Better passwords get with the beat

May 17, 2011

No password is 100% secure. There are always ways and means for those with malicious intent to hack, crack or socially engineer access to a password. Indeed, there are more and more websites and databases compromised on a seemingly daily basis. A new approach to verifying passwords that also takes into account the speed with which a user types in their login and the gaps between characters would render a stolen password useless.

Writing in the International Journal of and Secured Transactions from Beirut explain the shortcomings of previous attempts at key-pattern analysis. KPA is an attempt to scrutinize the speed with which a user taps the keys as well as measuring the gaps between keystrokes, the beat of their typing. KPA has also been tested with modified keyboards that measure the force with which keys are pressed. The result can be a biometric profile of the way an individual user types in their . If the biometric does not match the user then the password fails even if it is "correct".

Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut, in Lebanon, point out how inconvenient a modified keyboard would be to an organization or individual. They explain how previous attempts at KPA fail if the pressing of two keys overlaps. Early efforts also focus on "inter" timing, the time lag between pressing one key and the next, which is not adequate to ensure a password is usable only by the legitimate user. The team instead has incorporated "intra" timing that measures how long each key remains depressed, which they say gives them the beat of the typing and is a much more robust parameter.

The program gathers information about how the user is typing in their password by recording the electronic signals from a standard keyboard as keys are pressed and released. The program then compares the pattern of the password typed with a pre-stored pattern recorded when the account is initially setup. A user would be expected to repeatedly type their password at the login registration stage to record a reproducible typing pattern. The validation algorithm then looks at the various parameters, intra and inter timing the relationships between two keys (digraph), three keys (trigraph) and up to the number of keys that are the password length.

Obviously, a longer password will provide a more complicated profile of the person's typing and so reduce the risk of the typing of anyone else typing the password with the same timing pattern as the legitimate user. There is a trade-off, of course, too long a password and even a legitimate user is unlikely to reproduced their typing pattern accurately every time they enter the password. Password distribution can also be accommodated for by creating KPA groups for the same password for those users eager to share their passwords with friends and colleagues without impinging on the security of the system, the team says.

Explore further: Cutting the cloud computing carbon cost

More information: "Optimising password security through key-pattern analysis" in Int. J. Internet Technology and Secured Transactions, 2011, 3, 178-193

Related Stories

So many passwords, so little memory

Apr 15, 2009

How many keys are on your keychain? I just looked at mine and counted nine keys. And that's not counting the bulky little remote control key fob that locks and unlocks my car. I've tried to consolidate my keys by making one ...

Tired of Passwords? Replace Them With Your Fingerprint

Sep 14, 2004

If you're like most people, you have more than a dozen passwords and user names to remember. Whether you're checking your e-mail for new messages, catching up on the news, posting to a Web discussion group, ...

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Recommended for you

Cutting the cloud computing carbon cost

Sep 12, 2014

Cloud computing involves displacing data storage and processing from the user's computer on to remote servers. It can provide users with more storage space and computing power that they can then access from anywhere in the ...

Teaching computers the nuances of human conversation

Sep 12, 2014

Computer scientists have successfully developed programs to recognize spoken language, as in automated phone systems that respond to voice prompts and voice-activated assistants like Apple's Siri.

Mapping the connections between diverse sets of data

Sep 12, 2014

What is a map? Most often, it's a visual tool used to demonstrate the relationship between multiple places in geographic space. They're useful because you can look at one and very quickly pick up on the general ...

Google team rises to 2014 visual recognition challenge

Sep 08, 2014

Google's Christian Szegedy, software engineer, blogged Friday about GoogleNet's entry into a visual recognition challenge, the results of which indicate improvements in the state of machine vision technology. ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

5 / 5 (3) May 17, 2011
Sometimes if I log in at a different computer and so a different keyboard and seating position, I find that I might get my password wrong on the first attempt and sometimes the second attempt too. I'll then enter it much more slowly and methodically so as to ensure that I get it correct and not be locked out. I could see a timing system of this nature being very frustrating, I sincerely hope they would give additional attempts and use a number of different keyboards during their studies.

I also wonder how the additional strength provided by the timing fairs against simply making the password longer? (Especially if this method must provide more attempts.)
5 / 5 (3) May 17, 2011
This sounds rediculous. So, so many reasons why you shouldnt do this. What if you are drunk? What if you injured a finger, on and on the list goes. I guarantee this will be a disaster for anyone who tries to use it. I almost Never have the same rhythm to my password. Just use biometric scanning instead!