Verifying Passwords By the Way They're Typed 140
Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.
Alcohol test for soviet pilots (Score:4, Interesting)
I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and sinc ethere's substantial amount of text (not just shorter password) I guess it could work.
Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.
BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.
Re:how will it know? (Score:5, Interesting)
It doesn't. My bank used such a service for a while before it stopped due to complaints. If you made a mistake, paused, etc you would need to start over. Backspace automatically did it for you. It was a major PITA when my wife would log in to our bank account, then I would try. It always seemed to remember her slow typing but not mine. Plus, it would reject me if I used the number pad to enter the account number because digits there were different keys apparently then the digits on the top row.
Not an entirely new idea... (Score:4, Interesting)
I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.
It failed miserably.
I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.
So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.
Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.
I realized two things from this demo. First, its easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to login. ...I don't think that review ever got published...