Better passwords get with the beat

May 17, 2011

No password is 100% secure. There are always ways and means for those with malicious intent to hack, crack or socially engineer access to a password. Indeed, there are more and more websites and databases compromised on a seemingly daily basis. A new approach to verifying passwords that also takes into account the speed with which a user types in their login and the gaps between characters would render a stolen password useless.

Writing in the International Journal of Internet Technology and Secured Transactions, computer scientists from Beirut explain the shortcomings of previous attempts at key-pattern analysis. KPA is an attempt to scrutinize the speed with which a user taps the keys as well as measuring the gaps between keystrokes, the beat of their typing. KPA has also been tested with modified keyboards that measure the force with which keys are pressed. The result can be a biometric profile of the way an individual user types in their password. If the biometric does not match the user then the password fails even if it is "correct".

Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut, in Lebanon, point out how inconvenient a modified keyboard would be to an organization or individual. They explain how previous attempts at KPA fail if the pressing of two keys overlaps. Early efforts also focus on "inter" timing, the time lag between pressing one key and the next, which is not adequate to ensure a password is usable only by the legitimate user. The team instead has incorporated "intra" timing that measures how long each key remains depressed, which they say gives them the beat of the typing and is a much more robust parameter.

The program gathers information about how the user is typing in their password by recording the electronic signals from a standard keyboard as keys are pressed and released. The program then compares the pattern of the password typed with a pre-stored pattern recorded when the account is initially set up. A user would be expected to repeatedly type their password at the login registration stage to record a reproducible typing pattern. The validation algorithm then looks at the various parameters: intra and inter timing, and the relationships between two keys (digraph), three keys (trigraph) and up to the number of keys that make up the password length.
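
As an added illustration of the intra and inter timing comparison described above (not the authors' algorithm or code), this simplified Python check enrolls a profile from repeated entries and scores a login attempt against it. The function names, the 10 ms spread floor, the threshold of 2.0 and the sample timings are assumptions; the password itself is assumed to be checked separately, and digraph/trigraph relationships are left out.

```python
from statistics import mean, stdev

def features(events):
    """events: (key, 'down'|'up', t_ms) tuples in arrival order.
    Returns the intra timings followed by the inter timings."""
    pending, presses = {}, []              # pending: key -> index of its open press
    for key, kind, t in events:
        if kind == "down":
            pending[key] = len(presses)
            presses.append([t, None])
        else:                              # release may arrive after the next key's press
            presses[pending.pop(key)][1] = t
    if any(up is None for _, up in presses):
        raise ValueError("a key was pressed but never released")
    intra = [up - down for down, up in presses]                   # hold time per key
    inter = [b[0] - a[0] for a, b in zip(presses, presses[1:])]   # press-to-press lag
    return intra + inter

def enroll(samples, floor_ms=10.0):
    """Build a profile from repeated entries of the password (at least two)."""
    cols = list(zip(*(features(s) for s in samples)))
    return {"mean": [mean(c) for c in cols],
            # floor the spread so a very consistent enrollment does not reject everything
            "spread": [max(stdev(c), floor_ms) for c in cols]}

def verify(profile, events, threshold=2.0):
    """True if the mean scaled deviation from the enrolled beat is within threshold."""
    try:
        vec = features(events)
    except (KeyError, ValueError):         # malformed event stream
        return False
    if len(vec) != len(profile["mean"]):
        return False
    score = mean(abs(v - m) / s
                 for v, m, s in zip(vec, profile["mean"], profile["spread"]))
    return score <= threshold

def type_it(text, intra, inter):
    """Constructed sample input: key events for `text` with the given timings."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events += [(ch, "down", t), (ch, "up", t + intra[i])]
        t += inter[i] if i < len(inter) else 0
    return sorted(events, key=lambda e: e[2])

# Constructed enrollment: the first key is still held when the second is pressed.
PROFILE = enroll([type_it("beat", [170, 110, 80, 100], [150, 200, 120]),
                  type_it("beat", [165, 115, 85, 95], [155, 190, 125]),
                  type_it("beat", [175, 105, 78, 104], [146, 207, 118])])
```

Matching each release to its own key's press is what lets overlapping key presses be measured, and a correct password typed with a different rhythm is rejected by `verify`.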

Obviously, a longer password will provide a more complicated profile of the person's typing and so reduce the risk of anyone else typing the password with the same timing pattern as the legitimate user. There is a trade-off, of course: with too long a password, even a legitimate user is unlikely to reproduce their typing pattern accurately every time they enter it. Password distribution can also be accommodated by creating KPA groups for the same password for those users eager to share their passwords with friends and colleagues without impinging on the security of the system, the team says.

"Optimising password security through key-pattern analysis" in Int. J. Internet Technology and Secured Transactions, 2011, 3, 178-193

Inderscience Publishers
