Scary AI recognizes passwords by the sound of your typing (opens in new tab)

(pcworld.com)

34 pointsgrammers2y ago26 comments

26 comments

I read about this in the Silence on the Wire by Michal Zalewski. And you don't need a fullblown AI, a good statistical model is enough to make a guess on passwords, and if you have a bunch of probabilities to cut down your search space to a more probable set. And the book is from 2005, so I wouldn't say it is new. https://nostarch.com/silence.htm

I even remember reading about how Clifford Stoll recognized the different attackers by "typing rhythm" in Cuckoo's Egg.

hprotagonist2y ago

“fist recognition” is at least as old as morse code.

https://en.wikipedia.org/wiki/Keystroke_dynamics

flir2y ago

Earliest reference I know is to a TLA bugging plaintext teletype printers in The Hacker's Handbook, Hugo Cornwall, 1985.

nocsi2y ago

This is why I use a separate keyboard to type in my password. If you don’t have a dedicated keyboard, then I suggest you have a loved one come over to enter your passwords for you. Sometimes I have my kid do it

undersuit2y ago

Just randomly change the weight of your switches on your custom mechanical keyboard every 10000 keystrokes to keep the AI guessing.

mplewis2y ago

I type each key on a different keyboard. But the AI has started to guess the order of the keyboards that I use.

Brajeshwar2y ago

I would love to understand the joke behind this. My sarcasm level is not to this level to understand this one. Any references that I can read to catch up?

What about a virtual keyboard on the screen? What if we have our custom-built virtual keyboard with random arrangements of keys every time I want to type a Password?

belter2y ago

No details about what specific study they are referring to. These attacks are possible for several years now.

2016 - "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP" - https://arxiv.org/abs/1609.09359

2020 - "Behavioral Acoustic Emanations: Attack and Verification of PIN Entry Using Keypress Sounds" - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7309150/

Maybe they mean this one...

2023 - "A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards" - https://arxiv.org/abs/2308.01074

firecall2y ago

And just today there is a post about the Sneakers Movie Promotional Floppy!

Now, from memory I’m pretty sure there is a scene where the visually impaired / blind Hacker can work out the password by listening to the audio on the surveillance tape!

I’m probably mangling my memory of the scene, so please correct me! :-)

https://news.ycombinator.com/item?id=38585213

sublinear2y ago

Wasn't it on-screen keyboards that were the mitigation against keyloggers way back in the day?

thot_experiment2y ago

Does anyone know what the SotA foss local demo of something like this is? I'd really like to try and understand first hand what the limitations are.

Freedom22y ago

This is why I don't type and dictate my passwords using voice. Never been broken into once!

rvz2y ago

Just use a passkey or U2F device. No password at all.

Job done.

Erratic65762y ago

Don’t type passwords. Use 2FA whenever possible

com2kid2y ago

Do both.

Biometric to unlock phone, PIN to load 2FA auth app, and a password to actually login.

Actually, I am reminded of the 00s when companies used to have badges and badge readers you'd take home and plugin to your machine and you had to use those to authenticate connections.

Password + physical token. It was secure, but not convenient if you left your badge behind somewhere.

It wasn't wireless, no worries about snooping.

When it did work, it was magic. My Active Directory credentials automatically carried over between machines, across networks, for debugging purposes to dev boxes, and I was even able to step from C# code running locally into a stored procedures on a remove SQL server all from within (the OG) Visual Studio.

Nothing works anything near that well anymore. :(

(Show of hands, who here reading this can start debugging their staging environment databases from within their IDE, with a single button press?)

ianburrell2y ago

2FA is password (something you know) and device (something that you have). You have to enter the password to use 2FA.

Are you thinking of password manager? Most password managers involve entering the master password. Some can open with fingerprint but need to use the password occasionally.

Are you thinking about passkeys? Those aren’t 2FA.

LightHugger2y ago

I suspect he's thinking of just straight up using an authenticator instead of a password, which i should remind people is 1FA.

