
Using Password "Keyprints" as Another Form of Authentication?

Cliff posted more than 11 years ago | from the constructive-criticism-for-an-interesting-idea dept.

Security 100

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
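The two measurements and the 20-entry enrollment described in the submission, sketched as an added example; this is not the submitter's code. The event tuple layout, the z-score scoring, the `min_sd` floor, the threshold and both typing rhythms are assumptions or constructed sample data.

```python
from statistics import mean, stdev


def features(events):
    """Turn one typed password into a timing vector (milliseconds).

    events: list of (key, keydown_ms, keyup_ms) in typing order.
    Returns the hold time of every key, followed by, for every adjacent
    pair, the time from the first key's keydown to the next key's keyup
    (the two measurements the submission describes).
    """
    hold = [up - down for _, down, up in events]
    pair = [events[i + 1][2] - events[i][1] for i in range(len(events) - 1)]
    return hold + pair


def enroll(samples, min_sd=10.0):
    """Build a keyprint from enrollment samples: (mean, spread) per feature.

    min_sd is an assumed floor so that a very consistent typist is not
    rejected over a few milliseconds of jitter.
    """
    if len(samples) < 2:
        raise ValueError("need at least two enrollment samples")
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), min_sd)) for c in columns]


def score(keyprint, events):
    """Mean absolute z-score of an attempt; lower is closer to the keyprint."""
    vec = features(events)
    if len(vec) != len(keyprint):
        raise ValueError("attempt length does not match the enrolled password")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(vec, keyprint))


def verify(keyprint, events, threshold=1.5):
    """Accept the attempt if its score is within the (assumed) threshold."""
    return score(keyprint, events) <= threshold


def constructed_sample(password, hold, gap, k):
    """Constructed (not measured) sample number k for a typing rhythm.

    hold[i] is how long key i is held, gap[i] the pause before key i+1;
    a deterministic jitter of -5..+5 ms stands in for natural variation.
    """
    events, t = [], 0
    for i, ch in enumerate(password):
        h = hold[i] + (k * 7 + i * 3) % 11 - 5
        events.append((ch, t, t + h))
        if i < len(gap):
            t += h + gap[i] + (k * 5 + i * 2) % 11 - 5
    return events


PASSWORD = "s3cret"  # constructed
OWNER = ([90, 110, 80, 100, 95, 85], [60, 140, 50, 70, 120])
OTHER = ([140, 160, 130, 150, 145, 135], [200, 90, 180, 200, 60])

# Enrollment: 20 entries of the password, as in the submission.
KEYPRINT = enroll([constructed_sample(PASSWORD, *OWNER, k) for k in range(20)])

if __name__ == "__main__":
    for name, rhythm in (("owner", OWNER), ("other typist", OTHER)):
        attempt = constructed_sample(PASSWORD, *rhythm, 23)
        print(name, round(score(KEYPRINT, attempt), 2), verify(KEYPRINT, attempt))
```

The threshold is the knob behind the 91% figure: tightening it rejects more attempts by other typists and also more of the owner's own.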


Yes it is (3, Funny)

NiceGeek (126629) | more than 11 years ago | (#6005327)

Give me your password and I'll prove it. :)

A patent? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6005329)

I have written two programs with patents on both.

Well, this is Slashdot, the "patent is evil"-center of the planet.

Won't stop advanced key-capturing programs (1, Interesting)

Anonymous Coward | more than 11 years ago | (#6005331)

They'll just record the way you type your password and play it back when necessary.

May be defeated if password is keylogged (3, Insightful)

Vendekkai (121853) | more than 11 years ago | (#6005345)

While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.

Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.

Re:May be defeated if password is keylogged (3, Insightful)

Surye (580125) | more than 11 years ago | (#6005366)

> Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.

This will be a huge problem for you, as when you "learn" your password better, you type it out faster. You'd have to apply this at "critical level of ...remeberance(I know, not a word =P), and that would cause implementation to be horrible.

Re:May be defeated if password is keylogged (1)

unitron (5733) | more than 11 years ago | (#6012809)

...remeberance(I know, not a word =P)

True. However remembrance is, and no doubt that was the word which you intended. See, your vocabulary is bigger than you thought.

Re:May be defeated if password is keylogged (1)

fstanchina (564024) | more than 11 years ago | (#6040484)

Just use statistics from the last 20 or so successful logins. This would solve the problem at hand, and it would also make the acceptable timings tighter and tighter as you learn how to type the password almost without thinking.

Of course I claim the patent on this enhancement. ;)

Re:May be defeated if password is keylogged (1)

ealar dlanvuli (523604) | more than 11 years ago | (#6042097)

Even better, do an exponential average of all logins, so slight drift is possible - but if you cut your left pinky one week and typed slowly for 2-3 days it wouldn't swing the average nearly as far.
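The two update rules proposed in this subthread (an average over the last 20 successful logins, and an exponential average), compared as an added example that is not code from any poster. The tolerance, `alpha`, the drift rate and all vectors are assumptions or constructed sample data.

```python
from collections import deque


def distance(a, b):
    """Largest per-feature difference between two keyprint vectors (ms)."""
    return max(abs(x - y) for x, y in zip(a, b))


class WindowTemplate:
    """Average of the last n accepted keyprints."""

    def __init__(self, seed, n=20):
        self.window = deque(seed, maxlen=n)

    def mean(self):
        return [sum(col) / len(col) for col in zip(*self.window)]

    def update(self, vec):
        self.window.append(vec)


class EmaTemplate:
    """Exponential average: each new keyprint gets weight alpha."""

    def __init__(self, seed, alpha=0.02):
        self.alpha = alpha
        self.m = [sum(col) / len(col) for col in zip(*seed)]

    def mean(self):
        return list(self.m)

    def update(self, vec):
        a = self.alpha
        self.m = [(1 - a) * m + a * x for m, x in zip(self.m, vec)]


def attempt(template, vec, tolerance=25.0, learn=True):
    """Accept if within tolerance. Only accepted attempts update the
    template, so failed guesses cannot drag it toward another typist."""
    ok = distance(template.mean(), vec) <= tolerance
    if ok and learn:
        template.update(vec)
    return ok


BASE = [120.0, 200.0, 90.0, 150.0]  # constructed enrollment keyprint (ms)
SEED = [BASE] * 20                  # 20 identical enrollment entries


def drifting_logins(count=100, step=0.4):
    """Constructed drift: every login is `step` ms faster on every feature."""
    return [[b - step * t for b in BASE] for t in range(1, count + 1)]


def accepted(template, learn=True):
    """Number of drifting logins the template accepts, out of 100."""
    return sum(attempt(template, v, learn=learn) for v in drifting_logins())


def swing(template, slow_by=100.0, logins=3):
    """How far the average moves if a few slow logins are averaged in
    unconditionally (the injured-finger case)."""
    before = template.mean()
    for _ in range(logins):
        template.update([b + slow_by for b in BASE])
    return distance(before, template.mean())


if __name__ == "__main__":
    print("frozen  :", accepted(WindowTemplate(SEED), learn=False), "of 100")
    print("window  :", accepted(WindowTemplate(SEED)), "of 100")
    print("exp. avg:", accepted(EmaTemplate(SEED)), "of 100")
    print("swing window  :", round(swing(WindowTemplate(SEED)), 2), "ms")
    print("swing exp. avg:", round(swing(EmaTemplate(SEED)), 2), "ms")
```

With these numbers a keyprint frozen at enrollment starts rejecting the owner partway through the drift, while both adaptive rules keep up. The smaller `alpha` that limits the swing also makes the exponential average trail the drift by more than the window does, so the two have to be tuned together with the tolerance.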

Re:May be defeated if password is keylogged (1)

zmotula (663798) | more than 11 years ago | (#6005407)

Once I thought about implementing something like this. Instead of learning the password keyprint by fixed number of attempts, I thought about continuous learning --- the login box would just keep a database of all your login keyprints (not validating them) and once you get used to your password, the differences between successive keyprints would cross some given epsilon, turning on the keyprint checking.

Re:May be defeated if password is keylogged (0)

Anonymous Coward | more than 11 years ago | (#6005529)

>I thought about continuous learning
WOW...Ingenious, a couple of super computers running ANNs and a big database to store the patterns.. the system should be able to log you in.. about, say,... an hour

Re:May be defeated if password is keylogged (1)

zmotula (663798) | more than 11 years ago | (#6005640)

The keyprint is a vector of doubles, computing difference between vectors is a breeze and just last few vectors can be used to determine the used-to-the-password status. No rocket science.
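The switch-over discussed in this subthread (record keyprints without checking them until successive ones stop differing by more than some epsilon, then turn checking on), as an added example that is not code from any poster. The class name, `epsilon`, `stable_steps`, `tolerance` and the learning curve are assumptions or constructed sample data.

```python
import math


def distance(a, b):
    """Euclidean distance between two keyprint vectors (ms)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LearningGate:
    """Collects keyprints unchecked, then latches into enforcing mode."""

    def __init__(self, epsilon=10.0, stable_steps=3, tolerance=30.0):
        self.epsilon = epsilon            # max change between successive logins
        self.stable_steps = stable_steps  # how many successive changes must be small
        self.tolerance = tolerance        # max distance once enforcing
        self.history = []
        self.enforcing = False

    def _recent(self):
        return self.history[-(self.stable_steps + 1):]

    def _settled(self):
        recent = self._recent()
        if len(recent) <= self.stable_steps:
            return False
        return all(distance(a, b) < self.epsilon
                   for a, b in zip(recent, recent[1:]))

    def reference(self):
        """Average of the last few recorded keyprints."""
        return [sum(col) / len(col) for col in zip(*self._recent())]

    def login(self, vec):
        """Call only after the password itself has been verified."""
        if self.enforcing and distance(self.reference(), vec) > self.tolerance:
            return False               # rejected attempts are never learned
        self.history.append(list(vec))
        if not self.enforcing and self._settled():
            self.enforcing = True      # latch: checking stays on from here
        return True


# Constructed learning curve: slow at first, converging on SETTLED.
SETTLED = [100.0, 180.0, 80.0, 130.0]
EXTRA = [200.0, 300.0, 150.0, 250.0]
OTHER_TYPIST = [160.0, 110.0, 130.0, 210.0]  # constructed


def learning_curve(k):
    """Keyprint of the k-th login (0-based) with a new password."""
    return [s + e * 0.6 ** k for s, e in zip(SETTLED, EXTRA)]


def logins_until_enforced(gate, limit=50):
    """Feed the learning curve; return how many logins it took to latch."""
    for k in range(limit):
        gate.login(learning_curve(k))
        if gate.enforcing:
            return k + 1
    return None


if __name__ == "__main__":
    gate = LearningGate()
    print("enforcing after", logins_until_enforced(gate), "logins")
    print("owner accepted:", gate.login(learning_curve(10)))
    print("other typist accepted:", gate.login(OTHER_TYPIST))
```

Until the gate latches, the password alone protects the account, and whoever logs in during that period shapes the keyprint.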

Re:May be defeated if password is keylogged (0)

Anonymous Coward | more than 11 years ago | (#6009656)

Cha-ching! Ha ha, see if you can beat me to the patent office, sucker.

Re:May be defeated if password is keylogged (1)

RevDobbs (313888) | more than 11 years ago | (#6016958)

Once I thought about implementing something like this.

Cool, I'll send you a licencing agreement, or my IP lawyer, whichever you prefer.

Sorry to burst your bubble (5, Informative)

droyad (412569) | more than 11 years ago | (#6005346)

Re:Sorry to burst your bubble (2, Interesting)

Rxke (644923) | more than 11 years ago | (#6005409)

Yea, this has been common knowledge for eons. i remember writing sumtin similar in BASIC on a crappy 64k amstrad to protect my programtapes...Back in the 80's. Even then we geeks (2 on the whole school, called us the freak brothers...) had read about things like that in magazines, so, old hat.

Re:Sorry to burst your bubble (2, Funny)

jsse (254124) | more than 11 years ago | (#6005503)

Prior art is irrelevant [uspto.gov] in getting patents from USPTO. :)

Re:Sorry to burst your bubble (3, Insightful)

WasterDave (20047) | more than 11 years ago | (#6005519)

Sure, but it is relevant for enforcing them. Presumably that's the point?

Dave

Re:Sorry to burst your bubble (2)

KyleCordes (10679) | more than 11 years ago | (#6007049)

Not always; there can be a lot of value in an unenforceable patent, to create a chilling effect on competitors, especially the smaller ones. That's because no one really knows if it's enforceable until someone can afford to spend a hefty sum on litigation to find out.

Re:Sorry to burst your bubble (1)

SeanAhern (25764) | more than 11 years ago | (#6011271)

Uh, that patent looks pretty darn specific to me. It talks about specific shaped connectors, how wind drag affects certain-shaped spokes, their specific shape, etc. It looks like a non-obvious specific solution to a general problem. And there is a drawing of a particular implementation. It is not a generic patent for "spoked wheels", which is what I infer you meant by saying that the existence of prior art had no bearing on this particular patent.

Unless you're seeing something I'm not seeing...

I nearly did this project at uni (1)

lonely (32990) | more than 11 years ago | (#6005701)

Hi,

I actually tried to do this in a java applet for the second year project at reading university in 1995. But my neural networks teacher said that it had been done years before and we had to do something innovative.

Shame I have no docs to prove it!

Yes, patent my arse, indeed! (0)

Anonymous Coward | more than 11 years ago | (#6006047)

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. (...)"

Droyad is right of course. (Please mod parent up.) Well, Adam, I'm terribly sorry to prove your incompetence, pal, but patents have to be not only innovative (i.e. NO prior art), but also non-trivial for crying out loud! I have written a program doing exactly what your first program does, when I was twelve years old, for God's sake! This program recorded typed messages and later displayed them exactly how they were being written, storing intervals in milliseconds between every typed character and control key. And now, sixteen years later, you are saying this is oh-so-innovative and non-trivial, that you patent it? What the fuck were you smoking, man?! Please take no offence, but I am forced to question your doubtful intelligence. Meanwhile please do try not to overdose crack ever again. Thank you.

Re:Yes, patent my arse, indeed! (0)

Anonymous Coward | more than 11 years ago | (#6007977)

Well, Adam, I'm terribly sorry to prove your incompetence, pal, but patents have to be not only innovative (i.e. NO prior art), but also non-trivial for crying out loud! I have written a program doing exactly what your first program does, when I was twelve years old, for God's sake! This program recorded typed messages and later displayed them exactly how they were being written, storing intervals in milliseconds between every typed character and control key. And now, sixteen years later, you are saying this is oh-so-innovative and non-trivial, that you patent it?

And you, "pal", obviously know fuck all about Patent Law.

The patent in this case will focus on using the data for computer security purposes, much the same way as the fact that everyone has unique retina patterns but to capture that data and use it as a biometric authentication mechanism is worthy of a patent.

Re:Yes, patent my arse, indeed! (0)

Anonymous Coward | more than 11 years ago | (#6012142)

The patent in this case will focus

I thought the question poster HAD 2 patents?!

That's what, like 12 grand wasted? 6 grand a patent on average here in the USA.

Re:Sorry to burst your bubble (1)

blue_cobalt (674326) | more than 11 years ago | (#6006106)

Even better, I think there's a James Bond book (Dr No?) where the Secret Service use the same thing, but for morse keying. And that was the early 60's!

Re:Sorry to burst your bubble (1)

bobthemonkey13 (215219) | more than 11 years ago | (#6010981)

Neal Stephenson mentioned this in _Cryptonomicon_: at one point in the book, the British spoof a message to appear to be from a German submarine by imitating the "fist" of the sub's communications officer. I have no idea if this kind of thing really happened, but it seems plausible.

Re:Sorry to burst your bubble (1)

unitron (5733) | more than 11 years ago | (#6012830)

Telegraph operators have been able to tell which of their fellow operators was at the key practically ever since the invention of the telegraph. Sort of like no two piano players sound exactly the same even though playing the same sheet of music.

Re:Sorry to burst your bubble (0)

Anonymous Coward | more than 11 years ago | (#6046990)

I believe "The Adolescence of P-1" also used the technique over 20 years ago. Although there no password was used -- the computer merely recognized who was typing based on their patterns. Or was that in "The Moon Is A Harsh Mistress"?.

Actually done on the Apple ][ (1)

acomj (20611) | more than 11 years ago | (#6009960)

I found a program that did this in nibble. It was early 80s. I used it as protection on my disc. It's really annoying to have your password rejected when you've typed it correctly..

Sounds good (1)

Tyreth (523822) | more than 11 years ago | (#6005358)

Will be great for a lone ranger, but sometimes certain passwords need to be shared and this would eliminate it. Unless, at the time the password is shared, you measure timing for that new user as well - but each successive time would weaken the strength of this new layer of security.

Not much of a problem though. Sounds good to me in some ways.

Re:Sounds good (1)

SwellJoe (100612) | more than 11 years ago | (#6005777)

When would you ever need to share a password? (Don't answer that...The answer is never.) Groups are for working with teams. SetGID bits are for working with teams. Sharing passwords is the bizarre action of someone who doesn't know better.

Re:Sounds good (3, Interesting)

perljon (530156) | more than 11 years ago | (#6006085)

And maybe you don't want to use this for authentication, but it could set off bells and whistles so that an admin could look into the security violations. You could find out exactly when someone decided to share their password. Then you could walk up to their desk in a black suite and sun glasses, and remind them that they are not supposed to share their password, and that it's been changed.

This would also be a good measurement for hacker detection. If you keep a history of the password key stroke timing, and all of a sudden a separate set of timings start to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!

Re:Sounds good (1)

glsunder (241984) | more than 11 years ago | (#6008600)

I wouldn't think of this as a patentable idea on its own and I swear I've read about the idea before several other places (probably /.), but it could be useful in an IDS, simply notifying the admin of a suspicious login. It could also be added to a login system that combined passwords with other imperfect ID checks like facial recognition.

Re:Sounds good (2, Funny)

edwazere (87203) | more than 11 years ago | (#6014059)

Then you could walk up to their desk in a black suite...
I read this and had a strange image of a sofa and 2 chairs turning up at my desk... Maybe that's the lack of coffee this morning.

Re:Sounds good (0)

Anonymous Coward | more than 11 years ago | (#6007280)

maybe on your "server" (aka e-Machines running gentoo) you only have one user per account (and only one account -- "root"), but there are valid reasons to have multiple users per account.

Re:Sounds good (1)

Hank Reardon (534417) | more than 11 years ago | (#6009249)

When would you ever need to share a password? (Don't answer that...The answer is never.)
You share passwords when it's forced upon you by an outside entity. For example, a website may charge for access and the company uses a single account for multiple users. I believe some section of Oracle used to (and possibly still does) use per company or per version accounts.

"Never" is a word to stay away from when things are not 100% in control. How often have things been 100% in my control, you ask?

Why, never! :)

91% success means 9% failure (3, Insightful)

porksodas (515690) | more than 11 years ago | (#6005363)

91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.

I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.

Re:91% success means 9% failure (1)

Sentry21 (8183) | more than 11 years ago | (#6008761)

I don't know about you, but every password I have, I have to re-type one time in ten anyway, because of mis=hits, double lettters, lrunpstf=djogy*, or whatever else. This goes too for most people I know. Heck, half the users I know forget their username anyway.

Still, I think this would be an interesting idea, as long as it re-learned as time went on (people get faster at typing their password - and what about when passwords change?). There are several trivial but important issues. Still, a cool idea. I wish I could implement it on my systems, just for fun.

--Dan

* keyboard-shift

Re:91% success means 9% failure (1)

keller (267973) | more than 11 years ago | (#6013964)

But this will just add to the times you have to retype. The password has to be correctly typed, and correctly timed. So it would be an inconvenience. Also when re-typing a password, the timing is often different because you want to get it right this time, and therefore focus more on each key.

All in all it is bound to have a higher re-type rate than normal passwords, but it might still have application in areas where emphasis is more on security and less on speed...

No patents (5, Interesting)

Roto-Rooter Man (520267) | more than 11 years ago | (#6005370)

This guy has no patents. [uspto.gov] He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?

Re:No patents (3, Funny)

Steve Cox (207680) | more than 11 years ago | (#6005639)

Actually I think it was a misspelling. He wrote two programs with patterns on them.

The first one has a nice plaid pattern, whereas the second one (and this is the clever bit) has a striking blue and green pattern on it.

Steve.

Re:No patents (1)

unitron (5733) | more than 11 years ago | (#6012850)

"The first one has a nice plaid pattern, whereas the second one (and this is the clever bit) has a striking blue and green pattern on it."

Somewhere there's bound to be a Scottish clan or two with prior art on that.

Re:No patents (1)

ralphclark (11346) | more than 11 years ago | (#6005674)

Presumably he has filed with the patent office but no patent has been granted yet. However his idea would still be protected should anyone else try to file an application covering the same idea.

Re:No patents (1)

klmth (451037) | more than 11 years ago | (#6005899)

Wouldn't it still show as a patent pending?

Re:No patents (1)

gl4ss (559668) | more than 11 years ago | (#6005920)

no.

you know, there's things called submarine patents some devious companies can file, and then try to get everyone to use the already patented tech (whilst they don't know the company has patents on them) and then profit from this.

this timing method however has very few uses, but very good uses those few are, for example for vaults or similar.

THIS IS A HOAX YOU MORONS! (0)

Anonymous Coward | more than 11 years ago | (#6006100)

Presumably he has filed with the patent office but no patent has been granted yet.

Presumably he has filed my arse! This guy is a crackpot! Do a little Google search [google.com] and you'll know for yourself. Excuse me, but does this sound like someone who has got IQ higher than 20?

Adam Kiger asks: "I have written two programs with patents on both. (...) So I've come to ask Slashdot: Is this a viable security function?"

Think, people, THINK! What the hell happened to smart people on /.? Are we already outnumbered by morons? I guess it's time to move to k5... *sigh*

Re:THIS IS A HOAX YOU MORONS! (1)

Valdez (125966) | more than 11 years ago | (#6011398)

A Google search? If that's how you determine prior art and the veracity of a claim, I wouldn't be surprised if you actually worked for the patent office yourself.

Patent Officer #1: "How'd the Google search turn out?"
Patent Officer #2: "Well, I searched on his name and didn't find any web pages talking about this idea, so it must be new!"
Patent Officer #1: "Great! I'll notify Mr. Bezos of his new patent!"

Have you ever considered that not everyone who has an idea first creates a website about it... and if they did have a website they might not provide a link to /.?

Re:No patents (1)

oliverthered (187439) | more than 11 years ago | (#6007945)

Good, that was one of the first programmes I ever wrote for the PC, a bastard long time ago.

My thoughts were to continuously monitor things like spelling mistakes and typos as well as keypresses: 10Mins of odd activity and the PC questions the identity of the operator.

This is fine, until you injure yourself and don't type quite the same.

Re:No patents (1)

bestguruever (666273) | more than 11 years ago | (#6055931)

or have a few beers ... or attempt to code your first asm program ...

Re:No patents (1)

bergeron76 (176351) | more than 11 years ago | (#6012418)

I agree with this. Based on the prior art that was mentioned previously in this post (a few threads above at the moment). I highly doubt that the USPTO (I'm assuming) would issue a patent for this technology, or that one hasn't been issued already. If the poster has the patents he mentions, he could post links to them to establish credibility (since they're already "patented", his IP is safe).

If he doesn't have patents, though, let's not burst his bubble on being creative and inventing. Let's just call him out on questionable material.

As an inventor myself (with 0 successful patents to date), I can attest to the difficulty of obtaining a valid [US] patent. I find these patents highly questionable.

Hopefully, the poster will prove us both wrong...

Re:No patents (1)

prowley (587280) | more than 11 years ago | (#6019539)

If he is for real, he probably means he has applied for patents. FYI the USPTO have both an issues and an application database [uspto.gov] and trust me when I say, it takes years to even have applications turn up in the DB - I have some patents that were applied for 3+ years ago that still have not made it (and no, I am not a patent protagonist, but my employer is). Additionally, when they DO show up in that DB, they show the date on which they got entered NOT the application date, which is the one that counts.

Ouch! I njust bnanged my finger! (5, Interesting)

orthogonal (588627) | more than 11 years ago | (#6005450)

This does add another layer of protection, but it has some drawbnacks.

I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.

I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.

What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?) .

Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?

With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.

However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.

This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.

Re:Ouch! I njust bnanged my finger! (1)

CompVisGuy (587118) | more than 11 years ago | (#6006664)

I admit you have a point which is valid for people logging into home computers.

However, in an organisation with sys admins, it would be trivial to go to a sys admin and tell them you have an injury which means you can't log in; they can then just reset your keyprint timings -- you just re-train the system and off you go again.

A useful modification to the system would be to have it do online learning: i.e. the keyprint timings are not learned from a batch of N sample logins, but the classifier is trained on the *last* N *successful* logins. This means that the system would adapt as your typing changes.

I do have one concern, though. Computer users who are not particularly IT literate usually type with just one or two fingers in a regular STAB-STAB-STAB rhythm. They are also less likely to use secure passwords and more likely to share them with friends/colleagues. In such a situation, I think the keyprint system would not improve security appreciably.

What we really need is a way to keep data secure without relying on people following security practices which they are usually ill-informed about. Although the keyprint idea is good, I think more robust methods could be used.

Re:Ouch! I njust bnanged my finger! (1)

jmauro (32523) | more than 11 years ago | (#6020313)

Nice idea on learning, but some injuries are rather sudden. I broke my collarbone and it instantly changed my typing style. I doubt any system could learn that quickly. (and if it learns it may learn to do the wrong thing.)

It works well (4, Informative)

Pathwalker (103) | more than 11 years ago | (#6005456)

What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.

If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society [amazon.com] , and anything else on the subject written or edited by Anil Jain [amazon.com] .
(His webpage is here [msu.edu] , the webpage of his lab is here [msu.edu] ).

Dr. Jain is (IMHO) the current leader in biometric research worldwide.

Grrrr.......... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6005538)

>I used my wife as a test subject
what do you take us wives for... Lab rats????

It may not be secure. (1)

torpor (458) | more than 11 years ago | (#6005589)

But it could be used for musical applications.

Plenty of prior art in this area though, I'm afraid ...

Some users will have severe problems with this (1)

Lars Arvestad (5049) | more than 11 years ago | (#6005631)

I think this should be researched with other people than yourself and your wife... Some will have a far worse success rate than 91%. Whenever I watch my dad punch in a password, it is as if he has never seen the keys before. I am pretty sure that this idea would make him really frustrated.

Personally, I am really used to punch in my password(s) and I would not be surprised if others could imitate me simply by trying to input it very efficiently. I guess I would be able to obfuscate my password with some pauses, but I would probably make it more difficult for myself to get it right in the process.

But more research on this would be fun to see.

Re:Some users will have severe problems with this (2, Funny)

jonadab (583620) | more than 11 years ago | (#6007725)

> Personally, I am really used to punch in my password(s) and I
> would not be surprised if other could imitate me simply by trying
> to input it very efficiently.

Me too, _except_ that I use a modified keyboard layout, which makes
certain things take different amounts of time than usual. (For
example, switching between upper and lower case is faster, because
shift is under a home position on my layout. OTOH, k is rather
out of the way and generates an extra pause before or after.)

I still prefer the long-nasty-password approach. Use a password
like cEveNaughtDiVulge-canceroussGRANDpapy;rot14impreSS ionismmxi
(not my real password, of course), type it fast, and nothing but
a sniffer is going to compromise it. Yet something like that is
only barely more difficult to memorise than something traditional
like Rx7QvGOc0b. (You remember, "seven naught divulge cancerous
grandpappy rot14 impressionism xi", eight words (except rot14,
which is easy to remember because it's one more than Caesar), but
then you make minor tweaks such as elided and doubled letters and
case shifts, which your muscle memory will do for you automatically
after a dozen times typing it.)

Re:Some users will have severe problems with this (1)

nomel (244635) | more than 11 years ago | (#6009279)

what is the layout called that you're using?

Re:Some users will have severe problems with this (1)

jonadab (583620) | more than 11 years ago | (#6014142)

> what is the layout called that you're using?

I call it "Jonadabian". It's a custom layout of
my own design. I have an Avant keyboard, so I
can put any key in any position I want.

My layout is based on QWERTY, but there are some
quite important differences. Most notably, I
have shift and control under the home positions
of my left and right pinkies (respectively) so
that I don't have to hyperextend my pinkies every
two seconds. My pinkies used to hurt after a few
hours of using the computer, and now they don't.

Overall, I don't think my layout leads to more
words per minute than QWERTY (at least, not
significantly more), but I like that my pinkies
don't hurt, so I'm keeping it :-)

Here are my changes from QWERTY:
Where a normally goes is left shift.
Where ; normally goes is right ctrl.
Where left shift and capslock normally go are
both k. There is no capslock. I never use it.
Where left win/meta normally goes is [{,
and to the right of the spacebar is ]}
To the right of p is ;
Where right shift normally goes is an
extra |\ key.
Where numlock normally goes is nothing; there
is no numlock. Numlock is permanently off.
The bottom 4 function keys on the left side
(F7-F10) are shift. (This is mostly to prevent
hitting them by mistake.) The top two are the
left window/meta key (which I do need, but I
wanted it out of the way where I won't hit it
by mistake) and the menu key. (The function
keys along the top row are normal.)

There might be a couple of other changes, but
that's most of them at this point. I may make
additional improvements from time to time as I
think of ways to improve things.

Re:Some users will have severe problems with this (0)

Anonymous Coward | more than 11 years ago | (#6013335)

Si hoc legere scis nimium eruditionis habes.

So that's your password right?

No free consultation for you. (4, Insightful)

Chilles (79797) | more than 11 years ago | (#6005755)

Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only incline is to look for prior art. (which I'm pretty sure exists).

User Auditing (2, Interesting)

clambake (37702) | more than 11 years ago | (#6005760)

Instead of denying access when someone's keypresses don't match, which is a perfectly possible thing that could happen in a number of situations, just use the keypress score to alter how the system audits the user's actions. If he's under the threshold, you can send a page to your beeper, just notifying that it happened, if he's way off, then grant him only basic privileges, no root, but if he's only a little off then let him have normal access, but turn the logging on for every action he does. Most of the time he won't be an intruder, just someone who was a little sleepy that morning, but when it is an intruder, you'll be able to watch more closely and roll back any changes he makes.

yes, but... (2, Funny)

i chose quality (413813) | more than 11 years ago | (#6005764)

... not for joe l. user! try to imagine explaining grandma why she can't log in to her windows me - box with the same password she used yesterday...

or was it last week?

mortimer! how did you type 'depression' again? with a coffee break between the 'p' and the 'r'?? ;)

double security! (0)

anythings-possible-b (661958) | more than 11 years ago | (#6005926)

17:31 21/5/2546

TOPIC: security

great idea!

i wish they would put this technology into cars! so if you're drunk or drugged or whatever (not fit to drive) you just can't open the car door or start the engine *g*.
oh, and i agreed "patents are evil".
and then there are tape recorders and microphones ...

Absolutely!! (1)

icemax (565022) | more than 11 years ago | (#6006082)

Damn, I had thought of this many years ago but discarded it as a novelty. Good job!

On a side note, this will help keep me off my computer while drunk too!!

Great idea.. (0)

tka (548076) | more than 11 years ago | (#6006089)

..but doesn't work completely as previous posts have pointed out.

I think that it would be better to use a camera and iris authentication but don't let anyone get a closeup picture of you.. ;)

DUMBASS ALERT! (0)

Anonymous Coward | more than 11 years ago | (#6006183)

This is a BAD THING! I have a keyboard where the 'f' key sometimes sticks, sometimes works slowly, and sometimes is fine. Different keyboards have different rates of key-up/key-down, as well as resistance and just tactile sensations. If you're *that* bloody worried about security, buy a darn fingerprint scanner - they're about 150 euro now, right?

20 values (4, Informative)

cgenman (325138) | more than 11 years ago | (#6006716)

Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?

-C

Re:20 values (1)

mivok (621790) | more than 11 years ago | (#6008666)

Umm.. cos then Mr cracker comes in, types the password 20 times, and now the original user can't get in.

And it would be a little pointless to only allow the past 20 _successful_ inputs, because they would all match the original fingerprint and no drift would occur.

Re:20 values (1)

cicadia (231571) | more than 11 years ago | (#6009265)

And it would be a little pointless to only allow the past 20 _successful_ inputs, because they would all match the original fingerprint and no drift would occur.

To millisecond accuracy? I don't think so. The verification algorithm has to accept each correct keypress within some margin of error; they won't all be exactly the same. Then the last 20 successful samples can be averaged and used as the baseline for new verifications each time.

Mr. Cracker either doesn't know the correct keys, or will be so far off-base with regard to keystroke timing, that his attempts will not be successful, not be included in the average, and so not be able to skew the baseline.
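The rolling baseline argued over in this sub-thread (the average of the last 20 accepted entries, checked within a margin of error), combined with the graded response from the "User Auditing" comment, as an added example that is not any poster's code. The timing vectors, the 15 ms and 40 ms thresholds and every name in it are constructed assumptions.

```python
from collections import deque
from statistics import mean

WINDOW = 20        # accepted entries kept, as in the thread
NORMAL_MS = 15.0   # assumed margin of error for a clean match
AUDIT_MS = 40.0    # assumed limit for "a little off"

# Constructed timings (ms) for a 4-character password:
# hold1, flight1-2, hold2, flight2-3, hold3, flight3-4, hold4
BASE = [95, 140, 88, 210, 102, 160, 90]
IMPOSTOR = [150, 90, 150, 90, 150, 90, 150]  # right password, wrong rhythm


def sample(i, shift=0.0):
    """Constructed owner entry number i: BASE plus a deterministic
    jitter of at most +/-10 ms, plus an optional overall shift."""
    return [b + shift + ((i * 7 + j * 3) % 11 - 5) * 2
            for j, b in enumerate(BASE)]


def decide(score_ms):
    """Graded response instead of a hard deny."""
    if score_ms <= NORMAL_MS:
        return "normal"        # normal access
    if score_ms <= AUDIT_MS:
        return "audit"         # normal access, log every action
    return "restricted"        # basic privileges only, page the admin


class Keyprint:
    """Rolling timing baseline; the password text itself is assumed to
    have been verified before check() is called."""

    def __init__(self, enrollment):
        self.samples = deque(enrollment, maxlen=WINDOW)

    def baseline(self):
        # Per-feature average of the last WINDOW accepted entries.
        return [mean(col) for col in zip(*self.samples)]

    def score(self, attempt):
        base = self.baseline()
        if len(attempt) != len(base):
            return float("inf")
        return mean(abs(a - b) for a, b in zip(attempt, base))

    def check(self, attempt):
        score = self.score(attempt)
        tier = decide(score)
        # Only clean matches feed the baseline, so rejected or audited
        # entries cannot drag it toward another typist.
        if tier == "normal":
            self.samples.append(list(attempt))
        return tier, score


def drift_demo(logins=80, step_ms=0.5):
    """Owner gets step_ms faster per login; returns the tiers seen by a
    rolling baseline and the tier a frozen baseline gives at the end."""
    enrollment = [sample(i) for i in range(WINDOW)]
    rolling, frozen = Keyprint(enrollment), Keyprint(enrollment)
    tiers = [rolling.check(sample(WINDOW - 1 + k, -step_ms * k))[0]
             for k in range(1, logins + 1)]
    last = sample(WINDOW - 1 + logins, -step_ms * logins)
    return tiers, decide(frozen.score(last))


if __name__ == "__main__":
    kp = Keyprint([sample(i) for i in range(WINDOW)])
    print(kp.check(sample(20)), kp.check(sample(21, 25.0)))
    print([kp.check(IMPOSTOR)[0] for _ in range(WINDOW)][-1])
    print(drift_demo())
```

With these constructed numbers the owner drifts 40 ms faster over 80 logins without ever leaving the "normal" tier, while twenty entries in the impostor rhythm leave the stored samples untouched.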

Re:20 values (1)

prowley (587280) | more than 11 years ago | (#6019620)

Mr Cracker, young as he is, remembers reading about some ancient l33wt hacker tricks. His hacker buddies stand back in awe as he... Changes the password without typing anything 20 times.

If they have physical access you're screwed anyway (1)

User 956 (568564) | more than 11 years ago | (#6030112)

remembers reading about some ancient l33wt hacker tricks. His hacker buddies stand back in awe as he... Changes the password without typing anything 20 times.

Yeah, I remember that trick. It's called a boot disk [lostpassword.com].

I'm not sure if boot disks are "l33wt", but I know that if anyone has physical access to your machine, they can access your machine. This keystroke monitoring program is silly.

New keyboard (1)

Asgard (60200) | more than 11 years ago | (#6007196)

What about when the user sits down at a different type of keyboard; i.e. normal vs 'natural'?

patents? (0)

Anonymous Coward | more than 11 years ago | (#6007240)

You didn't do enough research. I remember reading about using type-speed as a secondary authentication system in lay journals (popular science, and Byte) back in the early 90s.


I don't always type my password at the same speed (I've got good finger memory, so I can type it fast, but I sometimes need to delete a letter or 2 :). If I mistype it (at a high speed) the first 2 times, I will type at a low speed the third time.

Won't work worth shite... (1)

jo42 (227475) | more than 11 years ago | (#6007265)

You should have done a study to see how often people type things the same way. Me, I'm a spaz and never type things the same way all the time. Especially when changing keyboards, machines, chairs, etc.

Try again...

Arthritis (3, Interesting)

Deanasc (201050) | more than 11 years ago | (#6007380)

I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.

Prior art - TI-99/4a (0)

Anonymous Coward | more than 11 years ago | (#6007388)

Gee, a patent.

Those in Australia will remember a TV show called 'Towards 2000', later 'Beyond 2000' for obvious reasons.

Anyway, one episode featured just that. I was so inspired I implemented it in Extended Basic (woohoo) on my TI-99/4a.

Hang around and I'll post the source code... or would you like to sue me first?

serious question (1)

Unknown Poltroon (31628) | more than 11 years ago | (#6007498)

What about when I'm drunk? Or injure one hand? Or haven't had coffee yet? Or need a co-worker to login as me?

Re:serious question (1)

kherr (602366) | more than 11 years ago | (#6007647)

I implemented this exact thing on Mac OS in the 1980s and we did the "what if you're drunk" test. You can't log in. In fact, being hung over or sick can also screw up the timing. Tuning it to find the acceptable threshold of pickiness is tricky.

I think it's not a bad idea, because it's based both on biometrics and something changeable (password). Any system based purely on biometrics does not allow for altering of the access "code" if it gets compromised.

Not if it's patented... (1)

sudog (101964) | more than 11 years ago | (#6007606)

...bzzzt, try again. No one will adopt it until you can offer a permanent irrevocable guarantee that you'll grant royalty-free access to the patents.

Otherwise, you're just another schmoe who thinks he's come up with something unique.

Re:Not if it's patented... (0)

Anonymous Coward | more than 11 years ago | (#6007898)

wtf are you babbling about? yer a friggin moron. people adopt all sorts of things without "a permanent irrevocable guarantee" of anything. don't you read the whining on /. man? if what you say is true then there would be no need for DMCA, etc

Input locality... Local or Remote (2, Informative)

runswithd6s (65165) | more than 11 years ago | (#6007760)

This type of biometric measurement, bogus patent claim excluding, can be useful. It is limited, however, to how the input is collected. For local machine access, it is possible, given that the OS allows access to the input device. Remote access, however, is another beast altogether. If we were to limit the use of this biometric to simple 100BaseT full duplex ethernet LANs, and if you allow for a larger standard deviation of timing, there are only a few communication protocols that you could use this test on.

Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.

SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.

Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.

So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.

Keylogging still breaks it. (1)

dasunt (249686) | more than 11 years ago | (#6008200)

I was on one of my super-paranoid thought paths the other day, and ended up trying to think of a way to restrict access.

Passwords are vulnerable to keylogging and snooping, your method would require that the keylogging/snooper timed the keystrokes - definitely in the realm of possibility. Some sort of combined graphical/mouse/keyboard login would be more difficult, but snooping/screen captures/Van Eck phreaking would do the trick. Biological measures would also be difficult, since you can be coerced into accessing the machine.

In the end, probably the best way of doing it that I could come up with was to use a laptop (integrated design makes hardware screen capture/ key logging harder, and I'm under the [possibly mistaken] impression that Van Eck phreaking would be harder with a LCD display than a CRT display), use a non-writeable boot CD and keep all data on a USB keydrive, mounted noexec. No network connection, and some sort of combined graphical/keyboard login. Then always carry a method of quickly destroying the USB keydrive. (Thermite would be a dramatic, but quick way of doing it.)

Of course, this is far from perfect, since there is always the possibility of being drugged through food/environment, then being interrogated with the USB drive out of your possession, until they have your password.

Re:Keylogging still breaks it. (1)

Zaffle (13798) | more than 11 years ago | (#6013680)

Van Eck phreaking is still possible with an LCD display. It's to do with the rhythmic timing of a PC. It's easy to spot the 70Hz (60, 80, whatever) of your monitor. Your LCD also refreshes. There are the writes to the video memory, etc.
I suppose you could say it's more difficult, but compared to actually doing Van Eck phreaking in the first place, it's only marginally more difficult. If you can phreak VDUs, you can phreak LCDs.

As for the initial problem of restricting access. If you want to ensure that nobody can be coerced into authenticating, then you'll need more than one person. preferably a committee of 11 people who hate each other. If you put a gun to my head, I'll give you all the passwords I know. So let's say I'm a good employee, and won't give out the passwords/authenticate under the threat of death, what about threatening someone I know, or love.

If humans are responsible for authenticating, then another human will be able to coerce the first one into giving access. This is why good safes and bank vaults are on a time delay. It doesn't matter how many passwords you know, the vault will still take 30 minutes to open from the time you enter the right code. The assumption being that 30 mins is a) enough time for the cops to get there, and b) that the criminals want to avoid a standoff with the cops.

Want to make a totally secure server? turn it off, bury it in concrete, and under a mountain, make sure you are the only one who knows where it is, then shoot yourself. Seriously, you can't make something that will give access only under certain circumstances, there will always be ways around it. This is why security is made up of many levels.

Ok, so let's assume that you just want a system that only YOU can access, and only if you choose (and assuming you can make a valid choice with a gun to your head). Well, first we'll encrypt everything with some pretty good encryption. That's the easy part done. Now you have a key. How to decrypt the data, with the key, without exposing the data, or the key, to any other party (call them "Eve") who are listening in.

You can't.

Take a look behind you...
At that wall over there.
Yes, that one.
See that black spot?
No, not that one, the other one...
Yes... how do you know it's not a camera, recording everything you see and do?

Ok, so let's put the screen inside goggles that you wear.. whoops, how do we know that no one has tampered with the goggles, or that they are Van Eck'ing the goggles.

It's impossible. If you come up with some solution that is very very very good, then come talk to the CIA, they'll have a job for you. If you can come up with a way around it, you'll be able to get two pay checks, the other from the NSA.

In the end it's about risk-management.
What will it cost me, or you, if whatever method I use, fails?
How much money does my adversary have?
How much money does the solution cost?
Now balance those.
If the risk is you go to jail. And you figure you can buy your way out of jail for say $20 million, and the protection will protect you for $10 million, but it'll cost $30 million to bypass, and your adversary only has $5, then you should use the solution. But if your adversary can bypass it, then you may as well just save $20 million for the times you get caught, and stick with something simple.

New password probs (1)

YrWrstNtmr (564987) | more than 11 years ago | (#6009888)

As a password ages, finger familiarity increases. You type that sequence faster than the 1st few times. Especially if it is a strong pw, and not a standard word.

At some point, you have to reset the timing. Say every n logons. But at that point, a cracker could reset the timing for you...:)

Re:New password probs (1)

keller (267973) | more than 11 years ago | (#6013977)

Just make it adaptive, and make it depend on the last n times of entering the pw. Timing cannot be reset by cracker unless the pw is already broken...

Sheesh (1)

nixman99 (518480) | more than 11 years ago | (#6010252)

You can pay to get two patents but can't spring for a couple of keyboards?

You are not everyone (2, Interesting)

KurdtX (207196) | more than 11 years ago | (#6012179)


This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp). What about if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.

And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.

Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.

Re:You are not everyone (1)

lovebyte (81275) | more than 11 years ago | (#6014219)

I'm often eating or doing something else while I'm on the computer,
Yeah, pr0n sites do that to me too.

I might have a burrito in my hand
That's the way you call it?

Oh Goody - more patents (1)

Foredecker (161844) | more than 11 years ago | (#6012534)

That idea is so obvious as to be painful. It isn't novel or original at all. If you really have patents on this then the patent office was smoking crack that day. I read about this being done YEARS ago. Didn't you do some research into prior art? Remember, computing existed LONG before Google. Go look in the library - perhaps look through old ACM Journal - DO SOME HOMEWORK then go work on something really novel.

Just because you can do it, doesn't mean you should get a patent on it.

my thesis (2, Informative)

himynameisbrak (619466) | more than 11 years ago | (#6014309)

I did a summer research project implementing this kind of a system using a neural network. The professor with whom I worked had patents on the system he had developed with one of his Masters students back in 1990/91. They are published. But, of course, the patent is for the *implementation* of the idea, not the idea itself. The idea has, as many have thankfully testified, been around since keyboards.

My work was to improve the results using a different neural network. I later used this work as the basis for my thesis. I didn't quite achieve the results I was hoping for, but my test samples were small. I am also published.

My research was purely academic. I distributed the source code to my implementation. I used an open-source implementation of an ART2 neural network. So, my entire project can be picked up where I left off and continued.

Your affinity for patents is rather silly at this stage of the game and you probably wasted a lot of money on those patents. Your implementation sounds rather simplistic, as well. In my extensive literature survey, statistical methods *always* lagged neural networks in their results. If you want to see my literature survey, it is in the IJCIA:

http://www.worldscinet.com/157/02/0202/S14690268 02 00052X.html

(I know, you would have to pay. Use this info to find it at a library.)

Oh yeah, I also implemented it in Java for my senior project and got lousy results because you can't get millisecond timing accuracy from that technology. The other implementation is in Tcl/Tk.

Finally, to address all the brilliant observations like "what if you hurt your hand?" or "what about logging/network attacks?". Yes, obviously this has limited application. In fact, my senior project combined this approach with Java iButtons. And yes, there will always have to be a backup authentication method, with a human involved, OR this is stealth authentication, allowing any typing style to get through, but triggering a warning if it doesn't match.

Jason

Dogwalker (1)

jmb-d (322230) | more than 11 years ago | (#6015054)

Nope -- not good, for a variety of reasons listed in other posts.

Reminds me of a story by Orson Scott Card [hatrack.com] called Dogwalker [frescopictures.com]. The protagonist is someone who groks passwords. He ends up caught because he got a password correct on the first try, which the owner never ever did.

patents? (1)

perlchild (582235) | more than 11 years ago | (#6016058)

I'm not sure I like the idea that you're not sure about the validity, from a security standpoint, of the concept, but you've already patented it

I'm answering you with a broken wrist today (1)

John Penix (562591) | more than 11 years ago | (#6017485)

So you'll forgive me for briefly commenting, because I have to type very slowly.

Actually, that should answer your question.

Not a good idea (0)

Anonymous Coward | more than 11 years ago | (#6017863)

If we all start Using Password "Keyprints" as Another Form of Authentication, pretty soon someone will catch on, and we'll have to change to something more obscure like "K3ypr1nts".

It's a cute idea. (1)

Stargoat (658863) | more than 11 years ago | (#6018654)

However, I cannot think of anyone really paying for it in its current format. Finger print ids, keypads, that sort of thing, would be the choice of most.

Doesn't mean it doesn't have other applications though. Sounds like it might be a better measurement of typing speed than what most use. Perhaps it could add complexity to games as well.

Wasted money... (1)

rulethirty (673757) | more than 11 years ago | (#6023236)

Well at least I know I'm not the only one who wastes money on worthless ideas...

more prior art... (1)

rkww (675767) | more than 11 years ago | (#6037140)

These people [biopassword.com] state that their 'patented keystroke dynamics technology, a proprietary algorithm to make biometric measurements of a keyboard user's individual typing rhythm' was originally developed by SRI between 1979 and 1985. 'Today, the company has re-engineered keystroke dynamics into a software only biometric solution for user authentication in modern computers.'

Those Who Do Not Do Research... (1)

SEWilco (27983) | more than 11 years ago | (#6047110)

Those who do not know history are doomed to patent it. [To acquire or issue patents]

As others have mentioned, morse code users recognized the style of each other's signals a long time ago. Typing patterns have been used in various ways also; one of the less obvious was in decoding typed documents through spy transmitters which provided recorded audio of typing. Of course, Turing test tools have done the reverse when a computer emulated human typing for the purpose of seeming to be a human typist. An obvious extension of the concept were the several writing pattern devices which measure pen pressure, speed, and/or acceleration during a signature. Several of these have also been used in fiction over several decades, but "Seven Days of the Condor" contains the major example of fiction idea searching and I'm not aware of a central source (unless The Encyclopedia Of Science Fiction has relevant index entries).

I will note that acquiring patents and then asking Slashdot to do your prior art search is a novel approach. Have you patented this?
