Verifying Passwords By the Way They're Typed
Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.
Quit posting articles w/ paywalls (Score:5, Insightful)
Note that the actual paper appears to be behind some crappy paywall
Then don't post it until you find a reference w/o a paywall. Period.
Re:how will it know? (Score:2, Insightful)
Let's see....
This would add additional complexity for users who are *already* overwhelmed by what security experts tell them to memorize. A unique username and password for every site and each password needs to be a random jumble of upper, lower, and special characters. I've got nearly 30 passwords (I have no intention of memorizing them - I can't).
Now, you want to *also* introduce the time between keystrokes? Now I've got three attempts to remember my password, type it correctly, and at the same speed as when I registered? Good luck!
What benefit does this give us? Systems using this will need to *record* the timing to compare if your timing is correct. In a perfect world, it would be secure and encrypted - but in a perfect world the same is true of your password. But we have to use different passwords because companies can't be trusted to secure the passwords we provide them. So, now, when $company gets hacked, you'll have to change the password *and* timing of how you type. Because hackers will have both.
And what about malware? Key loggers already defeat secure passwords because they record them. And now they'll just be updated to also record the timing for your keystrokes.
I'm not seeing a lot of benefit here - but I am seeing a lot of complexity and hassle for the users.