Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Tactile Passwords vs Shoulder Surfing 115

holy_calamity writes "Entering passwords using a tactile interface would remove two of the main vulnerabilities of using keyboards and alphanumeric passwords say UK researchers. They're using sequences of tactile icons on a VTPlayer tactile mouse instead. Shapes are displayed using the 16-pin tactile displays under the user's fore and middle fingers. As well as being almost impossible for anyone else to observe, tactile passwords can't be guessable in the same way as many conventional ones, they say. A video shows it all in action." Not that the video really helps explain it very well.
This discussion has been archived. No new comments can be posted.

Tactile Passwords vs Shoulder Surfing

Comments Filter:
  • being almost impossible for anyone else to observe
    Except for Superman...
  • by rs232 ( 849320 ) on Monday October 09, 2006 @08:34AM (#16362787)
    You don't need any special tactile mouse. The same could be achieved using a clickable image map showing a keypad with the numbers in random locations. You get a different map each time you enter the site. So keyloggers wouldn't be of any use.
    • by The Evil Couch ( 621105 ) on Monday October 09, 2006 @08:36AM (#16362805) Homepage
      However it would be clearly visible to anyone looking over your shoulder. Even more so that the tradition keyboard password entry.
      • Re: (Score:3, Insightful)

        by rs232 ( 849320 )
        "However it would be clearly visible to anyone looking over your shoulder. Even more so that the tradition keyboard password entry."

        Actual pin is 1234

        Standard keypad layout ..


        The screen shows ..


        You click on 8473. The next time round it's a different keypad layout.
        • by Arimus ( 198136 )
          Why not replace the fixed labeled keys with keys with microscreens and change which key is which each and every time - then put a screen around the keyboard so that when you stand behind/next to someone the angle of view is such that you can not make out the legends... then knowing the pattern of keys is useless.
          • Re: (Score:3, Interesting)

            I worked for a company, now part of Honeywell, that made access control keypads that work exactly how you describe. It was a really good product, but for the life of me, I can't remember the name of it.
            • Hirsch makes these, I think they call them Scramble-Prox or something like that. You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.
              • by rs232 ( 849320 )
                "You present your badge and then enter a PIN on a keypad that scrambles the layout after each user."

                Another good idea I should have patented ..
              • Thank you. Hirsch was one of our clients and the one for whom I worked. I even went there in 2001. They are nice folks with some neat products.

                Are you allowed senior moments when you are only 41?

                • I certainly hope so being 41 myself. If we're not then I'm going to blame it on all the brain cells that valiantly gave their lives so that I might drink in college.
                  • The problem is that I didn't drink all that much in college. I'm finding more and more that while my memory doesn't seem to be really decreasing, it takes me significantly longer to pull up names (especially of places or people) that I haven't thought of in a while. I also have the attention span of a gnat when it comes to appointments and other mundane details, but I can't blame that on age, as I've always been that way. I was late for my own birth.

              • by Fred_A ( 10934 )
                You present your badge and then enter a PIN on a keypad that scrambles the layout after each user.
                Much more simple would be using wheels driving the display of numbers ( a bit like on luggage) and a "validate PIN" button. The terminal could reset the values to something random (or to 0000 or whatever) as soon as the validate key has been pressed.

                That would make it very hard for an onlooker to read, especially with recessed displays.
            • Re: (Score:3, Interesting)

              by Peyna ( 14792 )
              The federal building I work in has these keypads on every secure door within the building. (Exterior doors have manned guards and RF card access for employees).

              Another nice feature is that the numbers that are randomly displayed in different places are only visible when viewed straight on; so the guy standing next to you might see where your fingers go, but he won't see what number was displayed on that key at that time.
              • by Peyna ( 14792 )
                ScrmablePad [hirschelectronics.com].
                • by Tordek ( 863609 )
                  Wow, you even scrambled the letters to show an example!
                  • These are great devices and are used in a lot of places around the U.S., including some of our major airports. I haven't been involved with Hirsch in over 4 years, but I always figured they'd be around for a long time. It's not particularly high-tech, but it's solid, flexible technology, which after all, is all anyone should really want.

