{"id":10427,"date":"2016-11-07T09:38:47","date_gmt":"2016-11-07T09:38:47","guid":{"rendered":"http:\/\/revoscience.com\/en\/?p=10427"},"modified":"2022-08-15T14:30:59","modified_gmt":"2022-08-15T08:45:59","slug":"debunking-the-myth-of-password-security","status":"publish","type":"post","link":"https:\/\/www.revoscience.com\/en\/debunking-the-myth-of-password-security\/","title":{"rendered":"Debunking the myth of password security"},"content":{"rendered":"\n<p><em><strong style=\"color: #000000;\">As online security becomes more complex, we need to look beyond text-based user authentication to keep the \u2018bad guys\u2019 out, says a researcher at the Singapore Management University (SMU).<\/strong><\/em><\/p>\n\n\n\n<p><span style=\"font-weight: normal; color: #000000;\">SMU Office of Research &amp; Tech Transfer \u2013 When U.S. presidential hopeful Hillary Clinton was found to have used a private email server for government business as Secretary of State, there was a collective gasp of disbelief. That disbelief quickly turned into horror when it was later revealed that she did not even protect her office computer with a password.<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: normal; color: #000000;\">These lapses in computer security can be seen as downright negligent, in a time when major data breaches and leaks dominate international headlines on a regular basis. But it also draws attention to a more compelling question: just how secure are text-based passwords, really?<\/span><\/p>\n\n\n\n<p><span style=\"font-weight: normal; color: #000000;\">Associate Professor Gao Debin, a security researcher from the Singapore Management University (SMU) School of Information Systems, believes that there should be alternatives to the ubiquitous, text-based user authentication method. \u201cPeople tend to pick simple, easy-to-crack passwords, such as their date of birth or worse, \u2018password\u2019. 
These are not very secure, naturally leaving their computers and data vulnerable to the \u2018bad guys\u2019,\u201d he says.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">The issue is a timely one. A recent leak of 272.3 million email credentials, attributed to Russian hackers and including scores of Google, Yahoo and Microsoft accounts, was made possible by preying on less secure third-party websites whose users had reused the same email-and-password combination elsewhere: a password compromised on one site is compromised on every other site where it is reused.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\"><strong>Typing your way in<\/strong><\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">To address the growing concern over text-based password vulnerabilities, researchers have developed additional methods of user authentication, such as keystroke biometrics (also known as keystroke dynamics), which captures a user\u2019s typing patterns and rhythms as a means of identification. The concept rests on earlier studies showing that typing patterns are unique to each individual and cannot easily be imitated.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">However, gatekeeping via keystroke biometrics isn\u2019t foolproof, says Professor Gao, because an attacker may try to imitate the victim\u2019s typing pattern. How feasible that is in practice is the question his research explores.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">\u201cSpecifically, I work on attacks and defences. I look into new attacking techniques that the attacker would use in order to exploit a particular application,\u201d he says. \u201cI also work on the defence mechanisms\u2014how we can detect those attacks and stop them from happening.\u201d<\/span><br \/><br \/>
<span style=\"font-weight: normal; color: #000000;\">Crafty as they are, attackers can obtain a victim\u2019s typing pattern in several ways. One source is an \u201con-the-fly\u201d web application such as Google Instant, whose JavaScript front end sends a request to the server on every keystroke: the arrival times of those requests reveal the user\u2019s inter-keystroke timings to the server, and because encryption protects the content of each message but not the moment it was sent, potentially to anyone who can observe the traffic. Professor Gao and colleagues analysed this leak in a conference paper, \u201cKeystroke Timing Analysis of On-the-fly Web Apps\u201d, published at Applied Cryptography and Network Security (ACNS 2013), the 11th International Conference.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">\u201cWhen you type in a search query on Google, the result shows up immediately while you are typing, even before you hit the enter key or click on the search button. Therefore, for every single key that you press on the keyboard, there is a corresponding message being sent to the Google server,\u201d says Professor Gao, who adds that the same technique is used on Facebook and Twitter, among other websites.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">\u201cServers using such technology could potentially log down the timing of every single message, which would correspond precisely to your typing dynamics.\u201d<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\"><strong>The imitation game<\/strong><\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">Inter-keystroke timing, the interval between two consecutive key presses, is the most commonly used feature in keystroke biometrics. Professor Gao and colleagues set out to test the \u201cuniqueness property\u201d of keystroke biometrics: the extent to which a system can be fooled by an attacker imitating the victim\u2019s typing pattern.<\/span><br \/><br \/>
<span style=\"font-weight: normal; color: #000000;\">Recruiting 84 SMU students as attackers, the researchers first gave each participant 30 to 45 minutes of training with Mimesis, a feedback program they had developed. The program compares the attacker\u2019s timings with the victim\u2019s and gives positive or negative feedback, so that through incremental adjustments the attacker learns to reproduce how the victim types.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">Consider a scenario in which a keystroke-biometrics template database is compromised. The stolen templates contain exactly the timing parameters a trainer such as Mimesis needs, so an attacker could practise against a victim\u2019s profile and then impersonate that victim; and unlike a password, a typing pattern cannot be changed once it has leaked.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">\u201cFor example, it will tell you that the way that you type right now is slightly different from the victim\u2019s typing; or the inter-keystroke timing between A and S is shorter than what the victim types, so you better slow down a little bit when you are typing these two letters,\u201d Professor Gao elaborates.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">The results show that when a victim\u2019s typing pattern is known, imitation is possible, contrary to the findings of previous studies. The students could easily log in by impersonating their would-be victims, and 14 of them did so with an almost 100% success rate over a total of 200 attempts.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">Even an attacker with only partial information about the victim, for instance a handful of typing samples captured by a keylogger as the victim authenticates, could still achieve a reasonably high false acceptance rate.<\/span><br \/><br \/>
<span style=\"font-weight: normal; color: #000000;\">Professor Gao presented this research at the 20th Annual Network &amp; Distributed System Security Symposium (NDSS 2013) in San Diego, California. The paper, \u201cI Can Be You: Questioning the Use of Keystroke Dynamics as Biometrics\u201d, received the Best Paper Award.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\"><strong>Designing better, more usable interfaces<\/strong><\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">The experiments yielded several further findings: the simpler the password, the easier it is to imitate; male students were found to be better imitators than female students; and factors such as typing consistency, keyboard type and imitation strategy influenced the outcome much less than expected.<\/span><br \/><br \/><span style=\"font-weight: normal; color: #000000;\">Findings such as these could prompt a rethink of current keystroke-biometrics authentication systems, Professor Gao believes. Through this work he hopes to raise awareness of the weaknesses of keystroke biometrics, so that companies can configure their web services to provide the same functionality without compromising end-user privacy by leaking, for example, their keystroke timings.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As online security becomes more complex, we need to look beyond text-based user authentication to keep the \u2018bad guys\u2019 out, says a researcher at the Singapore Management University 
(SMU).<\/p>\n","protected":false},"author":6,"featured_media":10428,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43,17],"tags":[],"class_list":["post-10427","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computer-science","category-research"],"featured_image_urls":{"full":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"thumbnail":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988-150x150.jpg",150,150,true],"medium":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"medium_large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"1536x1536":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"2048x2048":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"ultp_layout_landscape_large":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"ultp_layout_landscape":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"ultp_layout_portrait":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"ultp_layout_square":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"newspaper-x-single-post":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"newspaper-x-recent-post-big":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"newspaper-x-recent-post-list-image":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",95,63,false],"web-stories-poster-portrai
t":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",300,200,false],"web-stories-publisher-logo":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",96,64,false],"web-stories-thumbnail":["https:\/\/www.revoscience.com\/en\/wp-content\/uploads\/2016\/11\/3988.jpg",150,100,false]},"author_info":{"info":["Amrita Tuladhar"]},"category_info":"<a href=\"https:\/\/www.revoscience.com\/en\/category\/computer-science\/\" rel=\"category tag\">Computer Science<\/a> <a href=\"https:\/\/www.revoscience.com\/en\/category\/news\/research\/\" rel=\"category tag\">Research<\/a>","tag_info":"Research","comment_count":"0","_links":{"self":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts\/10427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/comments?post=10427"}],"version-history":[{"count":0,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/posts\/10427\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/media\/10428"}],"wp:attachment":[{"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/media?parent=10427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/categories?post=10427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.revoscience.com\/en\/wp-json\/wp\/v2\/tags?post=10427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
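The "imitation game" section of the article above describes three things in prose: a verifier that compares inter-keystroke timings against an enrolled template, a Mimesis-style trainer that tells the attacker which digraphs to slow down or speed up, and the finding that even partial information (a few keylogged samples) yields a high false acceptance rate. The following is an added example that reproduces those three steps in working code; it is not code from the article, from SMU, or from the authors' Mimesis tool. The verifier is an assumed scaled-Manhattan detector (a common choice in the keystroke-dynamics literature, not necessarily the one the authors evaluated), and the password, all timings, the acceptance threshold and the attacker's adaptation rate are constructed assumptions.

```python
"""
Added example (not from the SMU article, nor the authors' Mimesis tool): a
minimal keystroke-dynamics verifier and a feedback-driven imitation loop that
shows why a known timing template defeats this kind of biometric.
All timings are constructed sample data in milliseconds; the password, the
acceptance threshold and the attacker's adaptation rate are assumptions.
"""
from statistics import mean, pstdev

PASSWORD = "passw0rd"
# One digraph per pair of consecutive keys: "pa", "as", "ss", ...
DIGRAPHS = [PASSWORD[i:i + 2] for i in range(len(PASSWORD) - 1)]

# Constructed enrolment samples: inter-keystroke intervals (ms) between the
# consecutive key presses of PASSWORD, one list per typing of the password.
VICTIM_SAMPLES = [
    [180, 95, 110, 240, 130, 150, 120],
    [175, 100, 105, 250, 135, 145, 125],
    [185, 90, 115, 235, 125, 155, 118],
    [178, 98, 108, 245, 132, 148, 122],
    [182, 94, 112, 238, 128, 152, 119],
]
# Constructed: how the attacker types the same password before any training.
ATTACKER_NATURAL = [120, 140, 160, 150, 200, 100, 180]

THRESHOLD = 1.5  # assumed operating point; a real deployment tunes this on FAR/FRR


def enrol(samples):
    """Template = per-digraph (mean, std-dev) of inter-keystroke time.
    The std-dev is floored at 1 ms so a very consistent digraph cannot make
    a single millisecond of deviation dominate the score."""
    return [(mean(col), max(pstdev(col), 1.0)) for col in zip(*samples)]


def score(template, attempt):
    """Scaled Manhattan distance: mean over digraphs of |x - mu| / sigma.
    Lower means closer to the enrolled user."""
    return sum(abs(x - mu) / sigma for (mu, sigma), x in zip(template, attempt)) / len(template)


def verify(template, attempt):
    """Accept the login attempt if its distance to the template is within THRESHOLD."""
    return score(template, attempt) <= THRESHOLD


def feedback(template, attempt):
    """Mimesis-style coaching: for each digraph typed more than one sigma away
    from the victim's mean, say whether to slow down or speed up and by how many ms."""
    hints = []
    for pos, ((mu, sigma), x) in enumerate(zip(template, attempt)):
        if abs(x - mu) > sigma:
            direction = "slow down" if x < mu else "speed up"
            hints.append((pos, DIGRAPHS[pos], direction, mu - x))
    return hints


def imitate(target, attempt, rate=0.5, max_rounds=20):
    """Train against `target` (the template the attacker knows or estimated):
    each round the attacker closes `rate` of the gap on every flagged digraph.
    Returns (rounds of adjustment needed, final timings)."""
    attempt = list(attempt)
    for rnd in range(max_rounds):
        if verify(target, attempt):
            return rnd, attempt
        for pos, _digraph, _direction, delta in feedback(target, attempt):
            attempt[pos] += rate * delta
    return max_rounds, attempt


def demo():
    """Run the three scenarios from the article and return their outcomes."""
    template = enrol(VICTIM_SAMPLES)
    # 1. Untrained impostor: rejected.
    untrained_ok = verify(template, ATTACKER_NATURAL)
    # 2. Attacker who knows the full template (e.g. a leaked biometrics database).
    rounds_full, trained_full = imitate(template, ATTACKER_NATURAL)
    # 3. Attacker with partial information: only two keylogged samples to
    #    estimate the template from, yet the result still passes the real verifier.
    partial = enrol(VICTIM_SAMPLES[:2])
    rounds_partial, trained_partial = imitate(partial, ATTACKER_NATURAL)
    return {
        "untrained_accepted": untrained_ok,
        "full_info_rounds": rounds_full,
        "full_info_accepted": verify(template, trained_full),
        "partial_info_rounds": rounds_partial,
        "partial_info_accepted": verify(template, trained_partial),
    }


if __name__ == "__main__":
    tmpl = enrol(VICTIM_SAMPLES)
    for hint in feedback(tmpl, ATTACKER_NATURAL):
        print("digraph %s: %s by about %d ms" % (hint[1], hint[2], abs(round(hint[3]))))
    print(demo())
```

With these constructed numbers the untrained attacker scores far outside the threshold, four rounds of coaching against the leaked template are enough to be accepted, and an attacker who only estimated the template from two keylogged samples is accepted by the real verifier after the same four rounds. The design point a practitioner should take from it is that the verifier's decision depends entirely on data that a server (or a stolen template database) already holds, and that, unlike a password, the victim cannot rotate their typing rhythm afterwards.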