1. yowzad+(OP) 2023-08-05 20:32:53
I guess more reason to just use a password manager to autofill your password?
replies(2): >>kypro+21 >>jgtros+E8
2. kypro+21 2023-08-05 20:41:31
>>yowzad+(OP)
Or just use 2fa
replies(2): >>bee_ri+y2 >>barrot+Vt
3. bee_ri+y2 2023-08-05 20:53:12
>>kypro+21
If you have 2FA and one part of it is easily figured out, then you have one factor authentication.

If you cared enough about the authentication in the first place to bother with 2FA, then I guess it seems like the reduction there is still something to be worried about, right?

Lots of “two factor authentication” schemes seem to involve just getting a text or something, so, not very secure at all. Of course, this is bad 2FA, but it is popular.

replies(2): >>gleenn+f4 >>GhostW+pa1
4. gleenn+f4 2023-08-05 21:07:46
>>bee_ri+y2
Perfect is the enemy of good. Text based 2FA is compromisable relatively easily but at least it's an extra hurdle.
replies(1): >>3np+Re
5. jgtros+E8 2023-08-05 21:45:06
>>yowzad+(OP)
Only if it doesn't only rely on a master password
replies(5): >>apendl+2b >>Guvant+Bj >>lamont+Rq >>kristo+wK >>teduna+dM
6. apendl+2b 2023-08-05 22:06:32
>>jgtros+E8
A nice thing about master passwords though is that since you don't have to type them in as often, they can be very long. 95% accuracy probably isn't good enough to reliably reproduce a sentence-length master password, at least if it's only captured once.
replies(4): >>belval+Ef >>koolba+Oh >>SideQu+6q >>coldte+3U
7. 3np+Re 2023-08-05 22:42:39
>>gleenn+f4
It's the "or just" being the issue there, not the "use 2fa".
8. belval+Ef 2023-08-05 22:50:29
>>apendl+2b
95% means that on average only 1 in 20 keystrokes will be wrong. Even if your password is very long (40-60) that means only 2-3 errors. Since most people are not machines, their long password will be a combination of words like the famous "horsestaplebatterycorrect" example from xkcd.

Even if you flip a few letters from something like the above a human attacker will easily be able to fix it manually.

"horswstaplevatterucorrect" for example is still intelligible.

replies(1): >>TheCle+Hg
9. TheCle+Hg 2023-08-05 23:01:57
>>belval+Ef
On average 2-3 errors. However the real thing we want to look at is what is my chance of guessing right across ALL characters. For 1 it's 95%, for 2 it's 90.2%, and it gets worse from there. The formula for accuracy would be .95^c where c is the number of characters in the password. So the chance of getting EVERY key correct in a 40 character password is < 13% and < 5% for 60 characters.
replies(3): >>llbean+Am >>whelp_+hn >>rightb+NC
10. koolba+Oh 2023-08-05 23:12:24
>>apendl+2b
The master password is also offline and requires the key file to unlock the rest of the passwords. So by itself it’s not enough to compromise the accounts in the key file. The attacker would need the key file as well.
11. Guvant+Bj 2023-08-05 23:25:53
>>jgtros+E8
Doesn't everybody not require only a password?

Offline you need the database which isn't public.

Online you usually need something else on new machines to get at the true master password.

12. llbean+Am 2023-08-05 23:52:46
>>TheCle+Hg
Right. The comment above is saying even if you are incorrect in 2-5 keystrokes it’s not hard to guess the correct keystrokes if you’re using a sentence style password.

You don’t need to guess every character.

13. whelp_+hn 2023-08-05 23:57:36
>>TheCle+Hg
that's pretty high when you can use a computer to run the guesses
14. SideQu+6q 2023-08-06 00:25:57
>>apendl+2b
95% accuracy means for each stroke, the most likely key is the top choice. Most models return a probability distribution per key, and it's very likely the other keys are in the top 2 or 3.

Then you simply have the password cracker start trying passwords ordered by probability, and I bet it breaks your sentence within very few tries.

15. lamont+Rq 2023-08-06 00:33:40
>>jgtros+E8
Don't type your master password on zoom calls
replies(1): >>jerome+ey
16. barrot+Vt 2023-08-06 01:01:50
>>kypro+21
Now that I know about the existence of this generation of acoustic attacks I would like to have the possibility to insert a second "master password" different from the main one, that instead of letting me directly access my passwords just allows me to use a fingerprint to get them. Guess if it's already possible
17. jerome+ey 2023-08-06 01:44:14
>>lamont+Rq
Or use your fingerprint
replies(1): >>worthl+NS
18. rightb+NC 2023-08-06 02:37:45
>>TheCle+Hg
What if the password is typed twice? You can easily figure it out then.
19. kristo+wK 2023-08-06 04:12:13
>>jgtros+E8
[insert yubikey plug]

I don't use one but I know people who swear by them.

Also this is an extremely obvious result. Typing is obviously a form of "penmanship", it was well known that telegraph operators could identify each other by how they tapped out Morse code in the 1800s.

People have been able to do this based upon key stroke latency and even identify people based on habitual mouse patterns for decades.

Audio recordings work as yet another reliable proxy? Shocked!!

I am amazed that people can do such obvious things and get published, have articles written on them... I need to get in on that, sounds easy

I can make a web demo. You turn on the microphone type a couple things into a box on the web browser.

Then you go to a different window and continue typing and then the model predicts what you are typing. As long as it's proper grammar you can get to effectively 100% accuracy. It'll appear to be spooky magic.

I just might take the time.

replies(1): >>mercer+1N
20. teduna+dM 2023-08-06 04:38:57
>>jgtros+E8
What actually are you going to do if you spy on my zoom call and learn my master password is bigjarofpickles?
replies(1): >>Sai_+iO
21. mercer+1N 2023-08-06 04:52:16
>>kristo+wK
You sound confident enough that I'd like to see you show that off :P.
replies(1): >>kristo+V31
22. Sai_+iO 2023-08-06 05:12:31
>>teduna+dM
Hacker: tedunangst, what’s your email? Wanna invite you to that thing!

Hacker: man, I hate typing passwords. Do you use password managers? Any reccos?

… I am become hacker, destroyer of tedunangst’s bank account.

replies(1): >>microt+jU
23. worthl+NS 2023-08-06 06:13:18
>>jerome+ey
why is that ?
replies(1): >>microt+rU
24. coldte+3U 2023-08-06 06:33:22
>>apendl+2b
>a sentence-length master password

Ij on-tep of sentenca lentg, it's alio sentemce-bused ("corvect harse batterg stapfe") then ut would be quiti eady to guess even wits worse accurasy.

(If on top of sentence length, it's also sentence-based ("correct horse battery staple") then it would be quite easy to guess even with worse accuracy.)

replies(1): >>Gh0stR+HW
25. microt+jU 2023-08-06 06:38:40
>>Sai_+iO
1Password requires an extra key upon the first login that you never have to type afterwards. So, have fun trying to log in to that password manager, even if you have the master password.

Also, you can also use and require a hardware FIDO2 token as second factor.

26. microt+rU 2023-08-06 06:41:13
>>worthl+NS
1Password allows unlocking with a fingerprint (Touch ID) or Apple Watch, at least on a Mac. So you can unlock your password manager during a Zoom call, and nobody can snoop your master password.

(With 1Password, the master password is not enough to do a remote account takeover, you also need the second-factor key. And you can't snoop it, since it is only required during the first login, so a user will never type it after that.)

27. Gh0stR+HW 2023-08-06 07:19:30
>>coldte+3U
potential solution: keep a few intentional typos in your passphrases. It also makes dictionary attacks much harder.
replies(1): >>GhostW+ha1
28. kristo+V31 2023-08-06 08:47:29
>>mercer+1N
sounds like a good exercise although it'll literally just be for my own personal amusement. Nobody actually cares about this unless you've got some institutional clout which I do not. Praise for the PhD would be ridicule for you and me.

But really, should be fun ... the laptop dock mic will be great for this. If it's external you're in trouble ... but the researchers just used the onboard so it'll be fine.

29. GhostW+ha1 2023-08-06 10:03:45
>>Gh0stR+HW
now you have to remember the typos
replies(1): >>coldte+FC2
30. GhostW+pa1 2023-08-06 10:05:57
>>bee_ri+y2
which is the point of 2fa – when the 1st factor fails the 2nd holds
31. coldte+FC2 2023-08-06 20:13:26
>>GhostW+ha1
Plus, if they can tell what the actual words would be, then brute forcing the typos is trivial
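A worked check of the two numbers the thread argues over, added here as an example that comes from none of the commenters: the .95^c chance from comment 9 that every keystroke of a c-character password is recovered at 95% per-key accuracy (and how often the "only 2-3 errors" case of comment 8 actually occurs), and how little search space a few intentional typos add once the underlying words are already known, the point of comments 27 and 31. The 26-letter lowercase alphabet, the 25-character "correcthorsebatterystaple" passphrase and the assumption that keystroke errors are independent are assumptions for the illustration, not figures from the thread.

```python
from math import comb, log2


def p_all_correct(accuracy: float, length: int) -> float:
    """Chance that every one of `length` keystrokes is classified correctly,
    assuming independent per-key errors; this is the .95^c of comment 9."""
    return accuracy ** length


def p_at_most_k_errors(accuracy: float, length: int, k: int) -> float:
    """Binomial tail: chance the recording yields no more than k wrong
    keystrokes, i.e. how often the '2-3 errors' case really happens."""
    q = 1.0 - accuracy
    return sum(comb(length, i) * accuracy ** (length - i) * q ** i
               for i in range(k + 1))


def typo_candidates(length: int, typos: int, alphabet: int = 26) -> int:
    """Candidates someone who already knows the words must enumerate to cover
    `typos` single-character substitutions at unknown positions in a
    `length`-character passphrase. Assumed alphabet: 26 lowercase letters."""
    return comb(length, typos) * (alphabet - 1) ** typos


def typo_bits(length: int, typos: int, alphabet: int = 26) -> float:
    """The same search space expressed as bits of entropy the typos add."""
    return log2(typo_candidates(length, typos, alphabet))


if __name__ == "__main__":
    for c in (1, 2, 40, 60):
        print(f"{c:2d} chars, all correct at 95%: {p_all_correct(0.95, c):.3f}")
    print(f"40 chars, <=3 errors at 95%: {p_at_most_k_errors(0.95, 40, 3):.3f}")
    # Constructed passphrase: "correcthorsebatterystaple" is 25 characters.
    for k in (1, 2, 3):
        print(f"{k} typo(s) in 25 chars: {typo_candidates(25, k)} candidates, "
              f"{typo_bits(25, k):.1f} bits")
```

The all-correct figures reproduce comment 9 (below 13% at 40 characters, below 5% at 60), but the binomial tail shows that three or fewer errors in a 40-character recording is the common case, which is what comment 12 relies on. Two intentional typos in a known 25-character passphrase add only about 17.5 bits, so the typos are a far weaker defence than choosing words that are not in a dictionary in the first place.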