4

It is well known that the analysis of the keyboard sound can reveal/hint at what keys were pressed when a password is typed.

One could mix in wrong characters (not belonging to the password) with strokes of Backspace, Arrows, Delete, Home, End, etc that in the end would remove these wrong characters and leave the original password in the field.

One example: I can type S and back-arrow in tandem (ok, S a little before the back-arrow). The caret now is behind the S. When I press delete, the S character is removed, making this a zero-sum stroke combination.

Assuming visual inspection is impossible (the attacker has "sound-only" data from the password typing), does this add any security?

  • 2
    Do you have reasons to believe someone would go this far to get your password? This technique isn't trivial to pull off successfully, and I wouldn't be surprised if it only ever works in lab environments without much ambient noise. – André Borie Sep 28 '16 at 17:51
  • 3
    If they know the sound of s what makes you think they would not know the sound of back-arrow and know what it does? – paparazzo Sep 28 '16 at 18:20
  • @Paparazzi I don't know. That is why I tagged the question as such. – Mindwin Remember Monica Sep 28 '16 at 18:51
  • The attacker will still have all the chars you used in your password, and it's easier to iterate over a few chars than using all the possible chars in the ASCII (or UTF) table. – ThoriumBR Oct 03 '16 at 21:44

3 Answers

3

I know some people that combine keyboard and mouse when typing passwords. They would type a piece of the password and then click moving the cursor between previously typed characters and insert new characters.

The idea is that the whole password is not typed in sequence. It is supposed to make keyloggers less effective.

Obviously this doesn't work with all password prompts.

stuffy
  • 166
  • 1
  • 6
  • It doesn't defeat all keyloggers either. In particular software can log mouse movements, and I'd be less likely to trust the software on a borrowed machine than the hardware. – Chris H Sep 29 '16 at 09:16
  • 1
    If an attacker knows the characters that a password is composed of, they can almost certainly reconstruct the password from it by trial and error. A 10-character password has fewer than 4 million possibilities, which is few enough to exhaustively search even if a slow hash (bcrypt/scrypt/argon2) was used. If it's a Diceware-style passphrase consisting of multiple words, it's likewise pretty easy to narrow the search down to a plausible list of words that only need be recombined in all possible orders. – Stephen Touset Oct 03 '16 at 21:49
0

This technique of password editing won't protect you against noise eavesdropping. The sounds emitted by the keyboard will carry all the editing keys.

This technique won't protect you against electromagnetic wave eavesdropping. The keyboard motherboard's electronic bus will carry the keycodes of all the editing keys.

But this technique will protect you from the neighbour spying on your password typing over your shoulder. This technique will partially protect you against video surveillance cameras if you are aware of them and hide what you are typing.

dan
  • 3,043
  • 14
  • 35
  • what if Mindwin stored a section of his password in a text file and copied and pasted it into the password field or had a program that wrote that piece of text to the clipboard to be pasted into the password field and then typed the rest using the typing method described? That would defeat the noise and EM eavesdropping wouldn't it? – mcgyver5 Sep 28 '16 at 19:09
  • Maybe some keyloggers, also. And gosh, that sounds cool. [If only we had a tool like that](http://keepass.info/help/v2/autotype_obfuscation.html). – Ben Sep 28 '16 at 22:22
  • @mcgyver5 it wouldn't help with the logon password though – Chris H Sep 29 '16 at 09:16
0

If you are worried about an audio-only attack, step one is to do everything you can to secure your physical premises.

When dealing with keyboard snooping, know that typing cadence could be used; certain keystrokes and "words" are easier to type than others, so typing at a different speed or with a different position of your hands (e.g. rather than home row and touch-typing). This technique is used in certain setups in order to determine who is entering the pass phrase and if there is any possible duress.

To combat key loggers, I suggest using a soft keyboard. Move the soft keyboard’s window around periodically (and don’t put significant chunks of your pass phrase on the clipboard!) As a distraction, have a separate window to enter random text in between segments of your pass phrase (it doesn’t need to accept text; clicking outside the password box on a website should be sufficient). These techniques should also fare decently well against audio-only snooping and passive shoulder-surfing.

Regarding pass phrases that contain backspaces, deletes, and arrow keys, there are ways to make that work favorably as well. Consider a word-based system like correct horse battery staple. This is secure because each word represents about 100k possibilities, so the password has 66 bits of entropy (log₂(100k⁴)). However, if you manipulate those words into things that are not in dictionaries, your entropy increases. I wrote about how some of these can be calculated in another answer (TL;DR: multiply the number of permutations by 2⁶ once each for: L33t speak, raNdOM case, and errrorz).

Consider this scheme:

  1. Generate a 4-5 word pass phrase with completely unrelated words
  2. Press the Home key
  3. Enter a second password with each character delimited by a prescribed number of key presses (e.g. 1,1,1,1…; 0,2,0,2…; 1,3,1,3…; 1,2,3,1,2,3…; or even an initial 3 then 1,2,1,2…)
  4. Repeat the second password until you have reached the end

For example, correct horse battery staple plus the rare word troubador combine to become ctorrreoctu hborased boatrte ryt srtaoplue (I started with a left arrow press, moved two characters at a time, and put a space between the two instances of troubador).

When computing password entropy, always assume the worst-case scenario: that the attacker knows your password scheme. That means this password’s entropy comes from five words (100k⁵), times the ~4 options for where to start the final code, times the ~5 options for movement patterns, yielding over 87 bits of entropy (log₂(100k⁵×4×5)).

A simpler example using correct horse battery plus staple starting immediately and moving three characters at a time becomes scortrecat hporsle beatt erys with 71 bits of entropy (vs the correct horse battery staple’s 66).

(This scheme may or may not fool a key logger. Because it messes with your typing patterns, it should fool an acoustic recorder, but I’m not an expert at those; maybe they are sensitive enough to recognize certain common keys?)

Be sure there is no length limit! Word-based passphrases only work with 14+ characters.

Adam Katz
  • 10,418
  • 2
  • 22
  • 48
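
An added example (not from any of the posts above): a minimal text-field model that replays a keystroke transcript. It covers the question's zero-sum S/Left/Delete combination and the interleaving scheme from the last answer, and shows that the field content is a deterministic function of the full key sequence, editing keys included. The key names, function names, and the reading of the first interleaving example as a one-position initial caret move are assumptions of this sketch.

```python
import itertools

def replay(keys):
    """Apply a keystroke transcript to an empty text field; return its content.
    Single characters are typed literally; longer names are editing keys."""
    buf, caret = [], 0
    for k in keys:
        if k == "Home":
            caret = 0
        elif k == "End":
            caret = len(buf)
        elif k == "Left":
            caret = max(0, caret - 1)
        elif k == "Right":
            caret = min(len(buf), caret + 1)
        elif k == "Backspace":
            if caret > 0:
                caret -= 1
                del buf[caret]
        elif k == "Delete":
            if caret < len(buf):
                del buf[caret]
        else:
            buf.insert(caret, k)
            caret += 1
    return "".join(buf)

def interleave_keys(base, second, first_move, step):
    """Keystrokes for the interleaving scheme: type base, press Home, then
    repeatedly move the caret right and insert the next character of the
    second word (repeated, with a space between repetitions)."""
    if step < 1:
        raise ValueError("step must be at least 1")
    keys = list(base) + ["Home"]
    remaining = len(base)              # base characters right of the caret
    inserts = itertools.cycle(second + " ")
    move = first_move
    while remaining >= move:           # stop when a full move no longer fits
        keys += ["Right"] * move
        keys.append(next(inserts))
        remaining -= move
        move = step
    return keys

# Constructed transcript: "pass" typed with the question's decoy S.
ZERO_SUM = ["p", "a", "S", "Left", "Delete", "s", "s"]

if __name__ == "__main__":
    print(replay(ZERO_SUM))
    print(replay(interleave_keys("correct horse battery staple", "troubador", 1, 2)))
    print(replay(interleave_keys("correct horse battery", "staple", 0, 3)))
```

Anyone holding the complete transcript, whether from a keylogger or from audio in which the editing keys are also recognisable, can run the same replay; the decoy strokes only help if those keys cannot be distinguished.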