          • Re: (Score:2, Insightful)

            Like an Optimus Keyboard [artlebedev.com]?
            I can't help but think that it would take too long to find each individual key. I suppose they could just display the numbers that are in your PIN and perhaps put them in the correct order so that it would be easier to find them.
            Why dont they ask for just 2 or 3 numbers from your PIN, like the way they do on online banking systems? Works well for me...
        • by Tim C ( 15259 )
          I'm shoulder-surfing you.

          Actual pin is 1234

          I don't know that.

          Standard keypad layout ..

          I know that.

          The screen shows ..


          I can see that.

          You click on 8473.

          I see that.

          The next time round it's a different keypad layout.

          But that doesn't matter, because the first time round I mapped 8473 to 1234 in my head as I watched you do it.

          This is security through obscurity; it relies on one or both of:

          1) me not realising that the keypad represents the "normal" numeric keypad, mixed up
          2) me not being able to perform
          • by rs232 ( 849320 )
            "This is security through obscurity"

            Well, yea, the method fails the logic test. Another poster mentioned a real keypad that scrambles the numbers. With a shield around the keypad then I would assume that shoulder-surfing wouldn't work.
            • Or you can use the low-tech method I use - I cover the keypad with the hand that isn't entering the PIN. Or, position yourself so that only your back is visible to the person behind you. Sometimes people give me strange looks, but screw it - I'd rather be paranoid and have money in my bank account than overly trusting and broke.
      • uh- no ING uses this for login, it looks like a keypad, but you the letters (more than one to a box) move around per login

        so you are presented with a grid of letters over nine boxes about three in each box. and you click your letters...
        asteriks appear in the box- what they represent, a shoulder surfer couldn't know.

        if my pinword is "spaghetti" then I click boxes to follow that word, next time- it'll be different boxes.
    • by chalkyj ( 927554 )
      The same could be achieved using a clickable image map showing a keypad with the numbers in random locations.

      TFA says that they're looking into using it for ATM machines. An image on an ATM machine would be considerably less secure than a keypad type device.
      • Re: (Score:2, Funny)

        using it on Automatic Teller Machine machines?

        good god it's brilliant!

        they could be connected via Network Interface Card cards!
        • Easy mistake to make though. "ASP page" is the correct use of the acronym ASP, even though it actually means "Active Server Pages page".
        • by Fred_A ( 10934 )
          Actually it only works on automatic ATM machines when you enter your personal PIN number.
    • Re: (Score:3, Insightful)

      by sxpert ( 139117 )
      that pretty dumbass comment doesn't take into account that some people are blind, thus can't see the pretty pictures on the stupid screen
      • by rs232 ( 849320 )
        "that pretty dumbass comment doesn't take into account that some people are blind", sxpert

        Ok, It was just a suggestion, the idea probably needs a little more work. How do the visually impared use the VTPlayer when they have to ..

        "a user moves the mouse over a grid of nine blank squares displayed on a computer screen"
      • not to mention the fact there's a new "keylogger" that grabs the small rea around the mouse pointer as it's moving on the screen and so can capture the relevant parts of the image to get the password...
      • While true, ATMs often have voice interfaces too if you have headphones handy.

        That pretty much cuts out shoulder surfing since the ATM can communicate with you and only you.

        One possible scheme would be that the ATM would tell you via a tone if the next character should be legit, or bogus. Bogus ones would be ignored, the legit ones would form your PIN. As long as the order and frequency of the legit vs bogus keys were sufficiently random, knowing the digits and order wouldn't make a difference.
    • Don't forget the blind people. They must be able to sense the '5' key. It's a requirement when designing a payment terminal.
    • by Spurion ( 412996 )
      Do you actually know your PIN? I just remember the shape of the key sequence I need to press - it's all in "muscle memory". I have to think quite hard to know what the actual numbers are so I'd be pretty much stuck with the interface you suggest :)
    • ...by malware.

      http://www.boingboing.net/2006/09/18/onscreen_bank site_ke.html [boingboing.net]

      "The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.

