Slashdot: News for Nerds


Verifying Passwords By the Way They're Typed

CmdrTaco posted more than 3 years ago | from the i-feel-safer-already dept.

Security 140

Zothecula writes "There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it (abstract)." Note that the actual paper appears to be behind some crappy paywall: hopefully the research exists elsewhere on-line.


140 comments

Passwords (0)

Anonymous Coward | more than 3 years ago | (#36178752)

Yeah, this will work when you're drunk. Or just woken up. Or when your hands just feel different.

Re:Passwords (0)

Anonymous Coward | more than 3 years ago | (#36180312)

or when you're at the phone and type with one hand only. or when you're on a mini laptop if you use a desktop and vice versa. or when you type in bad light (both dark and over lit). or when you sneeze.

Is this a new slashdot business model (1)

CPTreese (2114124) | more than 3 years ago | (#36178760)

put an interesting article behind a paywall, collect the kickbacks

Re:Is this a new slashdot business model - 30 Eu! (1)

rjune (123157) | more than 3 years ago | (#36179338)

Crappy does not describe this. The price of the paper is 30 Euros! (I didn't buy it, if I had I would be posting as AC) Who is going to pay that kind of money based on the posted abstract?

Re:Is this a new slashdot business model - 30 Eu! (1)

somersault (912633) | more than 3 years ago | (#36179624)

Who is going to pay that kind of money based on the posted abstract?

Malware authors working for organised crime? :)

Re:Is this a new slashdot business model (1)

clang_jangle (975789) | more than 3 years ago | (#36179832)

So we've gone from slashvertisements to just outright assisting scammers, Taco? Wonder what took you so long...

Re:Is this a new slashdot business model (1)

laurelraven (1539557) | more than 3 years ago | (#36181470)

Look at it this way: we now all have a really good excuse why we didn't RTFA.

how will it know? (5, Informative)

i.r.id10t (595143) | more than 3 years ago | (#36178776)

How would such a system know if I am typing on my normal keyboard vs. using an on-screen one on a tablet vs. using a coworkers "ergonomic" keyboard vs. being interrupted in the middle of typing my password by my kids?

Re:how will it know? (1)

DamageLabs (980310) | more than 3 years ago | (#36178852)

It runs on intuition.

Re:how will it know? (1)

Anonymous Coward | more than 3 years ago | (#36179382)

doesn't matter if it actually works; if sales wanks can sell it to IT managerial and director dumb-asses, that's what matters.

Re:how will it know? (1)

ncostigan (127923) | more than 3 years ago | (#36179196)

They profile the device too

Re:how will it know? (1)

jo42 (227475) | more than 3 years ago | (#36179626)

It's not just the keyboard that you are typing on, but the time of day, i.e. how tired or awake you are, etc.

Bunch of highly educated idjits to say the least at them thar university.

Re:how will it know? (1)

man_the_king (1139561) | more than 3 years ago | (#36180296)

Also what happens if you sorta remember the password and are tentatively trying to type it in?

Wouldn't you be a little less confident while trying out the password? How would this "verify by the way you type" approach interpret this?

Re:how will it know? (1)

Anonymous Coward | more than 3 years ago | (#36181220)

It's not just the keyboard that you are typing on, but the time of day, i.e. how tired or awake you are, etc.

Bunch of highly educated idjits to say the least at them thar university.

Imagine when an admin has to change your password: Your new password is Y(eRx!! and you have to type it to the rhythm of "shave and a haircut".

Re:how will it know? (5, Interesting)

cdrudge (68377) | more than 3 years ago | (#36179642)

It doesn't. My bank used such a service for a while before it stopped due to complaints. If you made a mistake, paused, etc. you would need to start over. Backspace automatically did it for you. It was a major PITA when my wife would log in to our bank account, then I would try. It always seemed to remember her slow typing but not mine. Plus, it would reject me if I used the number pad to enter the account number because digits there were apparently different keys than the digits on the top row.

Re:how will it know? (1)

AmiMoJo (196126) | more than 3 years ago | (#36179690)

I suffer from arthritis so my typing speed varies. Similarly I find it hard to verify credit card transactions with a signature because mine varies quite a bit with how stiff my hands are feeling.

Re:how will it know? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36179978)

Let's see....

This would add additional complexity for users who are *already* overwhelmed by what security experts tell them to memorize. A unique username and password for every site and each password needs to be a random jumble of upper, lower, and special characters. I've got nearly 30 passwords (I have no intention of memorizing them - I can't).

Now, you want to *also* introduce the time between keystrokes? Now I've got three attempts to remember my password, type it correctly, and at the same speed as when I registered? Good luck!

What benefit does this give us? Systems using this will need to *record* the timing to compare if your timing is correct. In a perfect world, it would be secure and encrypted - but in a perfect world the same is true of your password. But we have to use different passwords because companies can't be trusted to secure the passwords we provide them. So, now, when $company gets hacked, you'll have to change the password *and* timing of how you type. Because hackers will have both.

And what about malware? Key loggers already defeat secure passwords because they record them. And now they'll just be updated to also record the timing for your keystrokes.

I'm not seeing a lot of benefit here - but I am seeing a lot of complexity and hassle for the users.

Re:how will it know? (1)

Em Adespoton (792954) | more than 3 years ago | (#36181272)

Also, the temperature of your hands affects both typing speed and number of typos... and how awake you are does too.

And the worst thing is: if someone's keylogging your system, they'll have the pauses as well as the exact sequence you used, and can just replay it. So the system causes issues for legitimate users, while only stopping the most casual attempts at unauthorized access (for which a regular 12-16 character passphrase is usually enough in the first place).

Tried this already (1)

InsanePacoTaco (1293252) | more than 3 years ago | (#36178808)

We tested this out a year or two ago, even after repeated 'learning' processes the software still required the user to answer security questions because they failed to match the last learned sequence. The only people that thought it worked well were the people that had done the learning procedure but the validation wasn't turned on for their account.

Re:Tried this already (1)

MDMurphy (208495) | more than 3 years ago | (#36178942)

Alternate keyboards can be an issue with passwords as they are used now. I have some longish ones that I never get wrong on the laptop, but fumble with on the phone. Some level of muscle memory kicks in on the full keyboard that's absent on the touch screen.

The description in the article might be useful, but only if the entry device is static. A numeric keypad for a door entry might work, or the keyboard attached to a specific machine, like with a laptop. But a password used for access to a remote system will be entered differently depending on the access method.

Perhaps there could be a method for linking the "how they are typed" to a particular access devices. Attempting to enter a password from an unrecognized device might necessitate additional screening, similar to what my bank does if I access my account from a computer I haven't previously used.

Of course there's still the whole "save passwords" or cut and pasting of a lengthy passwords to deal with.

Re:Tried this already (-1)

Anonymous Coward | more than 3 years ago | (#36179872)

> Alternate keyboards can be an issue with passwords as they are used now. I

Alternating keyboards seems like an unusual thing to do. Do you keep a log of which one you last used?

Oh, you meant alternative keyboards.

Re:Tried this already (1)

MokuMokuRyoushi (1701196) | more than 3 years ago | (#36178970)

I was forced into using this system while taking my drivers ed online, and I can testify to its crappy recognition. I think once, just once, did it recognize me, despite using the same pattern each time. I eventually gave up and just moved through the lessons without bothering with the verification, which thankfully was possible.

No, it sucks. (2)

Johnny5000 (451029) | more than 3 years ago | (#36178822)

I had an account at a bank that did something like this.
It sure was great fun having to type in my password 3 times because it didn't like the way I typed it.
And forget about trying to log-in from a mobile device.

(and before you tell me to switch banks, they do have other advantages that make it worth it. Just online-access is a pain-in-the-ass.)

Re:No, it sucks. (1)

chemicaldave (1776600) | more than 3 years ago | (#36178948)

There's no reason that a system using this type of authentication should also grant access via mobile device in the first place.

A parallel system for mobile devices (1)

tepples (727027) | more than 3 years ago | (#36181402)

You claim that a system using this type of authentication should not grant access via mobile device. However, people using mobile devices still demand access to services that the system provides. Should one solve the problem by creating a separate system for mobile devices that provides the same functionality as the main system? If so, what kind of authentication should such a system use?

already out there (0)

Anonymous Coward | more than 3 years ago | (#36178828)

My credit union already does this. Keeps me from copy-n-pasting my password. I actually have to type it.

From the credit union:
"The safety and security of your private information is our highest priority. That's why we're always looking for innovative ways to strengthen the security of your Online Banking experience. Recently, we’ve added a new layer of Online Banking security. This new feature uses a combination of your username, password and biometrics to verify your identity.

By definition, biometrics is the measurement of physical characteristics to verify your identity. Essentially, this new feature measures the rhythm at which you type your password to verify your identity. It does not keep track of your actual password, it simply recognizes the rhythm in which you type it. Since each person has a unique typing rhythm, this feature provides you an additional layer of security. "

"It does not keep track of your actual password" (1)

decora (1710862) | more than 3 years ago | (#36178906)

neither does any other system created since the 1970s. they all store the passwords as hashes

Re:"It does not keep track of your actual password (-1)

Anonymous Coward | more than 3 years ago | (#36179184)

Except Sony!

Re:"It does not keep track of your actual password (1)

man_the_king (1139561) | more than 3 years ago | (#36180452)

Not true - Sony hashed the passwords; but never let facts get in the way of an anti-Sony zealot, right?

Great. (1)

Anonymous Coward | more than 3 years ago | (#36178832)

If your wife tries to log in, or if you break your finger playing football, you're screwed. Why can't we just implement some real security without gimmicks.

Re:Great. (0)

Anonymous Coward | more than 3 years ago | (#36180520)

Why? Because you can't fix stupid.

It better detect CTRL-V (0)

Anonymous Coward | more than 3 years ago | (#36178846)

Because that's how i enter mine most of the time.

Re:It better detect CTRL-V (1)

linuxgeek64 (1246964) | more than 3 years ago | (#36179032)

Why would anyone enter a password with copy and paste?

1) Just typing the password is far easier
2) If you'd have to copy and paste it, you'd have to have it in a text file
3) Storing that text file unencrypted would be incredibly stupid
4) What's the point of encrypting it when you'd have to enter a password to get to it?

o______o

Re:It better detect CTRL-V (1)

Anonymous Coward | more than 3 years ago | (#36179432)

1) Just typing the password is far easier

Not if it's a good strong password and you only use it in one place, which means you have a lot of passwords.

2) If you'd have to copy and paste it, you'd have to have it in a text file

Not necessarily. It could be a salted hash that's regenerated when it's needed.

3) Storing that text file unencrypted would be incredibly stupid

That depends on who has physical access to the text file. Contrary to popular belief, a sticky note pasted to the monitor is actually quite secure against Chinese hackers, though you still have to worry about the cleaning staff because they have physical access.

4) What's the point of encrypting it when you'd have to enter a password to get to it?

At least then your master password still requires physical access to the encrypted file to be useful. Whereas if you use the same password on a bunch of different sites, any one being compromised basically compromises all of them. Is it more likely that your account on a single site be compromised than it is for someone to gain access to the master password file and break the master password on it? I'd say it is.

Re:It better detect CTRL-V (1)

thomasdz (178114) | more than 3 years ago | (#36179622)

linuxgeek64 asks:

Why would anyone enter a password with copy and paste?
1) Just typing the password is far easier
2) If you'd have to copy and paste it, you'd have to have it in a text file
3) Storing that text file unencrypted would be incredibly stupid
4) What's the point of encrypting it when you'd have to enter a password to get to it?

There are these things called "Password Safes" which can hold many many MANY passwords... long passwords... secure passwords... passwords to servers or routers that I log into once a year... Password safes keeps the contents encrypted and many work via copy-and-paste... you double-click on the server name, the password safe puts the password in your clipboard and then you move focus to your SSH session to your router...hit control-V and log in

Re:It better detect CTRL-V (1)

Nethemas the Great (909900) | more than 3 years ago | (#36180774)

I find it highly unlikely that your "safe" is air-walled in a physically secure location. So... what if someone manages to obtain your safe's password? Your plethora of uber strong passwords is effectively just one password.

These password vaults/safes are nothing but another convenience tool sold to people with poor judgement that are continually finding ways to skirt the protection measures put in place to protect theirs and their company's butt from malware and various other forms of security breaches.

Re:It better detect CTRL-V (1)

thomasdz (178114) | more than 3 years ago | (#36181244)

yeah, you're right... better go back to a text file with all passwords in it. because security is binary...all in or all out
you have a lot to learn, bub

language (-1)

Anonymous Coward | more than 3 years ago | (#36178850)

Using the adjective "crappy" to describe an undesirable object is not the habit of the professional writer.

Already existed during the DOS period... (0)

Anonymous Coward | more than 3 years ago | (#36178858)

What's with all the re-inventions as of late?

These kinds of programs already existed back in the DOS days. They not only picked up the password itself but also the timing which it took to type it in, thus making it somewhat 'personalized'.

Slow typists couldn't match the password of the faster ones and so on.

Quit posting articles w/ paywalls (4, Insightful)

xxxJonBoyxxx (565205) | more than 3 years ago | (#36178864)

Note that the actual paper appears to be behind some crappy paywall

Then don't post it until you find a reference w/o a paywall. Period.

Re:Quit posting articles w/ paywalls (0)

Anonymous Coward | more than 3 years ago | (#36180900)

maybe some people already pay for the paywall, or do not mind doing so.
only the vocal freetard linux kiddies think that all content should be free.

Well duh (0)

Anonymous Coward | more than 3 years ago | (#36178868)

Of course there aren't any passwords that are totally secure; if you want totally secure passwords you have to take out the human element altogether.

Re:Well duh (1)

Tobenisstinky (853306) | more than 3 years ago | (#36178904)

Are you saying I need to teach my dog to type my password then?

Re:Well duh (0)

Anonymous Coward | more than 3 years ago | (#36179448)

Are you saying I need to teach my dog to type my password then?

Sure why not? Newspaper, slippers, password easy enough.

This was tried years ago... (1)

bhsx (458600) | more than 3 years ago | (#36178870)

I remember this topic coming up on /. about eight years ago or so... it's a nifty idea; but it'll go nowhere. Can't find the link right now as search seems busted, actually, /. seems off today.

Re:This was tried years ago... (0)

Anonymous Coward | more than 3 years ago | (#36179516)

I know the one you're on about: http://portal.acm.org/citation.cfm?id=266434

Hmmm (1)

Haedrian (1676506) | more than 3 years ago | (#36178876)

"American University of Beirut, Lebanon"

This is rather confusing to me.

Re:Hmmm (1)

_0xd0ad (1974778) | more than 3 years ago | (#36178914)

Here you go. [aub.edu.lb]

Founded in 1866, the American University of Beirut bases its educational philosophy, standards, and practices on the American liberal arts model of higher education. ... [it] was granted institutional accreditation in June 2004 by the Commission on Higher Education of the Middle States Association of Colleges and Schools in the United States ... The language of instruction is English (except for courses in the Arabic Department and other language courses).

Re:Hmmm (1)

Nethemas the Great (909900) | more than 3 years ago | (#36180912)

It is not uncommon--particularly in the developing world--to label universities with credibility building notions such as "American." They typically have a structure resembling an "American/Western" college and many have sought/received accreditation from an American/western accreditation board.

Just as Korbel wine is not Champagne (1)

tepples (727027) | more than 3 years ago | (#36181512)

It is not uncommon--particularly in the developing world--to label universities with credibility building notions such as "American." They typically have a structure resembling an "American/Western" college

Then "American Style University of Beirut" would be more honest. In fact, given what I've read about the rise of "protected designations of origin", this naming practice might even become illegal in some parts of the world, just as only one region's sparkling wine can be called CHAMPAGNE® in the EU.

Keystroke Dynamics (0)

Anonymous Coward | more than 3 years ago | (#36178878)

I have heard it called keystroke dynamics, and as others have said it isn't too feasible for just straight-up identify verification. However, you can do a lot of cool things with KD software. Hasn't this concept been around for quite awhile?

yes. it exists online in the 'ashbin of the 90s' (1)

decora (1710862) | more than 3 years ago | (#36178888)

IIRC the keyboards of the day did not have precise enough timing for it to be very workable, and there wasn't enough fancy pattern matching software to figure out how to make use of any 'personalized' quirks in typing patterns.

plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that

i think the main difference nowadays is some idiot will try to patent it and sue

Re:yes. it exists online in the 'ashbin of the 90s (0)

Anonymous Coward | more than 3 years ago | (#36179710)

plus, if you ever had a bad headache or were slightly intoxicated or tired, it could throw off the whole thing if you 'lock people out' based on weird criteria like that

The trick is to have a headache, be intoxicated AND tired when the system learns your typing pattern.

More prior art (1)

Soulshift (1044432) | more than 3 years ago | (#36179952)

I wrote a simple prototype for this back in the '90s, and submitted a marginally upgraded version as coursework circa 2002. On hindsight it's not a terribly useful system, it defends against shoulder surfing and not much else. My feeling back then was that a scheme such as this would be useful for ATMs, but given the sophisticated camera + card scanner attacks being employed today, I doubt it'd be much use.

all it would see is ctrl+v (1)

agent_blue (413772) | more than 3 years ago | (#36178916)

I don't even know what my passwords are, I copy and paste them out of keypass.
So i guess it would work really well for me!

Re:all it would see is ctrl+v (2)

cdrudge (68377) | more than 3 years ago | (#36179584)

Ctrl-V is rendered useless when your bank uses flash for the login disabling Ctrl-V.

Re:all it would see is ctrl+v (1)

tepples (727027) | more than 3 years ago | (#36181528)

Adobe Flash is rendered useless when account holders who own an iPhone or iPad take their business to a competitor.

Useless. (1)

VortexCortex (1117377) | more than 3 years ago | (#36178922)

My password manager types my password the same way every time.

Hope that paper-cut heals quickly (1)

petes_PoV (912422) | more than 3 years ago | (#36178940)

or that splinter in your finger, otherwise you could end up getting locked out of your accounts for a while. This dead-end idea sounds a little like voice recognition: fine 'til you catch a cold.

Re:Hope that paper-cut heals quickly (0)

Anonymous Coward | more than 3 years ago | (#36180374)

This dead-end idea sounds a little like voice recognition: fine 'til you catch a cold.

Or until you have an office full of people, all yelling at their computers...

My voice is my password (1)

killmenow (184444) | more than 3 years ago | (#36178946)

I can't type the sound of my voice.

Re:My voice is my password (1)

ppz003 (797487) | more than 3 years ago | (#36180352)

My name is Werner Brandis. $SUBJECT Verify me.

My voice is my passport. Verify Me (0)

Anonymous Coward | more than 3 years ago | (#36180778)

My voice is my passport. Verify Me

Injure your hand? Can't log in. (1)

QilessQi (2044624) | more than 3 years ago | (#36178952)

Arthritis? Can't log in. Too much caffeine? Can't log in. Too little? Can't...

No, No... (1)

KerPow (667116) | more than 3 years ago | (#36178988)

you have to type it to the rhythm of 'shave and a haircut...' :-P

Alcohol test for soviet pilots (3, Interesting)

iamr00t (453048) | more than 3 years ago | (#36179008)

I remember hearing a story that this system was used to determine the state of mind for soviet military pilots.
You type a control paragraph of text, and then you have to type the same thing again before each flight. The computer just measures the pattern of how you type, and since there's a substantial amount of text (not just a shorter password) I guess it could work.

Of course this was easy to bypass if you just typed initial control text already drunk. :) Just make sure you are drunk for each flight afterwards.

BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.

Re:Alcohol test for soviet pilots (1)

mewsenews (251487) | more than 3 years ago | (#36181446)

BTW, I have also heard a lecture in my uni 15 years ago from a guy that was trying to develop the system to also determine general mood of the person by the way they typed. Not sure how far that went.

Watson's success in Jeopardy has me wondering if we ever see a limit to machine learning. Cell phones have so many sensors on board - camera, location, microphone. I know the last Batman film touched on this but if those sensors were all switched on and listening, a data centre would know when we were relaxing, when we were at work, when we were at the club, when we were making love, when we were screaming at someone. Feed the computer a pattern of sensor data from murders and manslaughters, and the machines would be able to warn the police as the confrontation was happening.

Michael Crichton had this idea in the 80s (1)

slapout (93640) | more than 3 years ago | (#36179056)

Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.

Re:Michael Crichton had this idea in the 80s (1)

wandazulu (265281) | more than 3 years ago | (#36179560)

Funny...I was just going to post this, but thanks for reminding me of the name. As I recall, it was a short story (I want to say I read it in Life, of all places), about a "hot shot" programmer who ignores another, older, programmer who wants to show him this cool new tech he's been working on. Suffice to say the hot-shot programmer gets seduced into selling the company secrets and, this is the part I remember most vividly, does it in a motel room, using a modem, and while he's waiting wanders down the hall to the coke machine.

He gets into hot water when the "secrets" turns out to be pictures of kids or something, and the older guy and the boss tell him that he's not only fired, but probably will have to sell the fancy car he bought to pay back the guys he was trying to sell the secrets to. Suffice to say, the way he's caught is that he didn't type the password in the "right" way, just like TFA (presumably...didn't pay to read it) mentions, and gets caught in a honey pot.

The weird thing is that I have never forgotten the idea of being identified by how you type, and every time I use the keyboard that story just flashes in and out, after all this time.

Re:Michael Crichton had this idea in the 80s (1)

Registered Coward v2 (447531) | more than 3 years ago | (#36180588)

Michael Crichton (yes, that Michael Crichton) actually wrote an article about this in Creative Computing magazine back in the early 80s. He even included a BASIC program to demonstrate the idea. I believe it was called MouseTrap.

Before that, morse code operators could identify each other by their "fist" - the unique way they typed the code on the morse key.

Re:Michael Crichton had this idea in the 80s (1)

jnaujok (804613) | more than 3 years ago | (#36181496)

Dang it, I was going to bring this up too. I remember that (might even still have the magazine deep in the basement box archives) and that I coded it on an IBM clone back in the mid eighties and it was reasonably effective. The program just timed the gaps between keypresses and looked for a match within a few percentage points. It was surprisingly effective at locking out different people, with only a few false negatives when I would type the correct version.

The original story was printed in the July 1984 issue of LIFE magazine.

This post needs audio accompaniment (0)

Anonymous Coward | more than 3 years ago | (#36179094)

This post should really be read while "It ain't what you do, but the way that you do it" plays in the background. A tune from Bananarama in the 1980s.

The original tune is about, er, something else :-) (insert optional smirk).

Usability (0)

Anonymous Coward | more than 3 years ago | (#36179108)

Simple way of creating a usable and secure password is by typing short sentences: http://www.baekdal.com/tips/password-security-usability

Old paper in obscure journal; trivially defeatable (1)

igb (28052) | more than 3 years ago | (#36179128)

The paper dates back to 2009. I can't get it through my university library, so the journal is clearly very obscure. A key logger can log this information, and replay the recorded events to precisely mimic the rhythm of the original typing. It's hard to see how you get around this. It might be protective against shoulder-surfing, although I'd take some convincing that you can get the discrimination right without introducing a lot of false alarms, but it won't provide any protection at all against network or malware based logging.

I foresee difficulties with anything portable (1)

gman003 (1693318) | more than 3 years ago | (#36179218)

My laptop has a fingerprint scanner. Works well enough that I usually try that first, but it fails enough that I still log in via password relatively often.

Being a laptop, and I being a total freak, I often use my laptop in... unusual positions. Seriously, I once used it, standing on my head (leaning against a wall), holding it with one hand and typing with another. Good way to stretch without having to take a break from the Internet.

Anyways, part of that involves logging in, say, one-handed. Or with the laptop tilted at a weird angle relative to my hands. Or typing it in with the bottom of the mouse (using it like a fat ugly stylus). There is absolutely no way I'm going to trust such a system not to lock me out.

Now, I can understand using something like this on something needing absolute security. Not even bank-account level of security - I'm talking "Dead Hand activation code"-level paranoia here. An extra level of security might be useful there. But I would never use this on any computer I would have access to.

However, I do think there might be another place for these: game consoles. Unless you can use a full QWERTY keyboard on them (IIRC, you can plug a USB keyboard into the PS3, and the XBox has a tiny chiclet keyboard thing), I would prefer passwords be something like "up, up, down, down, left-B, right-A, start, start L+R". Adding some very, very loose analysis of entry timings would make that more secure. I can imagine a system like that working (provided it isn't Sony doing the implementation).

Old Research (1)

softWare3ngineer (2007302) | more than 3 years ago | (#36179238)

This is old research. I haven't read the article so they might be using a new technique, but computer scientists have been looking at this for years. The success rate is reasonably good if I remember correctly, too. I think it's mostly based on time between specific key presses. I would also think this would work better when someone is 'out-of-it' as a result of just waking up, or being drunk, and your typing is more muscle memory than thinking.
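The two posts above (jnaujok's mid-eighties program that "timed the gaps between keypresses and looked for a match within a few percentage points", and softWare3ngineer's note that these schemes key on the time between specific key presses) describe the same basic mechanism. The following is an added illustration written for this page, not code from the thread, the paper, or any vendor: it enrolls a timing template from a handful of constructed inter-keystroke gap vectors, then checks new attempts against a percentage window. The 15% tolerance, the one-outlier allowance and the sample numbers are all assumptions. The demo deliberately exercises the failure modes the thread complains about (slow typing on a different keyboard, a backspace that changes the vector length) and the replay weakness igb and Em Adespoton raise (a recorded vector is indistinguishable from the genuine one).

```python
from statistics import fmean

# Constructed enrollment data: inter-keystroke gaps in milliseconds for a
# 9-character password (8 gaps), captured over five typing sessions.
ENROLLMENT_SAMPLES = [
    [120, 95, 210, 88, 140, 160, 75, 130],
    [125, 90, 200, 92, 150, 155, 80, 125],
    [118, 98, 215, 85, 138, 165, 72, 135],
    [130, 93, 205, 90, 145, 158, 78, 128],
    [122, 96, 208, 87, 142, 162, 76, 132],
]


def enroll(samples):
    """Build a timing template: the per-gap mean over all enrollment samples.

    Every sample must have the same number of gaps; a backspace or a
    different password length during enrollment is rejected here rather
    than silently skewing the template.
    """
    if not samples:
        raise ValueError("need at least one enrollment sample")
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("enrollment samples have inconsistent lengths")
    return {"mean": [fmean(col) for col in zip(*samples)]}


def verify(template, attempt, tolerance=0.15, max_outliers=1):
    """Compare one login attempt's gap vector against the template.

    A gap is an outlier when it falls outside mean * (1 +/- tolerance).
    Returns (accepted, outlier_count). Tolerance and max_outliers are
    assumed tuning knobs: tighter values cut impostor acceptance but raise
    the false rejections the thread describes.
    """
    means = template["mean"]
    if len(attempt) != len(means):
        # Vector length differs: typically a backspace correction or a
        # pasted password. Count every gap as unmatched.
        return False, len(means)
    outliers = sum(
        1 for m, a in zip(means, attempt) if abs(a - m) > tolerance * m
    )
    return outliers <= max_outliers, outliers


def demo():
    """Run the scenarios discussed in the thread; returns a result dict."""
    template = enroll(ENROLLMENT_SAMPLES)
    scenarios = {
        # Same person, same keyboard, ordinary day.
        "genuine": [121, 94, 212, 89, 141, 159, 77, 129],
        # Same person with one hesitation mid-password.
        "one_hesitation": [121, 94, 212, 89, 280, 159, 77, 129],
        # Same person, cold fingers or an unfamiliar keyboard: ~60% slower.
        "slow_typing": [192, 150, 330, 140, 225, 255, 120, 210],
        # Someone else typing the correct password at an even rhythm.
        "impostor": [150] * 8,
        # Backspace used: one extra gap, vector length no longer matches.
        "backspace": [121] * 9,
        # Gap vector recorded during enrollment and fed back unchanged.
        "replayed_recording": ENROLLMENT_SAMPLES[0],
    }
    return {name: verify(template, gaps) for name, gaps in scenarios.items()}


if __name__ == "__main__":
    for name, (accepted, outliers) in demo().items():
        print(f"{name:20s} accepted={accepted!s:5s} outliers={outliers}")
```

The output makes the thread's two complaints concrete: the legitimate user is rejected whenever their rhythm shifts or they correct a typo, while a recorded vector is accepted because the template cannot distinguish it from the live typing it was copied from. A deployment that wants this signal at all generally uses it as a risk score alongside something else (the step-up check MDMurphy describes for an unrecognised device) rather than as a hard gate.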

Frozen fingers, drunk status updates (1)

NickstaDB (2006530) | more than 3 years ago | (#36179364)

Oh wow so when the weather is cold I won't be able to log in because of my cold stiff fingers that type at a fraction of the speed, possibly with increased mistakes because the up-down movement comes quicker than the left-right movement? What if I come home drunk and feel the need to post a social networking message that I'll read the next morning in horror? Wait, I guess that won't be a bad thing, increased mistake level will block me out. Winner!

Could work for Sony. (0)

Combatso (1793216) | more than 3 years ago | (#36179430)

Measure how you play a game... if you make smart choices in the game, you are probably too smart to give your credit card to Sony, and therefore are not the actual account holder...

Back in the BBS days (1)

jellomizer (103300) | more than 3 years ago | (#36179564)

I remember back in those old BBS days where they had DOS-based BBS software where when someone logged into your BBS you had a near mirror image of what the user was doing. So while they typed their password you saw their password echoed to the Sysop screen in real time. For small BBSs a SysOp knew if the user was who they said they were just by watching them log in. You knew by the way they typed if it was them or not.

Passwords based on shapes (1)

grapeape (137008) | more than 3 years ago | (#36179568)

Does anyone else make up passwords based on a shape or pattern on a keyboard? I got in that habit years ago; remembering them is more "muscle memory" than anything. Half of the time I couldn't even tell you what the actual letters are, but can remember that it's a tree shape or fish shape, etc.

I have seen this implemented: (0)

Anonymous Coward | more than 3 years ago | (#36179578)

I used to work as an IT monkey for a financial institution. When the hammer came around for dual identification, rather than going with some bizarre bingo card, matching puppies together or the vast cost prohibitiveness of handing out one-time pad authenticator keys (see RSA key fobs or Blizzard Authenticators), we instead opted to match based on a form of biometrics.

Mind you, this was difficult to tune well. It did exactly what this article describes. It replaced our standard text field login with a heavily obfuscated, compressed and bizarrely constructed Flash entity. This Flash bit took the login, but it also monitored how you typed it. If you hit backspace to correct, it cleared the whole field. Yes, if you used a drastically different keyboard or you were drunk or groggy or whatever, it might trip. We had it collect this "biometric" data for nigh on a year before we turned on the blocks if something didn't match. We specifically turned the tightening up on our own accounts to test how it would react. If it failed, it would do one of two things.
1) If you were vastly out of spec, it would tell you no, and to call customer service.
2) If you were slightly out of spec, it would then have you answer secret questions and possibly trigger an out-of-channel auth (text message to a cell phone listed on your account, or an automated voice speaking a number called to your house line). If you got this all correct, you got let in, and new data was added to that account's data pool for the "biometric" hashes of how you type for that account.

I've since left that place, but the idea was interesting and it seemed to work okay, even if it did then block out mobile checking of the site on non-Flash-Compliant phones (iDevices, Blackberry, etc) and make it more difficult on low powered devices (Android phones and old computers).

Point of Diminishing Returns (0)

Anonymous Coward | more than 3 years ago | (#36179604)

I worked for a biometrics company back in the mid to late 90's and we had begun to implement a system based on this same concept. It was never added to our software, however, due to the fact that the more closely you required the new input to match the stored baseline, the less usable it became.

If you need an 80% or better match then that person had better be sitting in the same chair at the same desk on the same keyboard that they used when they set their typestyle password. If you need 90% or better then you will pretty consistently end up locking out the user due to everything from the temperature of the room to a person's mood that day.

On the other end of that, the number of false positives increases exponentially for every percent below 80. So the more usable it is for the employee, the less reliable it is for security.
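The enrol-then-score flow the bank-system post describes (collect timings, accept / step up / refuse, and fold accepted attempts back into the pool) and the threshold trade-off this post discusses, as an added example that is not code from any poster or vendor. Latencies, the 2-sigma band and the 0.8 / 0.6 cut-offs are constructed assumptions for illustration.

```python
# Added example, not code from any poster: keystroke-dynamics check with
# enrol / score / three-band decision. Thresholds below are assumptions.
from statistics import mean, stdev

# Constructed inter-key latencies (ms), four typings of one 8-char password.
ENROLMENT_SAMPLES = [
    [120, 95, 140, 110, 180, 90, 130],
    [125, 100, 135, 115, 175, 95, 125],
    [115, 90, 145, 105, 185, 85, 135],
    [130, 105, 130, 120, 170, 100, 120],
]

def enrol(samples, min_sd=5.0):
    """Per-gap (mean, std-dev) template; std-dev floored at min_sd ms so a
    very consistent enrolment does not reject a few ms of ordinary jitter."""
    n = len(samples[0])
    if len(samples) < 2 or any(len(s) != n for s in samples):
        raise ValueError("need at least two samples of equal length")
    return [(mean(col), max(stdev(col), min_sd)) for col in zip(*samples)]

def match_score(template, attempt, k=2.0):
    """Fraction of gaps within k std-devs of the enrolled mean (0..1)."""
    if len(attempt) != len(template):
        return 0.0
    hits = sum(abs(x - mu) <= k * sd for (mu, sd), x in zip(template, attempt))
    return hits / len(template)

def decide(score, accept=0.8, step_up=0.6):
    """accept: let in; step-up: secret question / out-of-band code;
    reject: refuse and point the user at support."""
    if score >= accept:
        return "accept"
    return "step-up" if score >= step_up else "reject"

def authenticate(samples, attempt):
    """Score one attempt; on accept, fold it into the pool so the template
    drifts with the user, as the bank-system post describes."""
    score = match_score(enrol(samples), attempt)
    band = decide(score)
    pool = samples + [attempt] if band == "accept" else samples
    return band, score, pool

if __name__ == "__main__":
    for label, att in [("genuine", [118, 98, 138, 112, 178, 92, 128]),
                       ("cold fingers", [140, 112, 138, 112, 178, 92, 128]),
                       ("impostor", [250, 240, 260, 230, 300, 220, 250])]:
        band, score, _ = authenticate(ENROLMENT_SAMPLES, att)
        print(f"{label:12s} score={score:.2f} -> {band}")
```

Raising `accept` toward 0.9 or shrinking `k` tightens the match and, exactly as the post says, starts rejecting the "cold fingers" attempt outright.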

Really Old News (1)

iateyourcookies (1522473) | more than 3 years ago | (#36179688)

Here's a paper on the same subject from 18 years ago, and that was just the first result I found on Google Scholar!

http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=256563 [ieee.org]

Obviously, there have been advances since then but this certainly isn't a new idea by any stretch of the imagination.

Sounds problematic (1)

DarkOx (621550) | more than 3 years ago | (#36179702)

So what happens when I injure a hand working on the car or something and have to do my keyboarding with only my right or only my left? I can't login?

It'll work perfectly for me, most of the time (1)

Artifex (18308) | more than 3 years ago | (#36179904)

...my password manager should fill the buffer at the same rate every time.

already implemented (1)

SteveTauber (996603) | more than 3 years ago | (#36179944)

This is old news: It's already been monetized by Gordon Ross's company: http://www.biopassword.com/keystroke_dynamics_advantages.asp [biopassword.com] - I had a chance to use this system back in 2004 and it was pretty cool. When the system is learning your password initially, you type it a handful of times so that it can average times between keystrokes. You can type "normal" or you can type at an abnormal rhythm. Your choice. Here are some other papers published a long time ago... http://portal.acm.org/citation.cfm?id=581272 [acm.org] (2002) http://portal.acm.org/citation.cfm?id=266434 [acm.org] (1997)

Keycode stream, not character stream (1)

Dr_Barnowl (709838) | more than 3 years ago | (#36179984)

I keep wanting a password input that works off a keycode stream, not a string.

That way your password could include deletions, modifier keys, and other unusual combinations. It sounds less fragile than this approach, although it might be interesting on devices with different keyboard layouts.

Old Story (1)

Kamiza Ikioi (893310) | more than 3 years ago | (#36180000)

I read about this over 10 years ago. It was the same time handwriting recognition was supposed to turn Palms into ultra-secure password verifiers, and someone said "Hey, we can do that with typing too!". It went nowhere. Anyone got a link to the old research?

This also sounds like the old program to allow the NSA to identify anonymous blog writers. But instead of typing patterns, it used words already typed patterns.

But still, this is OLD tech. Nothing new to see, move along.

Not an entirely new idea... (3, Interesting)

SirNAOF (142265) | more than 3 years ago | (#36180006)

I reviewed a company's offering a few years ago that was recording the relative timing between keystrokes when you entered a password. Any subsequent attempts had to match that relative pattern in order to be verified.

It failed miserably.

I had a demo with the company. They showed me a nice fake online banking login screen. They then told me the name and password and said "Go ahead and try to login." I did so. And it let me right in. The woman giving the demo couldn't believe it. I took a screenshot and sent it to her as verification. Sure enough, their system did not stop me from logging in.

So she reset the password to something else, ran through a couple of calibration runs to make sure she could login, and then again gave me the password. I once again logged in immediately.

Once more she changed the password, and again asked me to try it. I couldn't login. So I tried a few more times, and on the third try I was once again staring at fake bank accounts.

I realized two things from this demo. First, it's easily breakable by a human with comparable typing skills to the victim when the password is known. Second, the only thing this (particular product) could defeat was an automated system attempting to log in. ...I don't think that review ever got published...

One handed (2)

WDancer (1201777) | more than 3 years ago | (#36180070)

I was just thinking about this the other day when I needed to log into a computer at work while I was holding a part I wanted to look up in our system. I heard about password systems using pattern logging a while ago and thought it would be ridiculous in the real world. On a similar note, I had an uncle that retired from a workplace that had fingerprint, voiceprint, and a weight scanner to get into work. He said if you had a cold or gained or lost more than 5 pounds you had to be escorted to the security office and have your identity verified before they would let you in. Some security measures are just too odd. (A scale? WTF?)

Behind some crappy paywall? (1)

dhj (110274) | more than 3 years ago | (#36180366)

Seriously? ... Let me be the first to welcome you to the world of academic journals.

This is nothing new (1)

LilGuy (150110) | more than 3 years ago | (#36180372)

I remember reading a story about this back around the time I first created my slashdot account some 13+ years ago. I remember people saying it was a nice idea but in practice it was unworkable for various obvious reasons including hand injuries, differing keyboards, and environmental distractions.

Seriously, this is "new" research? (0)

Anonymous Coward | more than 3 years ago | (#36180608)

This is old enough that there are established commercial vendors doing it. Just goes to show you - obscure universities in 3rd world countries only do - at best - derivative work.

Here's an example company that's been selling this sort of solution commercially for years:

    http://www.biopassword.com/ [biopassword.com]

Previous Work in this Area (0)

Anonymous Coward | more than 3 years ago | (#36180618)

I'd like to see a full copy of the paper to see how it improves on this work:
"Authentication via Keystroke Dynamics" (1997) by Fabian Monrose and Aviel Rubin

Only slightly related (0)

Anonymous Coward | more than 3 years ago | (#36180754)

My strongest password is 30 characters with all the bells and whistles (i.e. upper, lower, special, number, letter, virtually random, not written down anywhere, no hints or alternate methods for recovery -- at least not without knowing the password). How difficult would it be to "brute force" hack this (i.e. without using a key logger or working around it)? What about with the fastest computers available to humankind? Is it something I can keep in good confidence without changing for years or should I change it every couple of months, as with weaker passwords? I don't NEED to know this necessarily, as the password is probably unnecessary for what I have worth protecting, which is basically a gmail account that fills up with travelocity, viagra, and penis enlargement ads (no comments about what this must say of my browsing history please -- I'm just a curious person, what can I say, and besides, it's private alright!). Just wondering. Thanks.

That would kill my best posts... (1)

frank_adrian314159 (469671) | more than 3 years ago | (#36180872)

... as most of them are made when I'm drunk...

Not New (1)

AJH16 (940784) | more than 3 years ago | (#36180956)

I read about this years ago. How is this news? It's a cool idea that I find works well in some situations, but you wouldn't want to use it everywhere. I do think it is a cool technology though.

nothing new under the sun (0)

Anonymous Coward | more than 3 years ago | (#36181034)

Episode 9 of 'Welcome to Paradox' (http://en.wikipedia.org/wiki/List_of_Welcome_to_Paradox_episodes) is based upon a story by David Ira Cleary, "All Our Sins Forgotten".

In the written story, a mistake in details of a password entry causes the breakdown of the main character's lifestyle, with tragic results.

Dave published that in 1989 (http://www.locusmag.com/index/s146.htm) - I think that counts as prior art...

old tech (0)

Anonymous Coward | more than 3 years ago | (#36181094)

I talked to someone in the 80's who said that he bought a program and the patent for this type of technology from grad students at Stanford University. This is not new.

Forgot password (1)

drb226 (1938360) | more than 3 years ago | (#36181230)

This gives "forgot password" a whole new meaning. "Oops, now which password did I use for this site again? And with what rhythm did I type it?"