Replacing vulnerable passwords with secure keystroke biometrics

Published 7 November 2016

Lapses in computer security can be seen as downright negligent, in a time when major data breaches and leaks dominate international headlines on a regular basis. But it also draws attention to a more compelling question: just how secure are text-based passwords, really? Experts believe that there should be alternatives to the ubiquitous, text-based user authentication method – and that one such alternative is a new method of user authentication using keystroke biometrics.

When U.S. presidential hopeful Hillary Clinton was found to have used a private e-mail server for government business as Secretary of State, there was a collective gasp of disbelief. That disbelief quickly turned into horror when it was later revealed that she did not even protect her office computer with a password.

These lapses in computer security can be seen as downright negligent, in a time when major data breaches and leaks dominate international headlines on a regular basis. But it also draws attention to a more compelling question: just how secure are text-based passwords, really?

Associate Professor Gao Debin, a security researcher from the Singapore Management University (SMU) School of Information Systems, believes that there should be alternatives to the ubiquitous, text-based user authentication method. “People tend to pick simple, easy-to-crack passwords, such as their date of birth or worse, ‘password’. These are not very secure, naturally leaving their computers and data vulnerable to the ‘bad guys’,” he says.

And this issue is a timely one. A recent massive data leak of 272.3 million e-mail passwords by Russian hackers, which included scores of Google, Yahoo, and Microsoft e-mail accounts, was made possible by preying on less secure third-party Web sites whose users had recycled their e-mail-password combinations.

Typing your way in
SMU says that to address the growing concern of text-based password vulnerabilities, researchers have developed new methods of user authentication, such as keystroke biometrics. Keystroke biometrics captures typing patterns and rhythms as a means of identification. This concept is based on previous studies that show typing patterns are unique to each individual, and cannot be easily imitated.
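As an added illustration of the idea described above (not code or a method from the SMU researchers), a minimal keystroke-rhythm verifier: dwell and flight times from constructed key-event samples are enrolled as a per-feature template, and a later typing of the same phrase is accepted only if it stays close to it. The phrase, timings, sigma floor and acceptance threshold are all assumptions for the example.

```python
from statistics import mean, pstdev

# Constructed sample data: (key, press_ms, release_ms) for the phrase "pass",
# typed three times by the enrolling user, then once more by the same user
# and once by a different (hypothetical) typist. Not measurements from the article.
ENROLL = [
    [("p", 0, 90), ("a", 140, 230), ("s", 290, 380), ("s", 430, 520)],
    [("p", 0, 95), ("a", 145, 240), ("s", 300, 385), ("s", 435, 530)],
    [("p", 0, 85), ("a", 135, 225), ("s", 285, 375), ("s", 425, 515)],
]
GENUINE = [("p", 0, 92), ("a", 142, 232), ("s", 292, 382), ("s", 432, 522)]
IMPOSTOR = [("p", 0, 140), ("a", 260, 380), ("s", 470, 560), ("s", 700, 830)]

SIGMA_FLOOR_MS = 5.0  # a feature that was constant during enrollment must not reject normal jitter


def features(events):
    """Dwell times (how long each key is held) followed by flight times
    (gap between releasing one key and pressing the next), in ms."""
    dwell = [rel - pr for _, pr, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template: per-feature mean and (floored) standard deviation over enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR_MS)) for c in columns]


def score(template, sample):
    """Mean absolute z-score of a probe against the template; lower means closer.
    A probe of the wrong length (a different phrase) is not comparable at all."""
    vec = features(sample)
    if len(vec) != len(template):
        raise ValueError("probe does not match the enrolled phrase length")
    return mean(abs(v - mu) / sd for v, (mu, sd) in zip(vec, template))


def verify(template, sample, threshold=2.0):
    """Accept the typist if the rhythm is within `threshold` standard deviations on average."""
    return score(template, sample) < threshold


if __name__ == "__main__":
    template = enroll(ENROLL)
    print("genuine ", round(score(template, GENUINE), 2), verify(template, GENUINE))
    print("impostor", round(score(template, IMPOSTOR), 2), verify(template, IMPOSTOR))
```

The same dwell and flight intervals are what a timing leak would hand an attacker, which is why the imitation risk discussed below matters for any deployment of this check.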

However, gatekeeping via keyboard biometrics is not foolproof, says Gao, as attackers may attempt to imitate the typing patterns of their victim. The potential for this to happen is an area that Gao is exploring in his research.

“Specifically, I work on attacks and defenses. I look into new attacking techniques that the attacker would use in order to exploit a particular application,” he says. “I also work on the defense mechanisms — how we can detect those attacks and stop them from happening.”

Crafty as they are, attackers can infer the typing patterns of their victims in several ways. One scenario is Google Instant, a JavaScript application which can be reverse engineered to reveal this information. Gao and colleagues addressed this possibility in a conference proceedings paper, “Keystroke Timing Analysis of On-the-fly Web Apps,” for the