TY - GEN
T1 - User Perceptions of Defensive Techniques against Keystroke Timing Attacks during Password Entry
AU - Griswold-Steiner, Isaac
AU - Diarrassouba, N'Godjigui
AU - Arangath, Shreyesh
AU - Serwadda, Abdul
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/5/8
Y1 - 2021/5/8
N2 - To protect the password from visual attacks, most password entry screens use a password masking scheme that displays a series of placeholder characters (e.g., dots and asterisks) instead of the actual password. Recent research has however shown the security provided by this form of password masking to be weak against keystroke timing-analytics attacks. The underlying idea behind these attacks is that, even when a password is masked as described above, the timing between consecutive placeholder characters gives away information about the password since the relative locations of characters on the keyboard dictate how fast fingers move between them. In this paper we argue that, for security-sensitive applications, password masking mechanisms ought to hide the true intervals between password characters in order to overcome these kinds of attacks. Making adjustments to these timings however has the potential to pose usability issues given the fact that the typing would not perfectly align with the display of typed content. The paper proposes 3 different password masking schemes and undertakes a usability evaluation on them. Our early results suggest that user receptiveness to two of the schemes is not much worse than that seen with the conventional (insecure) scheme.
KW - Password security
KW - keystroke timing attacks
KW - password usability
KW - shoulder surfing
UR - http://www.scopus.com/inward/record.url?scp=85105782810&partnerID=8YFLogxK
U2 - 10.1145/3411763.3451667
DO - 10.1145/3411763.3451667
M3 - Conference contribution
AN - SCOPUS:85105782810
T3 - Conference on Human Factors in Computing Systems - Proceedings
BT - Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems, CHI EA 2021
PB - Association for Computing Machinery
T2 - 2021 CHI Conference on Human Factors in Computing Systems: Making Waves, Combining Strengths, CHI EA 2021
Y2 - 8 May 2021 through 13 May 2021
ER -