      The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when using the virtual keyboard, so that he gets the username and password
    • http://www.artlebedev.com/everything/optimus/ [artlebedev.com]
      Might be perfect for such a situation, with a firefox extension to change the keys.
    • My bank does something similar with their online banking. They put up a clickable image of a keyboard and make you key in your PIN/password by mouse. It is a complete PITA. Plus, it takes me much longer to mouse click it in that to punch it in on the keyboard, so it seems like it could be even more at risk of shoulder surfing.
    • ING Direct bank [ingdirect.com] does something like this for logins. There are a series of numbered icons in the same pattern every time, but they have a random map of letters assigned to them. You can click the icons or enter in the corresponding letter sequence if you are extra paranoid.

      1 2 3
      4 5 6
      7 8 9

      P G M
      R C W
      Q Y K

      Note these are together on the same icons.
      If my pin is "12345", I can click the icons with my mouse, or enter in "PGMRC" into a text box. You are not allowed to enter numbers in the
  • by badfish99 ( 826052 ) on Monday October 09, 2006 @08:37AM (#16362813)
    No wonder that the video does not help to explain it very well. TFA says "it is almost impossible for anyone else to observe"
    • This appears to work by giving tactile feedback when your mouse cursor touches one of the password elements (squares) so you click there and not elsewhere. At least, that's the simplest way I can imagine it would work.
      • by Kijori ( 897770 )
        That wouldn't work - that way anyone could do it! There is tactile feedback for every square - you have to identify the particular pattern of pins that represents each 'digit' of your PIN.
  • suffers a melt-down @ 8:35am EST on Monday morning.
    • I'm not so sure: YouTube has one of the biggest tubes of the whole internets, the clue's in the name.
    • by Speare ( 84249 )

      Oblig: YouTube is not like a truck you can just dump a bunch of video on.

      How do you figure that the demand on one boring nerdy video at 8:35am EST Monday is going to somehow be more than the demand for five thousand videos of a pair of mock-slutty half-drunk teen girls singing Britney songs in their kitchen, viewed at 8:35pm PST Thursday evening?

  • Er... (Score:3, Insightful)

    by tygerstripes ( 832644 ) on Monday October 09, 2006 @08:47AM (#16362885)
    Well... it is an interesting concept, and I like how they've made it work. Thing is, the problem is never the system, but the people using it. Shoulder-surfing shoudl be nigh-on impossible when the user touch-types at anything approaching a decent speed - it's the two-finger-jabbers who make it easy. The passwords themselves are only easy to guess because people are total gimps.

    Cool though this tech is, there is nothing so clever that fools can't render it worthless.

    • In the case of normal humans, I agree with you regarding shoulder surfing not being a horrible problem.

      However, with the arrival of smaller and smaller video recorders, this could indeed be a decent solution for those forced to use passwords at terminals in (more) public places.

      Though, the smaller entropy pool would likely become a problem if measures aren't taken to counter brute-force attacks...
      • There's an additional two things I do other than touch-typing to throw people off: I use Dvorak, and I (used to) have a five-second timeout on a password that takes me 2 and a half seconds to type. If someone got my password, they almost certainly couldn't type it fast enough.
        • Better hope you don't break a finger...
          • Given sufficient time alone, I could use bootloader tricks and such to gain access -- the timeout isn't absolute. But I dont do this anymore, and I've never broken a finger.
            • Sure -- I suspect most of us could hack our own configurations if we needed to -- Given physical access, unless you have strong encryption, it's always possible.

              However, if you did manage to break a finger (or even end up with an arm in a sling for a while) it would be a royal pain if you didn't have a backdoor.

