Debunking the myth of password security

November 4, 2016 by Nurfilzah Rohaidi

When U.S. presidential hopeful Hillary Clinton was found to have used a private email server for government business as Secretary of State, there was a collective gasp of disbelief. That disbelief quickly turned into horror when it was later revealed that she did not even protect her office computer with a password.

Such lapses in computer security look downright negligent at a time when major data breaches and leaks regularly dominate international headlines. But the episode also draws attention to a more compelling question: just how secure are text-based passwords, really?

Associate Professor Gao Debin, a security researcher from the Singapore Management University (SMU) School of Information Systems, believes that there should be alternatives to the ubiquitous, text-based user authentication method. "People tend to pick simple, easy-to-crack passwords, such as their date of birth or worse, 'password'. These are not very secure, naturally leaving their computers and data vulnerable to the 'bad guys'," he says.

The question is a timely one. A recent massive leak of 272.3 million email passwords by Russian hackers, covering scores of Google, Yahoo and Microsoft email accounts, was made possible by preying on less secure third-party websites whose users had reused the same email and password combinations.

Typing your way in

To address the growing concern over the vulnerabilities of text-based passwords, researchers have developed new methods of authentication, such as keystroke biometrics. Keystroke biometrics captures a user's typing patterns and rhythms as a means of identification. The concept rests on previous studies showing that typing patterns are unique to each individual and cannot easily be imitated.

However, gatekeeping via keystroke biometrics isn't foolproof, says Professor Gao, as attackers may attempt to imitate the typing patterns of their victim. How feasible such imitation is forms one area of Professor Gao's research.

"Specifically, I work on attacks and defences. I look into new attacking techniques that the attacker would use in order to exploit a particular application," he says. "I also work on the defence mechanisms—how we can detect those attacks and stop them from happening."

Crafty as they are, attackers can infer the typing patterns of their victims in several ways. One scenario involves Google Instant, a JavaScript application that can be reverse engineered to reveal this information. Professor Gao and colleagues addressed this possibility in a conference proceedings paper, "Keystroke Timing Analysis of On-the-fly Web Apps", presented at Applied Cryptography and Network Security (ACNS), the 11th International Conference, in 2013.

"When you type in a search query on Google, the result shows up immediately while you are typing, even before you hit the enter key or click on the search button. Therefore, for every single key that you press on the keyboard, there is a corresponding message being sent to the Google server," reveals Professor Gao, who adds that the same technology is being used on Facebook and Twitter, among other websites.

"Servers using such technology could potentially log down the timing of every single message, which would correspond precisely to your typing dynamics."
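The leak Professor Gao describes, and one client-side mitigation, as an added Python example written for this page (it is not code from the ACNS paper or from Google Instant, and every timing value in it is constructed): the first server model receives one request per key press and so recovers the typist's inter-keystroke gaps from its own arrival log to within network jitter; the second model assumes the client buffers key presses and sends the current query only on a fixed timer tick, so the server's log holds only tick times and the typing rhythm is gone.

```python
"""Added example: why a per-keystroke "instant" request stream leaks typing rhythm
to the server, and how a fixed client-side send cadence removes the leak.
Not code from the ACNS paper or from any search engine; all timings are constructed."""
import random

# Constructed inter-keystroke gaps (seconds) for a nine-key query: eight gaps.
TRUE_GAPS = [0.21, 0.14, 0.33, 0.18, 0.25, 0.12, 0.29, 0.20]


def keypress_times(gaps, start=0.0):
    """Absolute key-press timestamps from the gaps between consecutive presses."""
    times = [start]
    for gap in gaps:
        times.append(times[-1] + gap)
    return times


def gaps_between(times):
    """Inter-keystroke timing recovered from a list of timestamps."""
    return [b - a for a, b in zip(times, times[1:])]


def server_log_per_keystroke(press_times, max_jitter=0.005, seed=1):
    """Server-side arrival log when the client sends one request per key press.
    Each arrival is the press time plus a little constructed network jitter."""
    rng = random.Random(seed)
    return [t + rng.uniform(0.0, max_jitter) for t in press_times]


def server_log_fixed_cadence(press_times, period=0.5):
    """Mitigation: the client buffers key presses and sends the current query only
    on a timer tick every `period` seconds, and only if the query changed since the
    last tick. The server therefore logs tick times, never key-press times."""
    arrivals = []
    sent = 0
    tick = period
    while sent < len(press_times):
        typed = sum(1 for t in press_times if t <= tick)
        if typed > sent:
            arrivals.append(tick)
            sent = typed
        tick += period
    return arrivals


def rhythm_recovery_error(true_gaps, arrival_log):
    """Largest error (seconds) between the typist's real gaps and the gaps the server
    can read off its log. None when the log does not even hold one entry per press,
    so no per-gap comparison is possible."""
    observed = gaps_between(arrival_log)
    if len(observed) != len(true_gaps):
        return None
    return max(abs(a - b) for a, b in zip(true_gaps, observed))


if __name__ == "__main__":
    presses = keypress_times(TRUE_GAPS)
    leaky = server_log_per_keystroke(presses)
    print("per-keystroke sending, max gap error:", rhythm_recovery_error(TRUE_GAPS, leaky))
    batched = server_log_fixed_cadence(presses)
    print("fixed-cadence sending, server sees gaps:", gaps_between(batched))
```

With per-keystroke sending the server's log reproduces all eight gaps to within a few milliseconds; with a half-second cadence it sees four arrivals exactly half a second apart, which says how long the user typed for but nothing about the rhythm. The price is responsiveness: suggestions lag by up to one period, which is the trade a site owner has to weigh against the biometric data its logs would otherwise accumulate.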

The imitation game

Inter-keystroke timing, or the time it takes between two consecutive key presses, is the most commonly used type of data for keystroke biometrics. Professor Gao and colleagues set out to question the "uniqueness property" of keystroke biometrics—the extent to which systems can be fooled by attackers imitating their victims' typing patterns.

Recruiting 84 SMU students as attackers, the researchers first gave each participant 30-45 minutes of training with a feedback software program, Mimesis, which they had developed. The program gives positive or negative feedback to the student so that, through incremental adjustments, they can closely imitate how their victim types.

Consider a scenario where a biometrics database is compromised; software such as Mimesis could be used to extract victims' typing parameters, which can then be used for malicious purposes.

"For example, it will tell you that the way that you type right now is slightly different from the victim's typing; or the inter-keystroke timing between A and S is shorter than what the victim types, so you better slow down a little bit when you are typing these two letters," Professor Gao elaborates.

The results show that when a victim's typing pattern is known, imitation is possible—contrary to the findings of previous studies. The students could easily log into systems by impersonating their would-be victims, and 14 of them managed to do so with an almost 100% success rate over a total of 200 attempts.

Interestingly, even when the attacker had only partial information about their victim—perhaps a handful of typing samples captured by a key-logger as the victim is authenticating—they could still achieve a reasonably high false acceptance rate.
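To make the failure of the "uniqueness property" concrete, here is an added Python example that is not the authors' Mimesis software or their evaluation code: a minimal keystroke-dynamics verifier that enrols a template of per-gap means and standard deviations from a few genuine samples and accepts a login attempt when its scaled Manhattan distance to that template falls under a threshold. The sample timings, the distance metric and the thresholds are all constructed for illustration. Against an attacker typing with their own rhythm the check works; against an attacker who knows the victim's template and matches it, the same check produces exactly the false acceptance the study reports, and loosening the threshold to tolerate a partially informed attacker only widens that hole.

```python
"""Added example: a toy keystroke-dynamics verifier built on inter-keystroke timing.
Not code from the NDSS paper or from Mimesis; all timings are constructed."""
import statistics

# Constructed enrolment samples for one victim typing a six-character password.
# Each list holds the five gaps (seconds) between consecutive key presses.
VICTIM_ENROLMENT = [
    [0.18, 0.25, 0.12, 0.30, 0.21],
    [0.20, 0.23, 0.13, 0.28, 0.22],
    [0.17, 0.26, 0.11, 0.31, 0.20],
    [0.19, 0.24, 0.12, 0.29, 0.23],
    [0.18, 0.25, 0.14, 0.30, 0.21],
]
GENUINE_ATTEMPT = [0.19, 0.25, 0.13, 0.30, 0.22]      # the victim logging in again
UNTRAINED_ATTACKER = [0.10, 0.12, 0.09, 0.11, 0.10]   # attacker's own, faster rhythm
IMITATION_ATTEMPTS = [                                 # attacker who knows the template
    [0.18, 0.24, 0.12, 0.31, 0.21],
    [0.19, 0.25, 0.13, 0.29, 0.22],
    [0.17, 0.25, 0.12, 0.30, 0.20],
    [0.20, 0.27, 0.15, 0.33, 0.24],  # partially informed: close, but consistently slow
]


def inter_keystroke_gaps(press_times):
    """Inter-keystroke timing: the gaps between consecutive key-press timestamps."""
    return [b - a for a, b in zip(press_times, press_times[1:])]


def build_template(samples, min_std=0.01):
    """Per-gap mean and standard deviation over the enrolment samples.
    min_std stops a very consistent typist from producing a zero divisor."""
    n_gaps = len(samples[0])
    means = [statistics.fmean([s[i] for s in samples]) for i in range(n_gaps)]
    stds = [max(statistics.pstdev([s[i] for s in samples]), min_std) for i in range(n_gaps)]
    return means, stds


def scaled_manhattan(template, attempt):
    """Average per-gap deviation from the template, in units of that gap's std."""
    means, stds = template
    return sum(abs(x - m) / s for x, m, s in zip(attempt, means, stds)) / len(means)


def verify(template, attempt, threshold=1.5):
    """Accept when the attempt's rhythm is within `threshold` std units on average."""
    return scaled_manhattan(template, attempt) <= threshold


def false_acceptance_rate(template, impostor_attempts, threshold=1.5):
    """Share of impostor attempts the verifier wrongly accepts."""
    accepted = sum(1 for a in impostor_attempts if verify(template, a, threshold))
    return accepted / len(impostor_attempts)


if __name__ == "__main__":
    template = build_template(VICTIM_ENROLMENT)
    print("genuine accepted:", verify(template, GENUINE_ATTEMPT))
    print("untrained attacker accepted:", verify(template, UNTRAINED_ATTACKER))
    print("FAR for informed imitator (threshold 1.5):",
          false_acceptance_rate(template, IMITATION_ATTEMPTS))
    print("FAR for informed imitator (threshold 3.0):",
          false_acceptance_rate(template, IMITATION_ATTEMPTS, threshold=3.0))
```

The untrained attacker lands more than ten standard deviations from the template and is rejected, while three of the four informed imitation attempts pass at the default threshold, a false acceptance rate of 75%. Raising the threshold so that the partially informed attempt also passes takes that rate to 100%: the verifier has no way to tell a practised imitator from the victim, because the only thing it measures is the rhythm the imitator has learned to reproduce. That is the weakness a deployment has to compensate for with a second factor rather than with a tighter threshold alone.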

Professor Gao presented this research at the 20th Annual Network & Distributed System Security Symposium 2013 in San Diego, California. His conference proceedings paper, "I Can Be You: Questioning the Use of Keystroke Dynamics as Biometrics", bagged the Best Paper Award.

Designing better, more usable interfaces

From their experiments, the researchers also learned a number of fascinating things: for one, the easier the , the easier the imitation. Male students were also found to be better than female students at imitation. However, various factors such as typing consistency, type of keyboard, and imitation strategy had much less influence on the imitation outcome than expected.

Findings such as these could potentially prompt a re-think of current keystroke biometrics-based authentication systems, Professor Gao believes. With his work, he hopes to spread awareness about the weaknesses of keystroke biometrics, allowing companies to configure their web services in such a way that provides functionality without compromising on end user privacy.



26 comments


dogbert
3 / 5 (2) Nov 04, 2016
Passwords are certainly not as secure as they could be. It seems that every site requires a password that is 8 to 12 characters containing upper and lower case, a numeral and a punctuation symbol. These rules result in passwords which are difficult to remember, difficult to enter and fairly easy to brute force.

Allowing and encouraging longer, simple statements for passwords would seem much better.

"Mary Ann feeds her pony, Rose, red bell peppers and lettuce." Would be much easier to remember and enter and is large enough to make discovery very difficult.
dogbert
Nov 04, 2016
This comment has been removed by a moderator.
Code_Warrior
5 / 5 (2) Nov 04, 2016
It's not that difficult to create unique passwords for each site that are secure. Divide your password up into 3 segments. For the first segment, choose some feature, known only to you, that all accounts have in common - for example, choosing the nth letter of each word in a short phrase that has meaning to you for the account. You use that feature to create a mnemonic that's easy to reproduce, naturally varies in length, and produces a unique character sequence for each account. The next segment is a common segment used on all accounts that contains a random combination of upper and lowercase letters, numbers, and/or special characters that you memorize. The last segment is an index segment that you can use to vary the password for those accounts that force frequent password changes.

While no password scheme is completely secure, using such a scheme increases your password security immensely by guaranteeing uniqueness without requiring memorization of multiple passwords.
Ultron
1 / 5 (2) Nov 04, 2016
Passwords are certainly not as secure as they could be. It seems that every site requires a password that is 8 to 12 characters containing upper and lower case, a numeral and a punctuation symbol. These rules result in passwords which are difficult to remember, difficult to enter and fairly easy to brute force.

Allowing and encouraging longer, simple statements for passwords would seem much better.

"Mary Ann feeds her pony, Rose, red bell peppers and lettuce." Would be much easier to remember and enter and is large enough to make discovery very difficult.


You know, the brute force needed to crack a password increases geometrically, meaning that even with basic characters you are safe from ordinary people somewhere beyond 12 characters, and beyond about 15 characters you are safe from government. Naturally only in case of reasonable encryption and no backdoor. Also your password should not be some common type which can be exploited by vocabulary.
antigoracle
3.7 / 5 (3) Nov 04, 2016
Any passcode is better than none. http://www.dailym...000.html
nm67
not rated yet Nov 04, 2016
Technology is finally sophisticated enough to fix the weaknesses of traditional passwords.

Introducing a breakthrough digital security innovation: Graphic Access Tabular Entry [GATE], an interception-proof authentication and encryption system and method. With the GATE system you are not afraid that you are watched when you enter passwords, and you are not afraid that the password will be intercepted; the GATE innovative method is designed to be peek-proof and interception-proof.

A utility patent has just been granted for this breakthrough technology. For detailed information, go to: nmjava.com/gate

The GATE system and method will offer you better digital security.
B Fast
5 / 5 (2) Nov 04, 2016
Keystroke biometrics is the dumbest, stupidest, most idiotic way of confirming that you are you. I mean, like, you are in a car accident and injure your hand. Now you can't unlock your cell phone, or connect with anything because your timing is all different!? Or you just got really bad news, or really good news -- are your emotions going to affect your biometrics? If not, then the biometric system isn't very sensitive.
luke_w_bradley
1 / 5 (1) Nov 04, 2016
"and beyond like 15 characters you are safe from government. "

The NSA can hack all the SSL connections that keep the Internet secure(1), so the value of these passwords on the Internet is questionable. Honestly, we'd be a lot better off if we embraced that fact and did our logins through an NSA service, like you can do with Google and Oauth2. Google knows device locations, identities and all this stuff to ensure secure login, and sends a text to your phone to verify ones they aren't sure of. How much better could the NSA do it with all they know?

1) http://www.zdnet....eak-ssl/
antigoracle
not rated yet Nov 05, 2016
Google knows device locations, identities and all this stuff to ensure secure login, and sends a text to your phone to verify ones they aren't sure of. How much better could the NSA do it with all they know?

LOL.
Trusting Google with your information, you may as well just post it on social media for everyone to see.
luke_w_bradley
1 / 5 (1) Nov 05, 2016
"LOL.
Trusting Google with your information, you may as well just post it on social media for everyone to see."

That's the downside. If Google wants to log a stranger in with your credentials in that scheme, they can. But you have to admit, if they WANT you to have security, you will. They have so much data to validate a user, it's easy for them. I mean, they send a text to my phone, and see my phone is sitting in my kitchen, even use my phone's cam. That's the way to go, all you need is a trusted source to do it. Since unlike Google the NSA has all the power to get into things and pick all the locks anyway, why not let them manage the keys?
gkam
1 / 5 (4) Nov 05, 2016
I trust the NSA like I trust the FBI. Our intelligence and investigative agencies are now politically corrupted. The Bush administration got caught using the NSA for illegal spying on us, and it was not for "saving" us from anybody.

We need to get rid of them and start over.
Uncle Ira
3 / 5 (4) Nov 05, 2016
I trust the NSA like I trust the FBI. Our intelligence and investigative agencies are now politically corrupted. The Bush administration got caught using the NSA for illegal spying on us, and it was not for "saving" us from anybody.
So now you are classified security expert too?

We need to get rid of them and start over.
How are you going to do that? Geeze glam-Skippy, do you ever thing past the one stoned thought that pops into your head? Cher, just getting "rid of them" (100's of thousands of peoples)?

Please, I am begging you, please tell me how the finances, logistics, and dealing with crime, are going to work.

And if you have any time left over,,, please tell me how the finances, logistics and training of the starting over peoples is going to work.
gkam
1 / 5 (3) Nov 05, 2016
Please go back to Twitter, "Ira".

The CIA got caught spying on their overseers and the DOJ and the FBI seem to be corrupted. We need an investigation to root out politics. ABC News outed the NSA for illegally spying on us from room 641A, but nothing was done because it was the Dubya Bush Crime Organization which did it.

And stop begging.
Uncle Ira
3 / 5 (4) Nov 05, 2016
Please go back to Twitter, "Ira".

The CIA got caught spying on their overseers and the DOJ and the FBI seem to be corrupted. We need an investigation to root out politics. ABC News outed the NSA for illegally spying on us from room 641A, but nothing was done because it was the Dubya Bush Crime Organization which did it.

And stop begging.


So you are saying that "get rid of them and start over" was just for effect and you don't have any idea how you could actually go about it? No wonder we shouldn't trust you with secret information. (And putting up all your personal information for everybody on the interweb does not exactly give much confidence in your "experiences" in spy security stuffs.)
gkam
1 / 5 (3) Nov 05, 2016
"No wonder we shouldn't trust you with secret information."
-------------------------------

You don't have any, "Ira".

And since my clearance has expired, I do not have any "secret" (we call it "classified"), information, either.

Uncle Ira
3 / 5 (4) Nov 05, 2016
And since my clearance has expired, I do not have any "secret" (we call it "classified"), information, either.


Well okay, I'll bite. Just this once though, okayeei?

What is the clearance that expired? Is it like a license you didn't get renewed on time? And what is the difference between secret informations and classified informations? Maybe one is better than the other one or something entire different.
gkam
1 / 5 (3) Nov 05, 2016
One is the crypto clearance. When I left the group, I signed the form saying I was no longer cleared for cryptographic technology and information. I really do not need it, having no cryptographic equipment of my own. How about you? What you got?
Uncle Ira
3 / 5 (4) Nov 05, 2016
One is the crypto clearance.
Well that sounds good, but it don't explain the difference between secret and what you call classified

When I left the group, I signed the form saying I was no longer cleared for cryptographic technology and information. I really do not need it, having no cryptographic equipment of my own.
Well that's real nice. You still are not answering what difference is.

How about you?
I'm good, thanks for asking.

What you got?
The same question I started with.

Oh yeah, I almost forget. Were you clearanced for knowing about the Dog-Poo-SID project? Or was that one above your class?
gkam
1 / 5 (3) Nov 05, 2016
Your interest in canine excrement is no surprise.

But why are you following me around the internet? Got no life of your own?
someone11235813
not rated yet Nov 06, 2016
So many brilliant password 'solutions' that get ever more complex and easy to mix up. If you need lots of passwords just use a secure password manager that can generate ridiculously complex passwords and then use Diceware to create an easy to remember uncrackable password for the password manager. I can't see any other way until fingerprint scanners are on all computers.
Uncle Ira
3 / 5 (4) Nov 06, 2016
Your interest in canine excrement is no surprise.
I did not make that up. It was a real thing from back in the 60's in the Vietnam war.

But why are you following me around the internet?
Cher, how can I be following you when I was here before you? Skippy you are really bad at the interweb bickering stuffs.

Got no life of your own?
Yeah, same as you. You don't see me trying to tell you to go away. You act like you want the physorg to be your own private place where no is allowed to notice how goofy you are. The only place that is going to happen is the privacy of your own home (as long as you got the will power to not turn on the interweb and not act goofy where the neighbors can see you.)

Cher, if you don't like how peoples see you, show them something different because the Commander McBragg approach has been scientifically empirically irrefutably shown to be a technique you don't know how to make work.
gkam
1 / 5 (3) Nov 06, 2016
"You act like you want the physorg to be your own private place where no is allowed to notice how goofy you are."
---------------------------------------

Voting for Trump? You speak just like him, accusing others of having your character.

I discuss science, while you discuss me. Grow up.
Uncle Ira
3 / 5 (4) Nov 06, 2016
Voting for Trump?
Non, I already voted. I vote the straight Democrat ticket 99% of the time, like I did this time too.

You speak just like him, accusing others of having your character.
It's not working Cher. Accusing others of doing what you do and hoping nobody will notice.

I discuss science, while you discuss me.
See what I mean. Are you hoping that will cause peoples not to notice that you discuss you almost all the time? Your "experiences" is what makes you so much misere Cher.

Grow up.
See there? You can not help your self.
gkam
1 / 5 (3) Nov 06, 2016
Going upstream?

Start poling.

Meanwhile, let's keep to the topics. Your adolescent fixation on me will fade when you grow up and see there is an entire world out there.

Even more interesting than me.
stg
5 / 5 (1) Nov 07, 2016
If you want to use secure passwords (and you do) then you need to get out of the habit of trying to remember them. Your passwords need to be impossible to memorise. That way you'll be safe. Here's how you convert something that you can remember (a pattern) into something that you can't remember (endless strong and unique passwords) - passwordcoach.com.
hawkingsbrother
Nov 08, 2016
This comment has been removed by a moderator.
