Are "smart" passwords a reality yet?

No cite for this, but I have a memory of reading an article several years ago – when the internet was starting to explode in popularity and people were just beginning to get worried about on-line security – that predicted “smart” passwords would eventually be the norm.

Instead of just a series of characters, these passwords would incorporate back-spacing, pauses, and/or rhythmic typing patterns to further thwart would-be hackers.

I haven’t heard of anything like this actually happening yet, but it’s an interesting idea. Is such a thing being developed or even used, maybe by government agencies or in technical or financial circles?

I think biometrics has gotten more interest over the years, as opposed to the “smart” passwords you mentioned.

I did hear some murmurs a couple weeks back about analyzing the “way” you type your password in, and then verifying that additional vector against the password itself, which was quite interesting.

Three-factor authentication (like SecurID) is widespread and a lot easier to implement, from a technical perspective. (And a lot less ambiguous – just how many microseconds between the third and fourth characters are allowed, and what’s the tolerance? God forbid you sneeze in the middle of typing your password; they’ll think you’re an angry hacker.)

Biometrics are pretty commonplace these days - many Bloomberg subscribers will be familiar with what is both the hassle and the convenience of a B-Unit.

I’ve seen quite a few online passwords that can’t just be typed in; for example my PokerStars account has a conventional password, an RSA dongle (basically it changes numbers every minute and you type that in) and a 6-digit code which has to be input by clicking on numbers, which are in different places each time.

Seems to me that a ‘smart’ password which relies on rhythm would discriminate against those of us without any sense of that, while there is no real use in a backspace - it’s just another character.

One final thought: PGP and quite a few other things use mouse movements to help generate the seeds for their random number generators; thus it is pretty likely that if they’re random enough for that they’re also too random to be used for recognition.

Nitpick - SecurID is two factor authentication, something you know (the pin) and something you have (the token). Your userid isn’t considered to be part of the secret.
/nitpick

On my Android-based phone you can assign your own gestures used to unlock the phone. That’s the closest I know of to what the OP describes as a smart password.

I remember a science fiction story from years ago - some gang wanted to hack into the account of the CEO of some big corporation. They found a guy with some sort of super-empathy who could work out people’s passwords just by observing them for some time. The guy got the password right but the gang was still caught because the CEO was so paranoid he always put in a random wrong password first and the system was set up to look for this.

Plus, when you first set up a new account, you probably have to type your password a lot slower than once you’re used to it.

“Dogwalker”, by Orson Scott Card. It was actually the government’s systems they were hacking into, to get some super-high-clearance passports.

I’d be happy if more places just did conventional passwords well.

I set up an account once where the setup entry screen truncated my password (without bothering to mention this) but the login screen did not truncate.

Worked that out because the “recover forgotten password” function at least worked.

How smart it is can be debated, too. If I didn’t know my wife’s unlocking “password” anyway, it is clearly written down on the device in smudge marks!

Why not just use pass phrases? One colleague I knew used a line from the US Constitution. People have problems trying to remember simple passwords without trying to remember where a backspace should be or that a “4” should be typed 1 second later.

As a means of defeating a bot or program that makes rapid-fire attempts to “guess” a password (say, 100,000 trials per second), I’ve often wondered why there isn’t a delay required between password attempts. Even a millisecond delay would thwart such attempts (by limiting them to 1000 tries per second), yet would not be noticeable to a human.

I assume there’s a flaw in my logic but don’t know enough about computers and computer security to know what it is. Can anyone enlighten me, please?

Most password-protected systems do have some sort of delay built in, and many will put a 15-minute lock on the account after five incorrect guesses, or something along those lines. Brute-forcing a password is only really practical if you have direct access to the password file on the machine (in which case you can ignore the software’s rules for how to enter passwords), which usually means physical access.
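The two posts above (the question about a per-attempt delay and the reply about lockouts and password files) can be put side by side in code. What follows is an added illustration written for this thread, not code from any product: a login gate that counts failures and locks the account for 15 minutes after five wrong guesses, run against a scripted guessing bot, and then the same guess list run directly against the stored hash the way an attacker with the password file would. The account name, password, guess list, fake clock and the low PBKDF2 iteration count are all constructed for the demo.

```python
"""Online login gate with failure counting and a 15-minute lockout, next to an
offline guess loop that the gate never sees.  Added illustration; not any
product's code.  Credentials, guesses and the clock are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # from the reply: lock after five wrong guesses
LOCKOUT_SECONDS = 15 * 60   # ... for 15 minutes
PBKDF2_ITERATIONS = 10_000  # assumption: kept low so the demo finishes quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the same function is what an offline attacker runs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginGate:
    """Server-side check: a caller only ever sees 'ok', 'denied' or 'locked'."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts: dict = {}
        self._dummy_salt = os.urandom(16)   # used so unknown users cost the same

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._dummy_salt)   # same timing as a real user
            return "denied"
        if now < acct.locked_until:
            return "locked"                             # nothing is hashed or checked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Constructed clock so the demo can 'wait' without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_online_bot(gate, user, guesses, clock, seconds_per_try=0.001):
    """A bot firing guesses at the login endpoint 1000 times per second."""
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for guess in guesses:
        result = gate.attempt(user, guess)
        counts[result] += 1
        if result == "ok":
            return counts, guess
        clock.advance(seconds_per_try)
    return counts, None


def offline_crack(acct: Account, guesses):
    """Attacker holding the password file: no gate, no lockout, just hashing."""
    for guess in guesses:
        if hmac.compare_digest(hash_password(guess, acct.salt), acct.pw_hash):
            return guess
    return None


def run_demo() -> dict:
    clock = FakeClock()
    gate = LoginGate(clock)
    gate.register("alice", "correct horse")            # constructed credentials
    guesses = [f"wrong{i}" for i in range(100)] + ["correct horse"]
    online_counts, online_found = simulate_online_bot(gate, "alice", guesses, clock)
    offline_found = offline_crack(gate.accounts["alice"], guesses)
    return {"online": online_counts, "online_found": online_found,
            "offline_found": offline_found}


if __name__ == "__main__":
    print(run_demo())
```

With the lockout in place the bot gets four plain rejections, the fifth failure locks the account, and the remaining 96 guesses (including the correct one) are answered "locked" without the server ever hashing them. The offline loop runs the identical hash function with nothing in its way and succeeds on guess 101, which is the reply's point: once the password file is in hand, the software's rules about how to enter passwords no longer apply, and only the cost of the hash function itself slows the attacker down.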

Tip: keyboard patterns are easy to memorize, and hard to guess.

I really wish there was a universal means of using my RSA SecurID. Since I have one anyway, why do I need to manage hundreds of passwords with hundreds of different rules?

That’s cleverness, not paranoia. In the context of computer security, paranoia only begins when you jeopardize your own access to your own system. :slight_smile:

It’s not paranoia if they really are out to get you.

Hi Folks,

Wheelz, I think what you are recalling is a behavioral biometric tech commonly called “keyboard dynamics.” Wikipedia has a file on it as well as a list of 7 or 8 vendors who apparently market this technology, either as a single-factor authenticator, or as an element in a multi-factor authentication scheme, or as a factor used in a more complex “backroom” risk analysis that calculates the relative likelihood that the valid user is on the keyboard executing a particular transaction.

I recall that there were vendors (perhaps the same companies with different names) which offered versions of this tech back in the mid-1980s, but I suspect the algorithms they used then were not nearly as complex as those now used in newer products. Unlike physical biometrics (like fingerprints, iris scans, or hand or facial geometry) behavioral biometrics offers not yea or nay, but a statistical probability that the habitual typing patterns of user X are those of valid user XY.

I, btw, loved the Angry Lurker’s complaint: “Seems to me that a ‘smart’ password which relies on rhythm would discriminate against those of us without any sense of that…” :smiley:

Keyboard dynamics is interesting, particularly as an element in a multi-layered risk assessment, but – despite the several commercial vendors Wikipedia listed – I’ve never run across it in the real world.

kferr nitpicked friedo when friedo referred to RSA’s SecurID as three-factor authentication. Although the classic SecurID implementation is indeed two-factor authentication – something known and something held – RSA has worked this space for a long time and today offers a very broad spectrum of SecurID hardware and software authentication options, at various costs, and with relative levels of robust security.

RSA, I believe, has only endorsed or licensed SecurID implementations with fingerprint biometrics – and only as a third factor of authentication, a complement to SecurID 2FA. (Lightning will strike me tomorrow if I overlooked some alternative biometric on RSA’s looooong list of SecurID partners.) There are, however, at least three vendors of fingerprint biometric readers for authentication which have integrated SecurID tech into their devices.

So, kferr, friedo was not completely wrong. Some SecurID implementations are indeed 3FA, although the classic 2FA mode is far more common. /end de-nit/

(For 3FA SecurID details, check out RSA’s documentation for the SecurID and Upek’s Secure Endpoint Solution, Prevaris’ plusID, and MXI Security’s “Remote Access”.)

I’ve been a consultant to RSA for decades, and my bias is overt, but if anyone has any specific questions, I’ll try to answer them. This is a great forum.
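The "keyboard dynamics" described in the post above, and the earlier posts about checking the "way" a password is typed and about how many microseconds of tolerance to allow, can be shown in a small verifier. This is an added example written for this thread, not any vendor's algorithm and not code from RSA or anyone else in the thread. It enrolls a user from several timed typings of a password, extracts dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), and scores a new attempt by the fraction of features that fall within two standard deviations of the enrolled mean. The password text, all timings, the 15 ms spread floor and the 0.8 acceptance threshold are constructed assumptions for the demo.

```python
"""Toy keystroke-dynamics verifier using dwell and flight times.
Added illustration; not any vendor's product.  All timings are constructed."""
from statistics import mean, pstdev

STD_FLOOR_MS = 15.0   # assumption: minimum spread so a very consistent enrollment is not brittle
Z_TOLERANCE = 2.0     # a feature "matches" when it lies within 2 std of the enrolled mean
ACCEPT_SCORE = 0.8    # assumption: fraction of matching features needed to accept


def make_events(pattern):
    """Turn (key, dwell_ms, flight_to_next_ms) tuples into (key, press_ms, release_ms)
    events with absolute timestamps.  Constructed-input helper for the demo."""
    events, t = [], 0.0
    for key, dwell, flight in pattern:
        events.append((key, t, t + dwell))
        t += dwell + flight
    return events


def features(events):
    """Dwell time for every key, followed by flight time between consecutive keys."""
    dwells = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwells + flights


def keys_of(events):
    return "".join(key for key, _, _ in events)


def enroll(samples):
    """Per-feature mean and (floored) standard deviation over several typings."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must type the same text")
    n = len(vectors[0])
    means = [mean(v[i] for v in vectors) for i in range(n)]
    stds = [max(pstdev([v[i] for v in vectors]), STD_FLOOR_MS) for i in range(n)]
    return {"text": keys_of(samples[0]), "means": means, "stds": stds}


def score(profile, events):
    """Fraction of timing features within tolerance; a score, not a yes/no."""
    if keys_of(events) != profile["text"]:
        return 0.0                       # wrong password text: rhythm is irrelevant
    f = features(events)
    matches = sum(1 for x, m, s in zip(f, profile["means"], profile["stds"])
                  if abs(x - m) / s <= Z_TOLERANCE)
    return matches / len(f)


def verify(profile, events):
    return score(profile, events) >= ACCEPT_SCORE


# Constructed enrollment: the same rhythm typed five times with symmetric jitter.
NOMINAL = [("p", 90, 150), ("a", 85, 170), ("s", 95, 130), ("s", 80, 0)]


def jittered(delta):
    return make_events([(k, d + delta, (fl + delta) if fl else 0) for k, d, fl in NOMINAL])


PROFILE = enroll([jittered(d) for d in (-10, -5, 0, 5, 10)])

# Constructed attempts.
LEGIT = make_events([("p", 95, 160), ("a", 80, 160), ("s", 100, 140), ("s", 85, 0)])
# Same user, but a 1.2 s pause after the second key (the "sneeze" case).
SNEEZE = make_events([("p", 95, 160), ("a", 80, 1200), ("s", 100, 140), ("s", 85, 0)])
# Someone who knows the text but holds keys briefly and pauses long between them.
IMPOSTOR = make_events([("p", 40, 300), ("a", 40, 300), ("s", 40, 300), ("s", 40, 0)])
WRONG_TEXT = make_events([("p", 95, 160), ("a", 80, 160), ("s", 100, 140), ("d", 85, 0)])


if __name__ == "__main__":
    for name, ev in (("legit", LEGIT), ("sneeze", SNEEZE),
                     ("impostor", IMPOSTOR), ("wrong text", WRONG_TEXT)):
        print(f"{name:10s} score={score(PROFILE, ev):.3f} accept={verify(PROFILE, ev)}")
```

The interesting case is the pause: one wildly late keystroke knocks out a single feature, so the attempt scores 6/7 and still clears a 0.8 threshold, whereas a strict all-features-must-match rule would reject it. That is exactly the trade-off the earlier post raised about microsecond tolerances, and it is why this kind of signal is more comfortable as one input to a risk score than as a hard gate. Note also that an impostor who knows the password text but not the rhythm scores zero here only because the constructed rhythms differ a lot; with real data the separation is statistical, as the post says, and the threshold has to be tuned against measured false-accept and false-reject rates.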