              Personally, whenever coming up with an "inventive" password entry scheme, I always leave a second way in, a long complex password I memorize the way to reconstruct it, but never use, so it can't be o
              • I use 21-26 character passwords that I construct out of sentences for important stuff. Then I attach a meaningful string of numbers to the end of it to make it a stronger password. The length of the sentences makes it pretty difficult to use a dictionary and the rules of the language to narrow down what I'm typing, especially if I reference things that people who don't know me wouldn't understand. In my case, proper nouns make my password stronger. I use the sentences as mnemonics so I can reconstruct the p
    • I agree that it's mostly the people using the technology as opposed to the technoogy itself. Sometimes the environments aren't very well thought out, though.

      I always pay attention at ATMs and public terminals. I've noticed that 1) most people make absolutely no effort to hide their keystrokes and 2) most establishments make no effort to hide the little pad people use to enter their passwords or PIN. The absolute worst are those internet cafes that put people with their backs to a street-facing window so
    • We praise ourselves of being very fluffy clever, nevertheless we haven't squared a simple solution to the authentication problem.

      Or maybe there are no simple solutions, but people that are not familiar or comforatable with IT should not be denigrated for solutions that are clearly inadequate, difficult, or both.
      • I'm more of a user than a professional, and it still galls me what the IT support guys have to put up with (and what we have to put up with from them, but that's a different issue). The policy on passwords is clear: we're told how and why to keep our passwords secure and difficult to guess, and it's pretty much common sense anyway. It's easy to bleat that "fools will be fools", but that doesn't mean they don't deserve berating for their own stupidity. They're the first to moo when things go south, and they
    • by slocan ( 769303 )
      Maybe developing a new password input device is easier done, than changing people's habits.
  • by AnimeDTA ( 963237 ) on Monday October 09, 2006 @08:50AM (#16362901)
    Being bored at work, I took up using the Dvorak keyboard layout. My passwords however retain the same unconcious keyboard patterns as they did on a standard keyboard. Without even thinking of what my password is I can type it. For a while I didn't even know my own passwords were... this proved to be a problem when i had to check email and wasn't at my computer. But it definately ends the shoulder surfing for passwords.

    I ended up typing my passwords a few times in notepad and memorized the gibberish that is my password now. Other than that I'd have to be trying to know what my fingers are pressing when i go into password mode.
    • Re: (Score:3, Insightful)

      What you just have one password? One password for all your accounts? The same password for the accounts in your work, for your accounts with your bank and brokerage account, and for the web mail and for the rarely visited "registration required" sites? That is insane.

      My personal password policy: I have four kinds of passwords. The highest and most secure ones are for the work accounts and my financial institutions. The next ones are for the web merchants who know my mailing address and credit card numbers

      • Given all the references to "passwords" in the GP, I'd take it that he is also using multiple passwords.
      • This, more than anything, shows the failure of passwords. Few people are willing or able to memorize numerous passwords. That's why I don't use them for anything that needs to be really secure. I have a bank password (and PIN), but that's about it. My E-TRADE account uses a cryptographic-RNG-based system and I use key-based authentication for SSH.
  • 16 mechanical pins, that is 16 bits of information, two bytes, typically equialent to two ASCII characters. Most passwords are required to be at least five characters. Add to that the fact that many pin-combinations are not useable because they are hard to distinguish, I would guess that amounts to maybe a few hundred usefull passwords. Not so secure then is it?
    • The 16 mechanical pins are used to create the braille characters, you don't poke them down individually to creat you password. Check out the video or the article, they help. On another note, i think that something like this is a major advantage in defending against password theft through video recording as most of the action is happening under your fingers and is therefore impossible to intercept.
      • you are right, but this only makes it worse! The article mentions nine blank squares on a screen from which to choose. That means if I steal someone's ATM card, and if I get three chances (as is the case now with typing a PIN code) to guess the right square, that means I have 33% chance to hit the jackpot!

        Obviously, having more squares reduces the chance of succesfully guessing the password, but scanning lots of squares with a tactile mouse will take for ever.

        The best solution I can think of is to have only
        • From TFA:

          The sequence of tactons and squares is randomised each time

          So for each try you always have 1/9 chance to hit the jackpot, no matter how many times you try.

