Thermal Images Could Reveal Passwords

By John Lister

Researchers say a thermal imaging camera could help crack passwords. It's not exactly a looming threat for the average user, though the study does reinforce the importance of longer passwords.

The research from the University of Glasgow appears to have been inspired by noticing that thermal-imaging cameras are becoming more affordable (less than $220 in some cases) and wondering how they could be combined with machine learning. The researchers say the same idea may have struck would-be criminals, so it was worth trying to get one step ahead of them. (Source: zdnet.com)

The project followed a basic principle: a finger pressing a computer key slightly raises its temperature and this increase fades over time. The idea is that a thermal image could give enough information to try to figure out the order of recent keystrokes.

Password Analysis

According to the researchers, machine learning is then applied in several ways. It automatically "reads" the heat signal and assembles a range of possible key sequences to cover any ambiguity. It then compares these with known patterns and characteristics of the passwords people use and tries to figure out the most likely sequences, and thus the probable password.

The system also uses known characteristics to try to figure out where in a sequence the user stopped typing a username and began typing the password.

The study showed that in principle the approach works, but with the major restriction that it needs to be used quickly after the typing. The researchers say the success rate was 86 percent if the image was taken within 20 seconds, falling to 62 percent after a minute. (Source: acm.org)

That means attackers would have to take the image almost immediately after somebody typed in a password (and before they typed anything else), which would presumably involve either a mugging or a hidden camera. Either way, that suggests it would only be useful for a targeted attack, or perhaps for capturing PIN codes on ATMs or security gates.

Faster Typists Safer

The researchers also found that results varied significantly depending on how quickly the user typed (faster typing meant less certainty in "reading" the image) and the specific type of plastic used on the keyboard.

The biggest variant was password length, however. With the images taken within 20 seconds, the system guessed six-character passwords every time, falling to a two-thirds success rate for 16 characters.

That's a useful reminder, as longer passwords are exponentially more difficult for hackers to breach. While the researchers didn't test this, it's also highly likely even this unconventional technique would be more effective against passwords made up of a single word found in the dictionary than a random or random-seeming string of characters.
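To put a number on the "ambiguity" the article mentions, here is a small added illustration (not code from the Glasgow study). It assumes a simplified threat model: the thermal image tells the attacker only which k distinct keys were touched, and in the optimistic case also the order in which each key was first pressed, but never how many times a key was pressed or where repeats sit in a password of length n. Under those assumptions the number of candidate passwords that still fit the image is a standard counting problem, and it shows why repeated keystrokes and extra length leave the attacker with far more sequences to test.

```python
from functools import lru_cache
from math import comb


@lru_cache(maxsize=None)
def stirling2(n: int, k: int) -> int:
    """Stirling number of the second kind S(n, k): the number of ways to
    split n labelled typing positions into k non-empty, unlabelled groups
    (one group per distinct key that was pressed)."""
    if n == k:
        return 1
    if k == 0 or k > n:
        return 0
    return k * stirling2(n - 1, k) + stirling2(n - 1, k - 1)


def candidates_set_only(n: int, k: int) -> int:
    """Candidate passwords of length n when the image reveals only the SET
    of k distinct keys (no order, no repeat counts).  This is the number of
    surjections from n positions onto k keys, computed by inclusion-exclusion."""
    if k > n:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def candidates_order_known(n: int, k: int) -> int:
    """Candidate passwords when the attacker additionally recovers the order
    in which each distinct key was FIRST pressed (e.g. from heat decay).
    Fixing the first-occurrence order leaves S(n, k) sequences: only the
    placement of the n - k repeated presses is still unknown."""
    return stirling2(n, k)


def ambiguity_table(lengths=(6, 8, 12, 16), distinct_fraction=0.75):
    """Constructed comparison: for each password length n, assume roughly
    distinct_fraction of the characters are distinct keys (the rest are
    repeats such as doubled letters) and report both candidate counts."""
    rows = []
    for n in lengths:
        k = max(1, round(n * distinct_fraction))
        rows.append((n, k, candidates_order_known(n, k), candidates_set_only(n, k)))
    return rows


if __name__ == "__main__":
    print(f"{'len':>4} {'distinct':>9} {'order known':>14} {'set only':>16}")
    for n, k, ordered, unordered in ambiguity_table():
        print(f"{n:>4} {k:>9} {ordered:>14,} {unordered:>16,}")
```

A six-character password with six distinct keys and perfectly readable ordering leaves exactly one candidate, which matches the article's "every time" result for short passwords. As soon as repeats enter the picture (n > k), even a perfectly ordered reading leaves S(n, k) possibilities, and without the ordering the count grows by a further factor of up to k!, so each extra character multiplies the work the guessing stage has to do.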

What's Your Opinion?

Should we fear such an attack being used for real? Are there any lessons to learn from this research? Do you intentionally use long passwords to boost security?


Comments

buzzallnight:

point it at the screen

duh!

Chief:

Who cares?
You can easily defeat this scheme simply by dduupplliiccaatingg or ddoouubblliinngg keys randomly as part of your password.

The camera may record the heat decay of each key after use, but the reader (AI or human) cannot possibly determine which key was pressed twice or thrice in succession, or if I simply hesitated before moving on to the subsequent key.

If I were going to steal passwords, I would use the old, tried and true low tech methods.

Just because it's big, bad, glitzy, high-tech, and plays well on Mission Impossible doesn't mean it's any good in the real world.

That said, thanks for the article, as it does provide me a valid reason to use duplicate key strokes, assuming I bother to type my passwords at all...