two things from this demo. First, it's easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to login. ...I don't think that review ever got published...

  • I was just thinking about this the other day when I needed to log into a computer at work while I was holding a part I wanted to look up in our system. I heard about password systems using pattern logging a while ago and thought it would be ridiculous in the real world. On a similar note, I had an uncle that retired from a workplace that had fingerprint, voiceprint, and a weight scanner to get into work. He said if you had a cold or gained or lost more than 5 pounds you had to be escorted to the security
  • Seriously? ... Let me be the first to welcome you to the world of academic journals.

  • I remember reading a story about this back around the time I first created my slashdot account some 13+ years ago. I remember people saying it was a nice idea but in practice it was unworkable for various obvious reasons including hand injuries, differing keyboards, and environmental distractions.
  • ... as most of them are made when I'm drunk...

  • by AJH16 (940784)

    I read about this years ago. How is this news? It's a cool idea that I find works well in some situations, but you wouldn't want to use it everywhere. I do think it is a cool technology though.

  • This gives "forgot password" a whole new meaning. "Oops, now which password did I use for this site again? And with what rhythm did I type it?"
  • 18 years ago, I wrote a DOS-based keyboard lock intercept that used keydown/keyup in addition to keypress. Current password schemes use the sequence of keypresses only. Mine captured when a key was depressed and when it was released, such that you could have a passcode consisting of:
    Depress H
    Depress E
    Release E
    Depress L
    Release H
    Release L
    Depress L
    Depress O
    Release L
    Release O

    This sequence spells out the word HELLO, but is somewhat more secure than HELLO at the console as it also requires the press/release to
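    An added Python illustration of the press/release passcode just described, written for this thread rather than taken from that DOS intercept; the event tuples are an assumed encoding of what a keydown/keyup hook would deliver.

```python
# The thread's example passcode: the letters of HELLO, but with the second
# L pressed before H is released.  (Event tuples are an assumed encoding.)
PASSCODE = [
    ("down", "H"), ("down", "E"), ("up", "E"), ("down", "L"),
    ("up", "H"), ("up", "L"), ("down", "L"), ("down", "O"),
    ("up", "L"), ("up", "O"),
]


def key_string(events):
    """What a conventional string password check sees: key-down order only."""
    return "".join(k for kind, k in events if kind == "down")


def typed_normally(text):
    """Event stream for text typed one key at a time (press, then release)."""
    events = []
    for ch in text:
        events += [("down", ch), ("up", ch)]
    return events


def well_formed(events):
    """A physical keyboard cannot release a key that is not held or press
    a key that is already held; reject such streams before comparing."""
    held = set()
    for kind, k in events:
        if kind == "down" and k not in held:
            held.add(k)
        elif kind == "up" and k in held:
            held.remove(k)
        else:
            return False
    return not held  # every key released by the end of the passcode


def check_event_passcode(events, passcode=PASSCODE):
    """Verify the exact press/release sequence, not just the spelled word."""
    return well_formed(events) and list(events) == list(passcode)


def demo():
    """The string view of both streams is HELLO; only the event check
    tells the overlapping sequence apart from plain typing."""
    normal = typed_normally("HELLO")
    return {
        "string_check_sees_same_word": key_string(normal) == key_string(PASSCODE),
        "normal_typing_accepted": check_event_passcode(normal),
        "exact_sequence_accepted": check_event_passcode(PASSCODE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```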

  • Guys, this, as others have already asserted, is very old tech. It goes back to days of Morse code use in the military. Morse operators could authenticate another sender's identity (or whether he was sending his message under duress and potentially compromised) by what was called his "fist", or the rhythm of the transmission. Notably, Imprivata made an effort a couple of years ago to monetize this approach, but it is as many have pointed out fraught with multiple issues depending on how you enter and/or mana
  • This specific idea was written up in an academic paper more than a decade ago http://www.veniceconsulting.com/docs/ryan.intrusion.pdf [veniceconsulting.com].
  • I remember seeing a demo of such a system in a trade show back in the 1980s. The password was written on a piece of cardboard and placed prominently by the PC, and visitors were encouraged to try to enter it successfully. None could, even when we mimicked the typing speed and characteristics of the guy who was giving the demo.
  • This would be awesome if they could get it perfect, but it's impossible. There are too many variables that would change the pattern and it would just get annoying. Sure, you could eventually get it right, but users would just get fed up and would rather just use a longer more cryptic password than deal with starting over each time.
  • There has been commercial software for this for quite some time, for example see Authenware [authenware.com].

    It's probably already patented.