          With this system, the number which you should compare to the 8 bits character for traditional passwords would be the number of tactile patterns your finger is able to recognise (at least as many as braille characters ?) This number would then be multiplied by the number of patterns you have to recognise (4 in their experimental set-up).

        • I think the idea was that you are inputting a password (the normal 5+ characters) except that you can't see what you're inputting, you can only feel it. You password could still be 1-2-3-4-5, which means you float your mouse over the nine boxes looking for the one that causes only one bump to pop up on your mouse. You click that box. Then you do the same for the next number, and so on, and so forth.

          I must say, however, that this will be quite time consuming. I'm not sure if the boxes reset after every

  • This obviously won't work for someone without the use of both hands, or who has the feeling removed from their hands (a stranger?). However the biggest problem I would see is for the everyday person who may not be able to tell enough of a difference between each touch thingy to be able to enter their touchcode reliably a majority of the time. Though I suppose we'd learn if we had to, it just seems that the main reason why the blind get really good at reading braille is because they don't have a choice, no
  • This device is a very nice and tender approach to a problem.

    Sort of like killing a fly with a bulldozer.
  • Anyone else see a conflict between those two statements:

    ...being almost impossible for anyone else to observe..... ...A video shows it all in action...

    I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.

    That could make it hard to quickly enter a password even if you know it.


    The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password

    • Re: (Score:2, Insightful)

      by mxolisi06 ( 1009567 )

      I suppose the solution to this paradox is that the tactile mouse will display pointer only during tests, and in actual situations nothing will be observable.

      In actual situations, as the name "tactile" suggests, the user's fingers will lay on the pads, so nothing will be observable.

      The biggest flaw of this method is that it does nothing for keyloggers. Yea, maybe if your boss wants to know your password by peaking over your shoulder, it'll help. It won't help to protect you from your competitor or a bla

  • This will sound crazy. But, I recently saw a review for a keyboard that had little organic LCDs for each key. Now, I'm not saying thats a good idea, infact, it sounds like a huge waste of energy. However, you could do what other people are suggesting, and that is change the key map each time, and have those little screen personal protector things on it. I forget what they're called, but you can buy them for your PC, and laptop, monitor, and it will reduce the viewing angle to the person sitting immediately
  • ... no one has thought of the lepers.
  • My Solution (Score:3, Funny)

    by thorkyl ( 739500 ) on Monday October 09, 2006 @09:29AM (#16363245)
    Let's just put small DNA testers on each PC.

    Then all you have to do is stick something in the hole to donate a blood sample.

    Stupid people breeding has lead us to the current government
  • by john-da-luthrun ( 876866 ) on Monday October 09, 2006 @09:34AM (#16363305)
    I dread to think what the "tactile" password for a pr0n site would be like...
  • Easier solution (Score:4, Interesting)

    by 3Suns ( 250606 ) on Monday October 09, 2006 @09:38AM (#16363357) Homepage
    I've always made sure that my passwords contain a string of easily-typable letters consisting primarily of alternating-hand homerow keys, to complement the numbers, punctuation, and capitalization elsewhere in the password. Since you can tap out those letters so quickly without moving your hands around dramatically, it makes it much more difficult for anyone to eyeball your password.

    I've seen countless stories about dedicated password-entry hardware, but none of them (with the minor example of insecure fingerprint scanners) have made an impression. Purpose-dedicated hardware rarely does.
    • Re: (Score:2, Funny)

      You sir are correct, this is the way to go when creating a password.

      Me, I have yet another layer of protection : my keyboard is labelled in standard French Azerty, but I use a french Dvorak layout (I have no need to change the labels since Dvorak layouts are designed for touchtyping).

      It's very funny when the co-workers try typing stuff with my keyboard :) For example, this is "Hello, World!" typed as if my keyboard was Azerty :

      Cpnnlq Àloniw

      (funnily enough, that's also "Hello, World" in Gaelic.

  • Won't these types of access codes be even harder to remember?
    Imagine these at a job where you're forced to change codes regularly.
    • by pyhack ( 988967 )
      Agreed. And how many passwords (or even ATM pins) do people typically have? OK, I'd use it for entry to my secret underground lair - but YouTube, Google, Amazon, Travelocity, Ticketmaster, etc will have to stick with qwerty/numpad for now.

