I read about this in the Silence on the Wire by Michal Zalewski. And you don't need a full-blown AI, a good statistical model is enough to make a guess on passwords, and if you have a bunch of probabilities to cut down your search space to a more probable set. And the book is from 2005, so I wouldn't say it is new. https://nostarch.com/silence.htm
I even remember reading about how Clifford Stoll recognized the different attackers by "typing rhythm" in Cuckoo's Egg.
This is why I use a separate keyboard to type in my password. If you don’t have a dedicated keyboard, then I suggest you have a loved one come over to enter your passwords for you. Sometimes I have my kid do it.
I would love to understand the joke behind this. My sarcasm level is not to this level to understand this one. Any references that I can read to catch up?
What about a virtual keyboard on the screen? What if we have our custom-built virtual keyboard with random arrangements of keys every time I want to type a Password?
And just today there is a post about the Sneakers Movie Promotional Floppy!
Now, from memory I’m pretty sure there is a scene where the visually impaired / blind Hacker can work out the password by listening to the audio on the surveillance tape!
I’m probably mangling my memory of the scene, so please correct me! :-)
Biometric to unlock phone, PIN to load 2FA auth app, and a password to actually login.
Actually, I am reminded of the 00s when companies used to have badges and badge readers you'd take home and plug in to your machine and you had to use those to authenticate connections.
Password + physical token. It was secure, but not convenient if you left your badge behind somewhere.
It wasn't wireless, no worries about snooping.
When it did work, it was magic. My Active Directory credentials automatically carried over between machines, across networks, for debugging purposes to dev boxes, and I was even able to step from C# code running locally into stored procedures on a remote SQL server all from within (the OG) Visual Studio.
Nothing works anything near that well anymore. :(
(Show of hands, who here reading this can start debugging their staging environment databases from within their IDE, with a single button press?)
2FA is password (something you know) and device (something that you have). You have to enter the password to use 2FA.
Are you thinking of a password manager? Most password managers involve entering the master password. Some can open with fingerprint but need to use the password occasionally.
Are you thinking about passkeys? Those aren’t 2FA.
JanneVee|2 years ago
hprotagonist|2 years ago
https://en.wikipedia.org/wiki/Keystroke_dynamics
flir|2 years ago
nocsi|2 years ago
undersuit|2 years ago
Brajeshwar|2 years ago
belter|2 years ago
2016 - "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP" - https://arxiv.org/abs/1609.09359
2020 - "Behavioral Acoustic Emanations: Attack and Verification of PIN Entry Using Keypress Sounds" - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7309150/
Maybe they mean this one...
2023 - "A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards" - https://arxiv.org/abs/2308.01074
unknown|2 years ago
[deleted]
firecall|2 years ago
https://news.ycombinator.com/item?id=38585213
sublinear|2 years ago
thot_experiment|2 years ago
Freedom2|2 years ago
rvz|2 years ago
Job done.
Erratic6576|2 years ago
com2kid|2 years ago
ianburrell|2 years ago
thot_experiment|2 years ago