Secure Passwords with a Beat

Tuesday, May 17, 2011 @ 05:05 PM gHale

Passwords are the beginning of a solid security posture. It’s very simple, a complicated password means your system is secure. But there are always ways and means for those with malicious intent to hack, crack or socially engineer access to a password.

There is now a new approach to verifying passwords that also takes into account the speed with which a user types in their login and the gaps between characters would render a stolen password useless.

That is where Key Pattern Analysis (KPA) comes into play. Previous efforts in KPA have not turned out in a positive manner, but computer scientists from Beirut now understand the shortcomings of previous attempts.

KPA is an attempt to scrutinize the speed with which a user taps the keys as well as measuring the gaps between keystrokes, the beat of their typing. Experts also tested KPA with modified keyboards that measure the force with which a user presses the keys. The result can be a biometric profile of the way an individual user types in their password. If the biometric does not match the user then the password fails even if it is “correct”.

A modified keyboard would be very inconvenient to an organization or individual, said Ravel Jabbour, Wes Masri and Ali El-Hajj computer scientists at the American University of Beirut, in Lebanon. They explained how previous attempts at KPA failed if the pressing of two keys overlaps. Early efforts also focus on “inter” timing, the time lag between pressing one key and the next, which is not adequate to ensure a password is usable only by the legitimate user.

The team instead has incorporated “intra” timing that measures how long each key remains depressed, which they say gives them the beat of the typing and is a much more robust parameter.

The program gathers information about how the user is typing in their password by recording the electronic signals from a standard keyboard as the user presses and releases keys. The program then compares the pattern of the password typed with a pre-stored pattern recorded when the account is initially setup. A user would then repeatedly type their password at the login registration stage to record a reproducible typing pattern. The validation algorithm then looks at the various parameters, intra and inter timing the relationships between two keys (digraph), three keys (trigraph) and up to the number of keys that are the password length.

Obviously, a longer password will provide a more complicated profile of the person’s typing and so reduce the risk of the typing of anyone else typing the password with the same timing pattern as the legitimate user. There is a trade-off, of course, too long a password and even a legitimate user is unlikely to reproduce their typing pattern accurately every time they enter the password. The system can also take password distribution into account by creating KPA groups for the same password for those users eager to share their passwords with friends and colleagues without impinging on the security of the system, the team said.

Leave a Reply

You must be logged in to post a comment.