1 more reply

thot_experiment2y ago

No thanks, I'd rather keep my secrets unbound from any physical object.

dharmab2y ago

My 2FA OTPs are synced by 1Password which I can access from any of my devices; you can set up something similar with FOSS if you want full control. Authenticating to 1Password requires both a master password and a secret key; they have a feature called "Emergency Kit" for creating offline backups of the key (https://support.1password.com/emergency-kit/)

1 more reply

airstrike2y ago

Your password can still be a secret unbound from any physical object. This is just a second layer, so I don't really see the downside

EDIT: I guess you're right in that the parent was suggesting NOT typing passwords and sort of equating that to 2FA. so yeah, I like to keep one password in my head only (for sensitive stuff) and use a second factor if possible

1 more reply

Erratic65762y ago

Certain crucial passwords can be kept in the memory. There are thousands of menial logins though and a password manager might be more reliable than the memory

j / k navigate · click thread line to collapse

26 comments

JanneVee2y ago

I even remember reading about how Clifford Stoll recognized the different attackers by "typing rhythm" in Cuckoo's Egg.

hprotagonist2y ago

“fist recognition” is at least as old as morse code.

https://en.wikipedia.org/wiki/Keystroke_dynamics

flir2y ago

Earliest reference I know is to a TLA bugging plaintext teletype printers in The Hacker's Handbook, Hugo Cornwall, 1985.

nocsi2y ago

undersuit2y ago

Just randomly change the weight of your switches on your custom mechanical keyboard every 10000 keystrokes to keep the AI guessing.

mplewis2y ago

I type each key on a different keyboard. But the AI has started to guess the order of the keyboards that I use.

Brajeshwar2y ago

I would love to understand the joke behind this. My sarcasm level is not to this level to understand this one. Any references that I can read to catch up?

What about a virtual keyboard on the screen? What if we have our custom-built virtual keyboard with random arrangements of keys every time I want to type a Password?

belter2y ago

No details about what specific study they are referring to. These attacks are possible for several years now.

2016 - "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP" - https://arxiv.org/abs/1609.09359

2020 - "Behavioral Acoustic Emanations: Attack and Verification of PIN Entry Using Keypress Sounds" - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7309150/

Maybe they mean this one...

2023 - "A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards" - https://arxiv.org/abs/2308.01074

firecall2y ago

And just today there is a post about the Sneakers Movie Promotional Floppy!

Now, from memory I’m pretty sure there is a scene where the visually impaired / blind Hacker can work out the password by listening to the audio on the surveillance tape!

I’m probably mangling my memory of the scene, so please correct me! :-)

https://news.ycombinator.com/item?id=38585213

sublinear2y ago

Wasn't it on-screen keyboards that were the mitigation against keyloggers way back in the day?

thot_experiment2y ago

Does anyone know what the SotA foss local demo of something like this is? I'd really like to try and understand first hand what the limitations are.

Freedom22y ago

This is why I don't type and dictate my passwords using voice. Never been broken into once!

rvz2y ago

Just use a passkey or U2F device. No password at all.

Job done.

Erratic65762y ago

Don’t type passwords. Use 2FA whenever possible

com2kid2y ago

Do both.

Biometric to unlock phone, PIN to load 2FA auth app, and a password to actually login.

Actually, I am reminded of the 00s when companies used to have badges and badge readers you'd take home and plugin to your machine and you had to use those to authenticate connections.

Password + physical token. It was secure, but not convenient if you left your badge behind somewhere.

It wasn't wireless, no worries about snooping.

Nothing works anything near that well anymore. :(

(Show of hands, who here reading this can start debugging their staging environment databases from within their IDE, with a single button press?)

ianburrell2y ago

2FA is password (something you know) and device (something that you have). You have to enter the password to use 2FA.

Are you thinking of password manager? Most password managers involve entering the master password. Some can open with fingerprint but need to use the password occasionally.

Are you thinking about passkeys? Those aren’t 2FA.

LightHugger2y ago

I suspect he's thinking of just straight up using an authenticator instead of a password, which i should remind people is 1FA.

1 more reply

thot_experiment2y ago

No thanks, I'd rather keep my secrets unbound from any physical object.

dharmab2y ago

1 more reply

airstrike2y ago

Your password can still be a secret unbound from any physical object. This is just a second layer, so I don't really see the downside

1 more reply

Erratic65762y ago

Certain crucial passwords can be kept in the memory. There are thousands of menial logins though and a password manager might be more reliable than the memory

j / k navigate · click thread line to collapse