Tactile Passwords vs Shoulder Surfing

CmdrTaco posted more than 7 years ago | from the does-that-eve-nwork dept.

holy_calamity writes "Entering passwords using a tactile interface would remove two of the main vulnerabilities of using keyboards and alphanumeric passwords, say UK researchers. They're using sequences of tactile icons on a VTPlayer tactile mouse instead. Shapes are displayed using the 16-pin tactile displays under the user's fore and middle fingers. As well as being almost impossible for anyone else to observe, tactile passwords can't be guessable in the same way as many conventional ones, they say. A video shows it all in action." Not that the video really helps explain it very well.

115 comments

lol omfg u r teh sux (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16362767)

fp

love always,
news for turds

Impossible? (1)

cerberusss (660701) | more than 7 years ago | (#16362781)

being almost impossible for anyone else to observe
Except for Superman...

Re:Impossible? (2, Funny)

twistedsymphony (956982) | more than 7 years ago | (#16363041)

Yeah but can Superman properly identify a Kitten [kittenauth.com] ?

Re:Impossible? (3, Insightful)

durnurd (967847) | more than 7 years ago | (#16364109)

If you've got Superman trying to steal your password, I think you've got bigger problems than an insecure password.

special tactile mouse needed .. (3, Interesting)

rs232 (849320) | more than 7 years ago | (#16362787)

You don't need any special tactile mouse. The same could be achieved using a clickable image map showing a keypad with the numbers in random locations. You get a different map each time you enter the site. So keyloggers wouldn't be of any use.

Re:special tactile mouse needed .. (3, Insightful)

The Evil Couch (621105) | more than 7 years ago | (#16362805)

However it would be clearly visible to anyone looking over your shoulder. Even more so than the traditional keyboard password entry.

Re:special tactile mouse needed .. (2, Insightful)

rs232 (849320) | more than 7 years ago | (#16362907)

"However it would be clearly visible to anyone looking over your shoulder. Even more so than the traditional keyboard password entry."

Actual pin is 1234

Standard keypad layout ..

789
456
123

The screen shows ..

251
369
847

You click on 8473. The next time round it's a different keypad layout.

Re:special tactile mouse needed .. (1)

Arimus (198136) | more than 7 years ago | (#16362973)

Why not replace the fixed labeled keys with keys with microscreens and change which key is which each and every time - then put a screen around the keyboard so that when you stand behind/next to someone the angle of view is such that you can not make out the legends... then knowing the pattern of keys is useless.

Re:special tactile mouse needed .. (2, Interesting)

ConceptJunkie (24823) | more than 7 years ago | (#16363143)

I worked for a company, now part of Honeywell, that made access control keypads that work exactly how you describe. It was a really good product, but for the life of me, I can't remember the name of it.

Re:special tactile mouse needed .. (1)

Monsieur Canard (766354) | more than 7 years ago | (#16363415)

Hirsch makes these, I think they call them Scramble-Prox or something like that. You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.

Re:special tactile mouse needed .. (1)

rs232 (849320) | more than 7 years ago | (#16363501)

"You present your badge and then enter a PIN on a keypad that scrambles the layout after each user."

Another good idea I should have patented ..

Re:special tactile mouse needed .. (1)

ConceptJunkie (24823) | more than 7 years ago | (#16363777)

Thank you. Hirsch was one of our clients and the one for whom I worked. I even went there in 2001. They are nice folks with some neat products.

Are you allowed senior moments when you are only 41?

Re:special tactile mouse needed .. (1)

Monsieur Canard (766354) | more than 7 years ago | (#16363911)

I certainly hope so being 41 myself. If we're not then I'm going to blame it on all the brain cells that valiantly gave their lives so that I might drink in college.

Re:special tactile mouse needed .. (1)

ConceptJunkie (24823) | more than 7 years ago | (#16364535)

The problem is that I didn't drink all that much in college. I'm finding more and more that while my memory doesn't seem to be really decreasing, it takes me significantly longer to pull up names (especially of places or people) that I haven't thought of in a while. I also have the attention span of a gnat when it comes to appointments and other mundane details, but I can't blame that on age, as I've always been that way. I was late for my own birth.

Re:special tactile mouse needed .. (1)

Fred_A (10934) | more than 7 years ago | (#16368149)

You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.
Much more simple would be using wheels driving the display of numbers ( a bit like on luggage) and a "validate PIN" button. The terminal could reset the values to something random (or to 0000 or whatever) as soon as the validate key has been pressed.

That would make it very hard for an onlooker to read, especially with recessed displays.

Re:special tactile mouse needed .. (2, Interesting)

Peyna (14792) | more than 7 years ago | (#16364133)

The federal building I work in has these keypads on every secure door within the building. (Exterior doors have manned guards and RF card access for employees).

Another nice feature is that the numbers that are randomly displayed in different places are only visible when viewed straight on; so the guy standing next to you might see where your fingers go, but he won't see what number was displayed on that key at that time.

Re:special tactile mouse needed .. (1)

Peyna (14792) | more than 7 years ago | (#16364179)

ScrmablePad [hirschelectronics.com] .

Re:special tactile mouse needed .. (1)

Tordek (863609) | more than 7 years ago | (#16364439)

Wow, you even scrambled the letters to show an example!

Re:special tactile mouse needed .. (1)

ConceptJunkie (24823) | more than 7 years ago | (#16364811)

These are great devices and are used in a lot of places around the U.S., including some of our major airports. I haven't been involved with Hirsch in over 4 years, but I always figured they'd be around for a long time. It's not particularly high-tech, but it's solid, flexible technology, which after all, is all anyone should really want.

Re:special tactile mouse needed .. (2, Insightful)

whyloginwhysubscribe (993688) | more than 7 years ago | (#16363171)

Like an Optimus Keyboard [artlebedev.com] ?
I can't help but think that it would take too long to find each individual key. I suppose they could just display the numbers that are in your PIN and perhaps put them in the correct order so that it would be easier to find them.
Why don't they ask for just 2 or 3 numbers from your PIN, like the way they do on online banking systems? Works well for me...

Re:special tactile mouse needed .. (1)

Tim C (15259) | more than 7 years ago | (#16363599)

I'm shoulder-surfing you.

Actual pin is 1234

I don't know that.

Standard keypad layout ..

I know that.

The screen shows ..

251
369
847


I can see that.

You click on 8473.

I see that.

The next time round it's a different keypad layout.

But that doesn't matter, because the first time round I mapped 8473 to 1234 in my head as I watched you do it.

This is security through obscurity; it relies on one or both of:

1) me not realising that the keypad represents the "normal" numeric keypad, mixed up
2) me not being able to perform the reverse of the mapping you're doing to enter your PIN.

1) is solvable by my simply perusing the site, even if I don't guess. 2) isn't a reasonable assumption to make about most people.
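The scrambled-keypad exchange above (PIN 1234 entered as 8473), as an added example that is not part of the original thread: a Python model showing that the clicked labels differ from session to session, yet an observer who also sees the displayed layout recovers the PIN from a single login. The function names and the row-major string encoding of the keypad are assumptions made for illustration.

```python
import random
import secrets

# Row-major reading of the "standard keypad layout" quoted in the thread.
STANDARD = "789456123"


def new_layout(rng):
    """Return a freshly scrambled 3x3 keypad as a 9-character string."""
    labels = list("123456789")
    rng.shuffle(labels)
    return "".join(labels)


def clicked_labels(pin, layout):
    """Labels the user clicks: whatever is shown where each PIN digit
    sits on the standard keypad (1234 -> 8473 in the thread's example)."""
    for digit in pin:
        if digit not in STANDARD:
            raise ValueError(f"digit {digit!r} is not on the 1-9 keypad")
    return "".join(layout[STANDARD.index(d)] for d in pin)


def recover_pin(layout, clicked):
    """Invert the mapping, as an observer who saw the layout and clicks can."""
    return "".join(STANDARD[layout.index(c)] for c in clicked)


def simulate(pin, sessions, seed=None):
    """Run several logins; return (layout, clicked, recovered) per session.

    seed is only for reproducible demos; with seed=None the layout is drawn
    from the OS CSPRNG, as a real scrambling keypad should do.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    results = []
    for _ in range(sessions):
        layout = new_layout(rng)
        clicked = clicked_labels(pin, layout)
        results.append((layout, clicked, recover_pin(layout, clicked)))
    return results


if __name__ == "__main__":
    # The thread's own numbers: screen shows 251/369/847, PIN is 1234.
    print(clicked_labels("1234", "251369847"))
    print(recover_pin("251369847", "8473"))
    # Constructed sessions: clicked labels vary, recovered PIN does not.
    for layout, clicked, recovered in simulate("1234", 5, seed=1):
        print(layout, clicked, recovered)
```

The scrambling only helps against an observer who captures the entered values without the layout; hiding the layout from bystanders (a shield or narrow viewing angle, as other posters describe) is what addresses shoulder surfing.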

Re:special tactile mouse needed .. (1)

rs232 (849320) | more than 7 years ago | (#16364435)

"This is security through obscurity"

Well, yea, the method fails the logic test. Another poster mentioned a real keypad that scrambles the numbers. With a shield around the keypad then I would assume that shoulder-surfing wouldn't work.

Re:special tactile mouse needed .. (1)

Mister Whirly (964219) | more than 7 years ago | (#16366335)

Or you can use the low-tech method I use - I cover the keypad with the hand that isn't entering the PIN. Or, position yourself so that only your back is visible to the person behind you. Sometimes people give me strange looks, but screw it - I'd rather be paranoid and have money in my bank account than overly trusting and broke.

Re:special tactile mouse needed .. (1)

way2trivial (601132) | more than 7 years ago | (#16363353)

uh- no ING uses this for login, it looks like a keypad, but the letters (more than one to a box) move around per login

so you are presented with a grid of letters over nine boxes about three in each box. and you click your letters...
asterisks appear in the box- what they represent, a shoulder surfer couldn't know.

if my pinword is "spaghetti" then I click boxes to follow that word, next time- it'll be different boxes.

Re:special tactile mouse needed .. (1)

chalkyj (927554) | more than 7 years ago | (#16362837)

The same could be achieved using a clickable image map showing a keypad with the numbers in random locations.

TFA says that they're looking into using it for ATM machines. An image on an ATM machine would be considerably less secure than a keypad type device.

Re:special tactile mouse needed .. (0)

Anonymous Coward | more than 7 years ago | (#16362933)

They NEED it for ATMs so they can do fingerprint scans on everyone who uses it. Don't you know the government wants to track everything (except elections)

Re:special tactile mouse needed .. (2, Funny)

Mr. Mindless (259403) | more than 7 years ago | (#16363177)

using it on Automatic Teller Machine machines?

good god it's brilliant!

they could be connected via Network Interface Card cards!

Re:special tactile mouse needed .. (1)

jacksonj04 (800021) | more than 7 years ago | (#16363941)

Easy mistake to make though. "ASP page" is the correct use of the acronym ASP, even though it actually means "Active Server Pages page".

Re:special tactile mouse needed .. (1)

Fred_A (10934) | more than 7 years ago | (#16368191)

Actually it only works on automatic ATM machines when you enter your personal PIN number.

Re:special tactile mouse needed .. (2, Insightful)

sxpert (139117) | more than 7 years ago | (#16363075)

that pretty dumbass comment doesn't take into account that some people are blind, thus can't see the pretty pictures on the stupid screen

Re:special tactile mouse needed .. (1)

rs232 (849320) | more than 7 years ago | (#16363163)

"that pretty dumbass comment doesn't take into account that some people are blind", sxpert

OK, it was just a suggestion, the idea probably needs a little more work. How do the visually impaired use the VTPlayer when they have to ..

"a user moves the mouse over a grid of nine blank squares displayed on a computer screen"

Re:special tactile mouse needed .. (0)

Anonymous Coward | more than 7 years ago | (#16363195)

Oh but who cares about the minority? Fuck the minority.

I can't even view the damn video, and I'm not even blind!

Hello, you either have JavaScript turned off or an old version of Macromedia's Flash Player. Click here to get the latest flash player.

Hello, Macroshitia Flash is not available for my platform, fucking gnash can't play it, and fucking mplayer can't play the fucking .flv because it's fucking compressed. Click here to see pictures of women eating shit.

I'm a masochist.

Re:special tactile mouse needed .. Blind people (1)

yvedb (874208) | more than 7 years ago | (#16364093)

Don't forget the blind people. They must be able to sense the '5' key. It's a requirement when designing a payment terminal.

Re:special tactile mouse needed .. (1)

Spurion (412996) | more than 7 years ago | (#16365113)

Do you actually know your PIN? I just remember the shape of the key sequence I need to press - it's all in "muscle memory". I have to think quite hard to know what the actual numbers are so I'd be pretty much stuck with the interface you suggest :)

Onscreen keyboards have already been defeated.... (1)

merreborn (853723) | more than 7 years ago | (#16365465)

...by malware.

http://www.boingboing.net/2006/09/18/onscreen_banksite_ke.html [boingboing.net]

"The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.

The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when using the virtual keyboard, so that he gets the username and password without going into further trouble."

Sure, last gen keyloggers won't capture passwords entered via this interface, but the current gen sure will.

How could the video explain it? (5, Funny)

badfish99 (826052) | more than 7 years ago | (#16362813)

No wonder that the video does not help to explain it very well. TFA says "it is almost impossible for anyone else to observe"

Re:How could the video explain it? (1)

TechForensics (944258) | more than 7 years ago | (#16363359)

This appears to work by giving tactile feedback when your mouse cursor touches one of the password elements (squares) so you click there and not elsewhere. At least, that's the simplest way I can imagine it would work.

Re:How could the video explain it? (1)

Kijori (897770) | more than 7 years ago | (#16363899)

That wouldn't work - that way anyone could do it! There is tactile feedback for every square - you have to identify the particular pattern of pins that represents each 'digit' of your PIN.

And youtube (1)

Gr8Apes (679165) | more than 7 years ago | (#16362817)

suffers a melt-down @ 8:35am EST on Monday morning.

Re:And youtube (1)

solevita (967690) | more than 7 years ago | (#16362891)

I'm not so sure: YouTube has one of the biggest tubes of the whole internets, the clue's in the name.

Re:And youtube (1)

Speare (84249) | more than 7 years ago | (#16363049)

Oblig: YouTube is not like a truck you can just dump a bunch of video on.

How do you figure that the demand on one boring nerdy video at 8:35am EST Monday is going to somehow be more than the demand for five thousand videos of a pair of mock-slutty half-drunk teen girls singing Britney songs in their kitchen, viewed at 8:35pm PST Thursday evening?

Re:And youtube (1)

aplusjimages (939458) | more than 7 years ago | (#16363157)

. . . a pair of mock-slutty half-drunk teen girls singing Britney songs in their kitchen . . .

Link please. I've got to see this.

Too easy (1)

DeadCatX2 (950953) | more than 7 years ago | (#16363921)

Mock-slutty half-drunk teen girls singing Britney Spear's Do Somethin' [youtube.com]

Okay, I dunno if they're half drunk, but they are two mock-slutty girls singing a Britney song.

What do you expect? I just did a youtube search for britney lip sync. You'd be surprised how many guys lip sync to Britney Spears; I had to scroll down pretty far.

if we are going to add new hardware (0)

Anonymous Coward | more than 7 years ago | (#16362823)

then there are better ways to do it.

Also vulnerable to all other methods to obtain passwords except over the shoulder,

Whistler: Fellas, Janek's little black box is on his desk between the pencil jar and the lamp.
Mother: Uh, Whistler, I hate to tell you this, but you're blind.

Er... (2, Insightful)

tygerstripes (832644) | more than 7 years ago | (#16362885)

Well... it is an interesting concept, and I like how they've made it work. Thing is, the problem is never the system, but the people using it. Shoulder-surfing should be nigh-on impossible when the user touch-types at anything approaching a decent speed - it's the two-finger-jabbers who make it easy. The passwords themselves are only easy to guess because people are total gimps.

Cool though this tech is, there is nothing so clever that fools can't render it worthless.

Augmented shoulder surfing (1)

StupidKatz (467476) | more than 7 years ago | (#16362941)

In the case of normal humans, I agree with you regarding shoulder surfing not being a horrible problem.

However, with the arrival of smaller and smaller video recorders, this could indeed be a decent solution for those forced to use passwords at terminals in (more) public places.

Though, the smaller entropy pool would likely become a problem if measures aren't taken to counter brute-force attacks...

Re:Augmented shoulder surfing (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16368181)

There's an additional two things I do other than touch-typing to throw people off: I use Dvorak, and I (used to) have a five-second timeout on a password that takes me 2 and a half seconds to type. If someone got my password, they almost certainly couldn't type it fast enough.

Re:Er... (1)

bomb_number_20 (168641) | more than 7 years ago | (#16363329)

I agree that it's mostly the people using the technology as opposed to the technology itself. Sometimes the environments aren't very well thought out, though.

I always pay attention at ATMs and public terminals. I've noticed that 1) most people make absolutely no effort to hide their keystrokes and 2) most establishments make no effort to hide the little pad people use to enter their passwords or PIN. The absolute worst are those internet cafes that put people with their backs to a street-facing window so that anyone walking by can happen across private information. Further, the little 'ding' sounds that the ATMs make when you hit a button can help clue a listener in as to what the pin might be. When you hear someone type 'ding ding ding ding' in rapid succession, it's a pretty safe bet that they are typing the same number 4 times. If you somehow get their card and are guessing at their PIN number, that alone considerably reduces your pool. I don't think it's really _that_ big a deal, but I always thought they should remove the sounds from those things.

Sometimes how you type is as important as what you type. It sounds stupid but, if I'm in a public place, I usually mistype my password on purpose. I do it in hopes that a combination of wrong keystrokes, backspace characters and fast typing will throw someone off who may be watching and listening to the click of keystrokes. Not that what I'm typing is ever that important anyway, but every bit of noise helps.

Typical IT response: blame the user. (1)

jotaeleemeese (303437) | more than 7 years ago | (#16363805)

We praise ourselves of being very fluffy clever, nevertheless we haven't squared a simple solution to the authentication problem.

Or maybe there are no simple solutions, but people that are not familiar or comfortable with IT should not be denigrated for solutions that are clearly inadequate, difficult, or both.

Re:Typical IT response: blame the user. (1)

tygerstripes (832644) | more than 7 years ago | (#16364737)

I'm more of a user than a professional, and it still galls me what the IT support guys have to put up with (and what we have to put up with from them, but that's a different issue). The policy on passwords is clear: we're told how and why to keep our passwords secure and difficult to guess, and it's pretty much common sense anyway. It's easy to bleat that "fools will be fools", but that doesn't mean they don't deserve berating for their own stupidity. They're the first to moo when things go south, and they won't entertain the thought that it might be their own fault.

It's not a car manufacturer's responsibility to ensure that drivers obey basic safety rules on the road. They can put in airbags, ABS, intelligent wipers, whatever they want to make the user safer - but if a user drives into a tree, they drive into a tree. Metaphorically. So it is with account safety. The rules are there, everyone knows them, but when people get complacent there's nothing you can do. *pant pant*

Re:Er... (1)

slocan (769303) | more than 7 years ago | (#16365819)

Maybe developing a new password input device is easier done, than changing people's habits.

Shoulder surfing? (4, Funny)

AnimeDTA (963237) | more than 7 years ago | (#16362901)

Being bored at work, I took up using the Dvorak keyboard layout. My passwords however retain the same unconscious keyboard patterns as they did on a standard keyboard. Without even thinking of what my password is I can type it. For a while I didn't even know what my own passwords were... this proved to be a problem when I had to check email and wasn't at my computer. But it definitely ends the shoulder surfing for passwords.

I ended up typing my passwords a few times in notepad and memorized the gibberish that is my password now. Other than that I'd have to be trying to know what my fingers are pressing when I go into password mode.

Re:Shoulder surfing? (2, Insightful)

140Mandak262Jamuna (970587) | more than 7 years ago | (#16363113)

What you just have one password? One password for all your accounts? The same password for the accounts in your work, for your accounts with your bank and brokerage account, and for the web mail and for the rarely visited "registration required" sites? That is insane.

My personal password policy: I have four kinds of passwords. The highest and most secure ones are for the work accounts and my financial institutions. The next ones are for the web merchants who know my mailing address and credit card numbers. The third kind is the one where there is no money involved and thus not attractive to hackers like my webmail or slashdot. The fourth one is for home network, the router, the dsl PPPoE account, home machines administrator passwords.

No two accounts I have use exactly the same password. Even if a bent sys admin snags my password, he/she can't damage anything more than that account.

Re:Shoulder surfing? (1)

masterzora (871343) | more than 7 years ago | (#16368687)

Given all the references to "passwords" in the GP, I'd take it that he is also using multiple passwords.

not enough bits (1)

kwikrick (755625) | more than 7 years ago | (#16362929)

16 mechanical pins, that is 16 bits of information, two bytes, typically equivalent to two ASCII characters. Most passwords are required to be at least five characters. Add to that the fact that many pin-combinations are not useable because they are hard to distinguish, I would guess that amounts to maybe a few hundred useful passwords. Not so secure then is it?

Re:not enough bits (1)

sciscitor (798043) | more than 7 years ago | (#16362983)

The 16 mechanical pins are used to create the braille characters, you don't poke them down individually to create your password. Check out the video or the article, they help. On another note, I think that something like this is a major advantage in defending against password theft through video recording as most of the action is happening under your fingers and is therefore impossible to intercept.

Re:not enough bits (1)

kwikrick (755625) | more than 7 years ago | (#16363073)

you are right, but this only makes it worse! The article mentions nine blank squares on a screen from which to choose. That means if I steal someone's ATM card, and if I get three chances (as is the case now with typing a PIN code) to guess the right square, that means I have 33% chance to hit the jackpot!

Obviously, having more squares reduces the chance of successfully guessing the password, but scanning lots of squares with a tactile mouse will take for ever.

The best solution I can think of is to have only two squares on the screen at the same time (left and right), and you have to 'enter' a sequence by choosing left/right a number of times. Hmmm, that might actually work.

Re:not enough bits (0)

Anonymous Coward | more than 7 years ago | (#16363289)

FYI: You have more than one screen.

AKA:
897
153
426
then
589
632
471
then
321
549
687
So you can type in normal numeric passwords but it's time consuming.

Re:not enough bits (1)

mxolisi06 (1009567) | more than 7 years ago | (#16363307)

From TFA:
The sequence of tactons and squares is randomised each time
So for each try you always have 1/9 chance to hit the jackpot, no matter how many times you try.

With this system, the number which you should compare to the 8 bits character for traditional passwords would be the number of tactile patterns your finger is able to recognise (at least as many as braille characters ?) This number would then be multiplied by the number of patterns you have to recognise (4 in their experimental set-up).

Re:not enough bits (1)

Gemini_25_RB (997440) | more than 7 years ago | (#16363327)

I think the idea was that you are inputting a password (the normal 5+ characters) except that you can't see what you're inputting, you can only feel it. Your password could still be 1-2-3-4-5, which means you float your mouse over the nine boxes looking for the one that causes only one bump to pop up on your mouse. You click that box. Then you do the same for the next number, and so on, and so forth.

I must say, however, that this will be quite time consuming. I'm not sure if the boxes reset after every input (which they probably should, that way duplicates are easily detected), but that would definitely magnify the time needed.

Yet again something that won't work for everyone (1)

PrescriptionWarning (932687) | more than 7 years ago | (#16362947)

This obviously won't work for someone without the use of both hands, or who has the feeling removed from their hands (a stranger?). However the biggest problem I would see is for the everyday person who may not be able to tell enough of a difference between each touch thingy to be able to enter their touchcode reliably a majority of the time. Though I suppose we'd learn if we had to, it just seems that the main reason why the blind get really good at reading braille is because they don't have a choice, not to mention they have a lot more processing power from their brain going to their other non-visual senses.

Nice approach (1)

suv4x4 (956391) | more than 7 years ago | (#16362969)

This device is a very nice and tender approach to a problem.

Sort of like killing a fly with a bulldozer.

Bring back numeric karma (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16362979)

Listen up bitchez, it's time to bring back numeric karma. Who's with me!?

The wrong approach (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16363005)

Once again you guys have it all wrong, it's not about what tech is used to enter a password, but how you enter it. When at an atm (I was told slashbots like more than one type of atm) turn round, anyone too close to you, tell em to back the fuck off, mean it, be threatening. Oh wait no that requires self confidence, computers can't teach you self confidence, so that probably would not work for you slashbots.

Re:The wrong approach (1)

TheVelvetFlamebait (986083) | more than 7 years ago | (#16363519)

I like the point. Hate you, but like the point.

Parent is so self confident... (1)

hkmwbz (531650) | more than 7 years ago | (#16363533)

...he decided to show off how cool and tough he was by posting anonymously at Slashdot!

Re:The wrong approach (1)

SynTruth (1011179) | more than 7 years ago | (#16363573)

...sure they can. I used to be very shy and withdrawn back in the late 80's and early 90's. Once I got online, got social on USENET, IRC, and such, it helped me develop -how- to be social offline as well. Doesn't replace true meatspace social aspects, but at least for me, computers -did- help me be assertive and have confidence in my interactions.

Re:The wrong approach (0)

Anonymous Coward | more than 7 years ago | (#16363991)

Hey Dude. Back off!

See. It can be done on Slashdot too :P

Conflict (1)

suv4x4 (956391) | more than 7 years ago | (#16363025)

Anyone else see a conflict between those two statements:

...being almost impossible for anyone else to observe..... ...A video shows it all in action...


I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.

That could make it hard to quickly enter a password even if you know it.

-------

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help.

It won't help to protect you from your competitor or a black hat hacker who installed spyware on your PC.

Re:Conflict (2, Insightful)

mxolisi06 (1009567) | more than 7 years ago | (#16363439)

I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.
In actual situations, as the name "tactile" suggests, the user's fingers will lay on the pads, so nothing will be observable.

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help. It won't help to protect you from your competitor or a black hat hacker who installed spyware on your PC.
It seems to me that this method does protect from keyloggers. First, you'd need a mouselogger, since login isn't done via keyboard. But the thing is you'd need access to the piece of memory that maps the 9 squares to different tactile patterns, because the mapping changes each time. In short, you'd need root access to the machine, and then you don't need to guess the password anymore...

Re:Conflict (0)

Anonymous Coward | more than 7 years ago | (#16368467)

Actually, you only need access to a mouse-logger. Something has to send the tactile pattern to the mouse. All you need to do is log the pattern that was present at each click. Sorted.

This is still just 'something you know' that you are telling to the computer, which you trust explicitly. It has the benefit of not being visible to passers by, but is still broken.

The secure authentication system will not run any general purpose code, will be able to identify itself to the user, and will be used for authentication only, not financial entry or gameplaying.

Re:Conflict (0)

Anonymous Coward | more than 7 years ago | (#16364285)

The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help.

man, if my boss was threatening to "peak" over my shoulder, i'd just tell him the damn password.

Crazy idea (1)

Ice Wewe (936718) | more than 7 years ago | (#16363053)

This will sound crazy. But, I recently saw a review for a keyboard that had little organic LCDs for each key. Now, I'm not saying that's a good idea, in fact, it sounds like a huge waste of energy. However, you could do what other people are suggesting, and that is change the key map each time, and have those little screen personal protector things on it. I forget what they're called, but you can buy them for your PC, and laptop, monitor, and it will reduce the viewing angle to the person sitting immediately in front of them. Hence, you can see your keyboard, but no one else can.

Re:Crazy idea (1)

mackyrae (999347) | more than 7 years ago | (#16364921)

http://www.artlebedev.com/everything/optimus/ [artlebedev.com]

That'd be the Optimus. I like it for the simple fact of not having to poke around trying to learn where the keys are when typing in foreign languages. It makes doing much easier. That being an example. was the only of the 3 letters that I found without 5+ attempts.

The gamers I know like it because they said not all games follow the standard commands (e=enter...I think?), so having them change on the keys depending on the game would make it easier. I don't know many gamers who look down at their hands while playing though.

And once again... (1)

Penfold1234 (920794) | more than 7 years ago | (#16363179)

... no one has thought of the lepers.

My Solution (3, Funny)

thorkyl (739500) | more than 7 years ago | (#16363245)

Let's just put small DNA testers on each PC.

Then all you have to do is stick something in the hole to donate a blood sample.

--
Stupid people breeding has led us to the current government

Re:My Solution (1)

Aqualung812 (959532) | more than 7 years ago | (#16363429)

Then all you have to do is stick something in the hole...

You just put down the red carpet for the one-liners...

Re:My Solution (1)

mackyrae (999347) | more than 7 years ago | (#16364973)

There are fingerprint-scanning computers. One of my roommates has one on her laptop.

Mmm.... tactile.... (2, Funny)

john-da-luthrun (876866) | more than 7 years ago | (#16363305)

I dread to think what the "tactile" password for a pr0n site would be like...

Re:Mmm.... tactile.... (1)

einnar2000 (985070) | more than 7 years ago | (#16364395)

There will be a whole new industry formed..

A tactile mouse shaped like.. you guessed it.. a breast.

Easier solution (3, Interesting)

3Suns (250606) | more than 7 years ago | (#16363357)

I've always made sure that my passwords contain a string of easily-typable letters consisting primarily of alternating-hand homerow keys, to complement the numbers, punctuation, and capitalization elsewhere in the password. Since you can tap out those letters so quickly without moving your hands around dramatically, it makes it much more difficult for anyone to eyeball your password.

I've seen countless stories about dedicated password-entry hardware, but none of them (with the minor example of insecure fingerprint scanners) have made an impression. Purpose-dedicated hardware rarely does.

Re:Easier solution (2, Funny)

frenchbedroom (936100) | more than 7 years ago | (#16364027)

You sir are correct, this is the way to go when creating a password.

Me, I have yet another layer of protection : my keyboard is labelled in standard French Azerty, but I use a French Dvorak layout (I have no need to change the labels since Dvorak layouts are designed for touchtyping).

It's very funny when the co-workers try typing stuff with my keyboard :) For example, this is "Hello, World!" typed as if my keyboard was Azerty :

Cpnnlq Àloniw
(funnily enough, that's also "Hello, World" in Gaelic. Ba-da, dum.)

Memory. (1)

dohzer (867770) | more than 7 years ago | (#16363371)

Won't these types of access codes be even harder to remember?
Imagine these at a job where you're forced to change codes regularly.

And the time wasted ? (2, Interesting)

aix tom (902140) | more than 7 years ago | (#16363433)

> On average, the volunteers took 38 seconds to log on

So now I need about 4 to 5 seconds to log on. (Just tested it)

Considering that the system needs a special mouse and a special login interface, too, why not get a mouse with a finger print reader and use that login interface?

I would also imagine Joe User will be trained faster to "put your finger there, dude", than to feel and remember the tactile pattern.

Re:And the time wasted ? (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16368241)

I would also imagine Joe User will be trained faster to "put your finger there, dude", than to feel and remember the tactile pattern.

Won't work. The whole point, I think, is that the grid changes, but the code stays the same. Therefore, you can only tell where the "key" is by touching it. This is also why it's immune to shoulder surfing.

Fingerprint (1)

maxrate (886773) | more than 7 years ago | (#16363437)

I'd say a lot of office users use the same password all over the place (although they shouldn't). IBM's finger print reader on the notebooks gets rid of the shoulder surfing password issue to some degree. This helps reduce casual password 'lifting' I'm sure. Does the fingerprint reader count as a tactile interface?

Image from the site (0)

Anonymous Coward | more than 7 years ago | (#16363459)

http://www.virtouch2.com/images/Playing_Space_War.jpg [virtouch2.com]

Is it me, or does that guy's shirt say "LOL Bear"?

Re:Image from the site (1)

kni52 (598886) | more than 7 years ago | (#16363747)

According to the article, that is a "young lady". LOL BEAR would make a great shirt though.

Got rhythm? (3, Funny)

bromoseltzer (23292) | more than 7 years ago | (#16363661)

As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

Re:Got rhythm? (1)

smithmc (451373) | more than 7 years ago | (#16364145)


  As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

But then every Rush fan in the world would have the same password: -.-- -.-- --..

Re:Got rhythm? (1)

Banzai042 (948220) | more than 7 years ago | (#16367629)

Better than just having YYZ as a pw

why are we still using one/two factor authenticati (1)

Arimus (198136) | more than 7 years ago | (#16363833)

Why not make authentication systems three factor: something you have - the card, something you know - the pin, and what you are - biometric -finger print. With the false +ve/-ve rates you can't rely on finger print readers alone but combined with the other two factors you can make a secure system which even if I give you my pin is no use.

Make sure though the fingerprint key is not stored on the card ;).

Quick & easy passwords (1)

B5_geek (638928) | more than 7 years ago | (#16364125)

Type this in a term: *
ps -A |md5sum

This will ALWAYS give you a different result, and it is not reproducible/predictable.

*Windows users need not apply

Now, to 'remember' is a different story. I'll let you figure out your own method.

password will be too long (1)

harlows_monkeys (106428) | more than 7 years ago | (#16365477)

Interesting idea, but as implemented, you'd need a password that is rather long. For each tacton, you are choosing 1 of 9. That's 3.17 bits. You'll need a pretty long sequence to get decent password strength out of that.

When memorizing a password, I think length is more important than the number of possible symbols at each position, when it comes to difficulty of memorizing. Memorizing 10 decimal digits is easier than memorizing 32 bits, for example.

Conversation stops shoulder surfing (2, Interesting)

obtuse (79208) | more than 7 years ago | (#16365525)

I used to support Point of Sale systems at a local sporting goods chain, and often would be at the store working with the manager hanging around learning what they could (always appreciated.) I had a great boss, and she gave me a graceful technique for avoiding shoulder surfing in that situation. You have to be able to touch type your passwords.

Talk to the person, and look them in the eye while you type your password.

Not gonna work for all situations (ATM Pin) but incredibly effective where there is only one person who really presents a risk, and really, how often are you working in a crowd?

OK, Classrooms just suck, so you have to rely on flying fingers sometimes, but I did find it to be useful when "that kid" was hanging around the same way. "That kid" could be a proto-geek, or a hacker wannabe, but I always did what I could to educate and make conversation. Hey, you're interested? Cool! Kids (even teens) respond really well to being treated like people. And, the conversation made it easy to type my password without _him_ seeing it. No need to tempt 'em.

Shield (1)

MobyDisk (75490) | more than 7 years ago | (#16366315)

Can't somebody just make a pane that is transparent to someone standing in front of the keyboard, but not visible to anyone outside of a very small viewing angle? For example: a thick mesh is visible only from straight-on. From other angles you see the sides of the mesh.

Wall (1)

SanityInAnarchy (655584) | more than 7 years ago | (#16368287)

What you describe has been done, but why not just rely on touch-typing and make it impossible for ANYONE to see the keyboard?

My solution... (1)

east coast (590680) | more than 7 years ago | (#16366915)

We need laser beams that can find prying eyes and burn them out of the owner's skull. That would put a stop to it.

BTW: If anyone finds such a technology let me know. I need this for when I'm surfing Slashdot at work too.