Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
Yes it is (Score:3, Funny)
Won't stop advanced key-capturing programs (Score:1, Interesting)
May be defeated if password is keylogged (Score:4, Insightful)
Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.
Re:May be defeated if password is keylogged (Score:3, Insightful)
Re:May be defeated if password is keylogged (Score:2)
True. However remembrance is, and no doubt that was the word which you intended. See, your vocabulary is bigger than you thought.
Re:May be defeated if password is keylogged (Score:1)
Of course I claim the patent on this enhancement.
Re:May be defeated if password is keylogged (Score:2)
Re:May be defeated if password is keylogged (Score:1)
Re:May be defeated if password is keylogged (Score:1)
Re:May be defeated if password is keylogged (Score:1)
Cool, I'll send you a licencing agreement, or my IP lawyer, whichever you prefer.
Sorry to burst your bubble (Score:5, Informative)
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8 [216.239.53.100]
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html [ncsc.dni.us]
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf [giac.org]
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html [techtarget.com]
Re:Sorry to burst your bubble (Score:2, Interesting)
Re:Sorry to burst your bubble (Score:2, Funny)
Re:Sorry to burst your bubble (Score:4, Insightful)
Dave
Re:Sorry to burst your bubble (Score:3)
Re:Sorry to burst your bubble (Score:2)
Unless you're seeing something I'm not seeing...
I nearly did this project at uni (Score:1)
I actually tried to do this in a Java applet for the second year project at Reading University in 1995. But my neural networks teacher said that it had been done years before and we had to do something innovative.
Shame I have no docs to prove it!
Re:Sorry to burst your bubble (Score:1)
Re:Sorry to burst your bubble (Score:1)
Re:Sorry to burst your bubble (Score:2)
Actually done on the Apple ][ (Score:2)
Sounds good (Score:2)
Not much of a problem though. Sounds good to me in some ways.
Re:Sounds good (Score:2)
Re:Sounds good (Score:4, Interesting)
This would also be a good measurement for hacker detection. If you keep a history of the password keystroke timing, and all of a sudden a separate set of timings starts to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!
Re:Sounds good (Score:1)
Re:Sounds good (Score:2, Funny)
I read this and had a strange image of a sofa and 2 chairs turning up at my desk... Maybe that's the lack of coffee this morning.
Re:Sounds good (Score:2)
You share passwords when it's forced upon you by an outside entity. For example, a website may charge for access and the company uses a single account for multiple users. I believe some section of Oracle used to (and possibly still does) use per company or per version accounts.
"Never" is a word to stay away from when things are not 100% in control. How often have things been 100% in my control, you ask?
Why, never!
91% success means 9% failure (Score:3, Insightful)
I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.
Re:91% success means 9% failure (Score:2)
Still, I think this would be an interesting idea, as long as it re-learned as time went on (people get faster at typing their password - and what about when passwords change? There are several trivial but important issues. Still, a cool idea. I wish
Re:91% success means 9% failure (Score:2)
All in all it is bound to have a higher re-type rate than normal passwords, but it might still have application in areas where emphasis is more on security and less on speed...
No patents (Score:5, Interesting)
Re:No patents (Score:4, Funny)
The first one has a nice plaid pattern, whereas the second one (and this is the clever bit) has a striking blue and green pattern on it.
Steve.
Re:No patents (Score:2)
Somewhere there's bound to be a Scottish clan or two with prior art on that.
Re:No patents (Score:2)
Re:No patents (Score:1)
Re:No patents (Score:1)
you know, there's things called submarine patents some devious companies can file, and then try to get everyone to use the already patented tech (whilst they don't know the company has patents on them) and then profit from this.
this timing method however has very few uses, but very good uses those few are, for example for vaults or similar.
Re:THIS IS A HOAX YOU MORONS! (Score:1)
Patent Officer #1: "How'd the Google search turn out?"
Patent Officer #2: "Well, I searched on his name and didn't find any web pages talking about this idea, so it must be new!"
Patent Officer #1: "Great! I'll notify Mr. Bezos of his new patent!"
Have you ever considered that not everyone who has an idea first creates a website about it... and if the
Re:No patents (Score:2)
My thoughts were to continuously monitor things like spelling mistakes and typos as well as keypresses: 10 mins of odd activity and the PC questions the identity of the operator.
This is fine, until you injure yourself and don't type quite the same.
Re:No patents (Score:1)
Re:No patents (Score:2)
If he doesn't have patents, though, let's not burst his bubble on being creative and inventing. Let's just call
Re:No patents (Score:1)
Ouch! I njust bnanged my finger! (Score:5, Interesting)
I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.
I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.
What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?)
Even worse, what if I innnjure my finger or hand (yeah, it's
With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.
However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.
This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
Re:Ouch! I njust bnanged my finger! (Score:2)
However, in an organisation with sys admins, it would be trivial to go to a sys admin and tell them you have an injury which means you can't log in; they can then just reset your keyprint timings -- you just re-train the system and off you go again.
A useful modification to the system would be to have it do online learning: i.e. the keyprint timings are not learned from a batch of N sample logins, but the classifier is trained on
Re:Ouch! I njust bnanged my finger! (Score:1)
It works well (Score:5, Informative)
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society [amazon.com], and anything else on the subject written or edited by Anil Jain [amazon.com].
(His webpage is here [msu.edu], the webpage of his lab is here [msu.edu]).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
It may not be secure. (Score:1)
Plenty of prior art in this area though, I'm afraid
Some users will have severe problems with this (Score:2)
Personally, I am really used to punching in my password(s) and I would not be surprised if others could imitate me simply by trying to input it very efficiently. I guess I would be able to obfuscate my password with some pauses
Re:Some users will have severe problems with this (Score:2, Funny)
> would not be surprised if other could imitate me simply by trying
> to input it very efficiently.
Me too, _except_ that I use a modified keyboard layout, which makes certain things take different amounts of time than usual. (For example, switching between upper and lower case is faster, because shift is under a home position on my layout. OTOH, k is rather out of the way and generates an extra pause before or after.)
I still prefer the l
Re:Some users will have severe problems with this (Score:1)
Re:Some users will have severe problems with this (Score:1)
I call it "Jonadabian". It's a custom layout of my own design. I have an Avant keyboard, so I can put any key in any position I want.
My layout is based on QWERTY, but there are some quite important differences. Most notably, I have shift and control under the home positions of my left and right pinkies (respectively) so that I don't have to hyperextend my pinkies every two seconds. My pinkies used to hurt after a few hours of using the computer, and now they don'
No free consultation for you. (Score:5, Insightful)
User Auditing (Score:3, Interesting)
yes, but... (Score:2, Funny)
or was it last week?
mortimer! how did you type 'depression' again? with a coffee break between the 'p' and the 'r'??
Absolutely!! (Score:1)
On a side note, this will help keep me off my computer while drunk too!!
20 values (Score:5, Informative)
-C
Re:20 values (Score:2)
And it would be a little pointless to only allow the past 20 _successful_ inputs, because they would all match the original fingerprint and no drift would occur.
Re:20 values (Score:2)
To millisecond accuracy? I don't think so. The verification algorithm has to accept each correct keypress within some margin of error; they won't all be exactly the same. Then the last 20 successful samples can be averaged and used as the baseline for new verifications each time.
Mr. Cracker either doesn't know the correct keys, or will be so far
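The two ideas in this thread that are concrete enough to code are the original poster's scheme (per-key dwell time, between-key flight time, a profile built from 20 entries) and the suggestion above of a rolling baseline taken from the last 20 accepted logins so the profile drifts as the user speeds up. The following is an added illustration written for this page, not the poster's patented programs; the password, base timings, jitter values, the 2.5-sigma band, the 10 ms sigma floor and the 90% match requirement are all constructed assumptions chosen to make the example deterministic.

```python
"""Keystroke-dynamics ("keyprint") verifier: an added illustration for this
thread, not the poster's programs.  All timings below are constructed sample
data; the thresholds are assumptions, not values from the thread."""
import hmac
from statistics import mean, pstdev


def features(events):
    """events: list of (key, keydown_ms, keyup_ms) in typing order.
    Returns dwell times (keyup - keydown per key) followed by flight times
    (next keydown - previous keyup): the two quantities the poster records."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def make_events(password, dwells, flights, start_ms=1000):
    """Build an event list from per-key dwell and between-key flight times.
    Only used here to construct sample logins for the demonstration."""
    events, t = [], start_ms
    for i, key in enumerate(password):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


class Keyprint:
    """Rolling timing profile: per-feature mean and spread over the last
    `window` accepted logins, so the baseline follows the user's drift."""

    def __init__(self, password, window=20, tolerance=2.5, min_sigma=10.0, min_match=0.9):
        self.password = password
        self.window = window        # logins kept in the profile (20 in the poster's design)
        self.tolerance = tolerance  # a feature matches if within this many sigmas of the mean
        self.min_sigma = min_sigma  # floor (ms) so a very consistent enrolment is not brittle
        self.min_match = min_match  # fraction of features that must match to accept
        self.samples = []

    def enroll(self, samples):
        """Initial training set: the 20 recorded entries of the password."""
        self.samples = list(samples)[-self.window:]

    def baseline(self):
        cols = list(zip(*self.samples))
        mus = [mean(c) for c in cols]
        sigmas = [max(pstdev(c), self.min_sigma) for c in cols]
        return mus, sigmas

    def match_fraction(self, sample):
        mus, sigmas = self.baseline()
        inside = sum(1 for x, mu, s in zip(sample, mus, sigmas)
                     if abs(x - mu) <= self.tolerance * s)
        return inside / len(mus)

    def verify(self, events):
        """Password must be right first; only then is the rhythm compared.
        An accepted login slides the window forward, a rejected one does not,
        so an attacker cannot retrain the profile by failing repeatedly."""
        typed = "".join(k for k, _, _ in events)
        if not hmac.compare_digest(typed, self.password):
            return False
        sample = features(events)
        if self.match_fraction(sample) < self.min_match:
            return False
        self.samples = (self.samples + [sample])[-self.window:]
        return True


# Constructed sample data: a 6-character password, typical dwell/flight times
# in ms, and a fixed jitter list so the enrolment set is reproducible.
PASSWORD = "secret"
BASE_DWELL = [80, 95, 90, 85, 100, 90]
BASE_FLIGHT = [120, 140, 110, 160, 130]
JITTER = [-8, 5, -3, 7, 0, 4, -6, 2, 9, -5, 3, -1, 6, -9, 1, 8, -4, -7, 2, 0]


def training_samples(n=20):
    """n enrolment feature vectors: base timing plus cyclically shifted jitter."""
    base = BASE_DWELL + BASE_FLIGHT
    return [[v + JITTER[(i + j) % len(JITTER)] for j, v in enumerate(base)]
            for i in range(n)]


if __name__ == "__main__":
    kp = Keyprint(PASSWORD)
    kp.enroll(training_samples())
    owner = make_events(PASSWORD, [d + 3 for d in BASE_DWELL], [f - 4 for f in BASE_FLIGHT])
    print("owner, own rhythm:", kp.verify(owner))                     # True
    # Someone who knows the password but pauses ~70 ms longer between keys.
    other = make_events(PASSWORD, BASE_DWELL, [f + 70 for f in BASE_FLIGHT])
    print("correct password, wrong rhythm:", kp.verify(other))        # False
```

The `baseline()` output is what the "2D graphical representation" in the question would plot: one mean and band per feature. Because only accepted logins enter the window, the profile tracks gradual speed-up but a sudden change (the injured-finger or new-keyboard case raised elsewhere in the thread) still locks the user out until an administrator re-enrols them.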
Re:20 values (Score:1)
If they have physical access you're screwed anyway (Score:2)
Yeah, I remember that trick. It's called a boot disk [lostpassword.com].
I'm not sure if boot disks are "l33wt", but I know that if anyone has physical access to your machine, they can access your machine. This keystroke monitoring program is silly.
New keyboard (Score:2)
Won't work worth shite... (Score:2)
Try again...
Arthritis (Score:4, Interesting)
serious question (Score:2)
Re:serious question (Score:1)
I think it's not a bad idea, because it's based both on biometrics and something changeable (password). Any system based purely on biometrics does not allow for altering of the access "code" if it gets compromised.
Not if it's patented... (Score:2)
Otherwise, you're just another schmoe who thinks he's come up with something unique.
Input locality... Local or Remote (Score:3, Informative)
Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.
SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.
Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.
So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.
Keylogging still breaks it. (Score:2)
I was on one of my super-paranoid thought paths the other day, and ended up trying to think of a way to restrict access.
Passwords are vulnerable to keylogging and snooping; your method would require that the keylogger/snooper timed the keystrokes - definitely in the realm of possibility. Some sort of combined graphical/mouse/keyboard login would be more difficult, but snooping/screen captures/Van Eck phreaking would do the trick. Biological measures would also be difficult, since you can be coerced into
Re:Keylogging still breaks it. (Score:2)
I suppose you could say it's more difficult, but compared to actually doing Van Eck phreaking in the first place, it's only marginally more difficult. If you can phreak VDUs, you can phreak LCDs.
As for the initial problem of restricting access. If you want to ensure that nobody can
New password probs (Score:2)
At some point, you have to reset the timing. Say every n logons. But at that point, a cracker could reset the timing for you...:)
Re:New password probs (Score:2)
Sheesh (Score:1)
You are not everyone (Score:3, Interesting)
This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp)? What if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.
And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.
Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.
Re:You are not everyone (Score:1)
Yeah, pr0n sites do that to me too.
I might have a burrito in my hand
That's the way you call it?
Oh Goody - more patents (Score:1)
Just because you can do it, doesn't mean you should get a patent on it.
my thesis (Score:2, Informative)
My work was to improve the results using a different neural network. I later used this work as the basi
Dogwalker (Score:2)
Reminds me of a story by Orson Scott Card [hatrack.com] called Dogwalker [frescopictures.com] . The protagonist is someone who groks passwords. He ends up caught because he got a password correct on the first try, which the owner never ever did.
patents? (Score:1)
I'm answering you with a broken wrist today (Score:1)
Actually, that should answer your question.
It's a cute idea. (Score:1)
Doesn't mean it doesn't have other applications though. Sounds like it might be a better measurement of typing speed than what most use. Perhaps it could add complexity to games as well.
Wasted money... (Score:1)
more prior art... (Score:1)
Those Who Do Not Do Research... (Score:1)
As others have mentioned, morse code users recognized the style of each other's signals a long time ago. Typing patterns have been used in various ways also; one of the less obvious was in decoding typed documents through spy transmitters which provided recorded audio of typing. Of course, Turing test tools have done the reverse when a computer emulated human typing for the purpose of seeming to be a human typist. An obv