      Oh, I shouldn't said that!

  • by aix tom ( 902140 )

    > On average, the volunteers took 38 seconds to log on

    So now I need about 4 to 5 seconds to log on. (Just tested it)

    Considering that the system needs a special mouse and a special login interface, too, why not get a mouse with a finger print reader and use that login interface?

    I would also imagine Joe User will be trained faster to "put your finger there, dude", then to feel and remember the tactile pattern.

    • I would also imagine Joe User will be trained faster to "put your finger there, dude", then to feel and remember the tactile pattern.

      Won't work. The whole point, I think, is that the grid changes, but the code stays the same. Therefore, you can only tell where the "key" is by touching it. This is also why it's immune to shoulder surfing.

  • I'd say a lot of office users use the same password all over the place (although they shouldn't). IBM's finger print reader on the notebooks gets rid of the shoulder surfing password issue to some degree. This helps reduce casual password 'lifting' I'm sure. Does the fingerprint reader count as a tactile interface?
  • Got rhythm? (Score:4, Funny)

    by bromoseltzer ( 23292 ) on Monday October 09, 2006 @10:09AM (#16363661) Homepage Journal
    As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.
    • by smithmc ( 451373 )

        As a radio amateur (old school, 20 words per minute Morse), I would be very happy to key in my password entirely on the "J" key.

      But then every Rush fan in the world would have the same password: -.-- -.-- --..

  • Why not make authentication systems three factor: something you have - the card, something you know - the pin, and what you are - biometric -finger print. With the false +ve/-ve rates you can't rely on finger print readers alone but combined with the other two factors you can make a secure system which even if I give you my pin is no use.

    Make sure though the fingerprint key is not stored on the card ;).
  • Type this in a term: *
    ps -A |md5sum

    This will ALWAYS give you a different result, and it is not reproducable/predictable.

    *Windows users need not apply

    Now, to 'remember' is a different story. I'll let you figure out your own method.
  • Interesting idea, but as implemented, you'd need a password that is rather long. For each tacton, you are choosing 1 of 9. That's 3.17 bits. You'll need a pretty long sequence to get decent password strength out of that.

    When memorizing a password, I think length is more important than the number of possible symbols at each position, when it comes to difficulty of memorizing. Memorizing 10 decimal digits is easier than memorizing 32 bits, for example.

  • by obtuse ( 79208 ) on Monday October 09, 2006 @12:31PM (#16365525) Journal
    I used to support Point of Sale systems at a local sporting goods chain, and often would be at the store working with the manager hanging around learning what they could (always appreciated.) I had a great boss, and she gave me a graceful technique for avoiding shoulder surfing in that situation. You have to be able to touch type your passwords.

    Talk to the person, and look them in the eye while you type your password.

    Not gonna work for all situations (ATM Pin) but incredibly effective where there is only one person who really presents a risk, and really, how often are you working in a crowd?

    OK, Classrooms just suck, so you have to rely on flying fingers sometimes, but I did find it to be useful when "that kid" was hanging around the same way. "That kid" could be a proto-geek, or a hacker wannabe, but I always did what I could to educate and make conversation. Hey, you're interested? Cool! Kids (even teens) respond really well to being treated like people. And, the conversation made it easy to type my password without _him_ seeing it. No need to tempt 'em.
  • Can't somebody just make a pane that is transparent to someone standing on front of the keyboard, but not visible to anyone outside of a very small viewing angle? For example: a thick mesh it visible only from straight-on. From other angles you see the sides of the mesh.
    • What you describe has been done, but why not just rely on touch-typing and make it impossible for ANYONE to see the keyboard?
  • We need laser beams that can find prying eyes and burn them out of the owners skull. That would put a stop to it.

    BTW: If anyone finds such a technology let me know. I need this for what I'm surfing slashdot at work too.

To do two things at once is to do neither. -- Publilius Syrus