Scary AI recognizes passwords by the sound of your typing
34 points by grammers 1 year ago | 26 comments
- JanneVee 1 year ago
I read about this in Silence on the Wire by Michal Zalewski. And you don't need a full-blown AI, a good statistical model is enough to make a guess on passwords, and if you have a bunch of probabilities to cut down your search space to a more probable set. And the book is from 2005, so I wouldn't say it is new. https://nostarch.com/silence.htm
I even remember reading about how Clifford Stoll recognized the different attackers by "typing rhythm" in Cuckoo's Egg.
- hprotagonist 1 year ago
"Fist recognition" is at least as old as Morse code.
- flir 1 year ago
Earliest reference I know is to a TLA bugging plaintext teletype printers in The Hacker's Handbook, Hugo Cornwall, 1985.
- nocsi 1 year ago
This is why I use a separate keyboard to type in my password. If you don't have a dedicated keyboard, then I suggest you have a loved one come over to enter your passwords for you. Sometimes I have my kid do it.
- undersuit 1 year ago
Just randomly change the weight of your switches on your custom mechanical keyboard every 10000 keystrokes to keep the AI guessing.
- mplewis 1 year ago
I type each key on a different keyboard. But the AI has started to guess the order of the keyboards that I use.
- Brajeshwar 1 year ago
I would love to understand the joke behind this. My sarcasm level is not high enough to understand this one. Any references that I can read to catch up?
What about a virtual keyboard on the screen? What if we have our custom-built virtual keyboard with a random arrangement of keys every time I want to type a password?
- belter 1 year ago
No details about what specific study they are referring to. These attacks have been possible for several years now.
2016 - "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP" - https://arxiv.org/abs/1609.09359
2020 - "Behavioral Acoustic Emanations: Attack and Verification of PIN Entry Using Keypress Sounds" - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7309150/
Maybe they mean this one...
2023 - "A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards" - https://arxiv.org/abs/2308.01074
- firecall 1 year ago
And just today there is a post about the Sneakers movie promotional floppy!
Now, from memory I’m pretty sure there is a scene where the visually impaired / blind Hacker can work out the password by listening to the audio on the surveillance tape!
I’m probably mangling my memory of the scene, so please correct me! :-)
- sublinear 1 year ago
Wasn't it on-screen keyboards that were the mitigation against keyloggers way back in the day?
- thot_experiment 1 year ago
Does anyone know what the SotA FOSS local demo of something like this is? I'd really like to try and understand first hand what the limitations are.
- Freedom2 1 year ago
This is why I don't type, and dictate my passwords using voice. Never been broken into once!
- rvz 1 year ago
Just use a passkey or U2F device. No password at all.
Job done.
- Erratic6576 1 year ago
Don't type passwords. Use 2FA whenever possible.
- com2kid 1 year ago
Do both.
Biometric to unlock phone, PIN to load 2FA auth app, and a password to actually login.
Actually, I am reminded of the 00s when companies used to have badges and badge readers you'd take home and plug in to your machine, and you had to use those to authenticate connections.
Password + physical token. It was secure, but not convenient if you left your badge behind somewhere.
It wasn't wireless, no worries about snooping.
When it did work, it was magic. My Active Directory credentials automatically carried over between machines, across networks, for debugging purposes to dev boxes, and I was even able to step from C# code running locally into a stored procedure on a remote SQL server, all from within (the OG) Visual Studio.
Nothing works anything near that well anymore. :(
(Show of hands, who here reading this can start debugging their staging environment databases from within their IDE, with a single button press?)
- ianburrell 1 year ago
2FA is password (something you know) and device (something that you have). You have to enter the password to use 2FA.
Are you thinking of password manager? Most password managers involve entering the master password. Some can open with fingerprint but need to use the password occasionally.
Are you thinking about passkeys? Those aren’t 2FA.
- LightHugger 1 year ago
I suspect he's thinking of just straight up using an authenticator instead of a password, which I should remind people is 1FA.
- Erratic6576 1 year ago
I was thinking password manager + TOTP or YubiKey.
Of course it does also have downsides. I don’t store all my passwords there.
- thot_experiment 1 year ago
No thanks, I'd rather keep my secrets unbound from any physical object.
- dharmab 1 year ago
My 2FA OTPs are synced by 1Password, which I can access from any of my devices; you can set up something similar with FOSS if you want full control. Authenticating to 1Password requires both a master password and a secret key; they have a feature called "Emergency Kit" for creating offline backups of the key (https://support.1password.com/emergency-kit/).
- thot_experiment 1 year ago
Using a password manager introduces a single point of failure. My biometrics are leaked every time I post a selfie or a picture of myself holding something. The idea of something like an "emergency kit" being extant for something I care about makes my skin crawl. They say you should put it in your cloud storage!!! What the actual fuck. The only points of vulnerability in the chain for the things I have passwords on are keylogging or a system breach on the provider side. I can rest easy that until I have my brain chip I'll lose at most one thing at a time. There is zero chance of a massive failure, there's a very low chance that I'll lose access because some part of the chain is missing, and my vulnerability surface is much lower than if my passwords existed anywhere outside my brain.
In any case, I'm far far more worried about not being able to log into something because there's too much security than I am worried about someone accessing my things when they shouldn't. The former has cost me many more productive minutes than the latter.
- airstrike 1 year ago
Your password can still be a secret unbound from any physical object. This is just a second layer, so I don't really see the downside.
EDIT: I guess you're right in that the parent was suggesting NOT typing passwords and sort of equating that to 2FA, so yeah, I like to keep one password in my head only (for sensitive stuff) and use a second factor if possible.
- thot_experiment 1 year ago
The second layer is the downside, it makes it annoying to log into stuff. Even using SSH keys is awful. The UX of being able to log into things from wherever on whatever device because you remember your password is unparalleled. Yeah, you have to worry about being keylogged, which, like, sure, it's a worry, but I've spent a lot more of my life being annoyed that I couldn't log into something because I didn't have the SSH key on that machine or trying to find my stupid YubiKey etc. than I have dealing with the aftermath of having something hacked.
(which to my knowledge only happened once when I set the root password on my VPS to 'toor' before I knew about internet background hacking radiation, and sure, maybe I'm compromised right now, but it's absolutely not affecting my day to day life so I'm not gonna worry about it)
- Erratic6576 1 year ago
Certain crucial passwords can be kept in memory. There are thousands of menial logins though, and a password manager might be more reliable than memory.