by noufalibrahim 1393 days ago
A relevant anecdote. During my younger, more adventurous years, we used to try to peek over admins' shoulders to figure out passwords for root. Not to do anything malicious but just as an act of geeky bravado. Naturally, they got savvy and prevented us from doing this.

The keyboards in the lab were heavily used and were noisy. The space bar, because of its shape, sounded distinctly different from the other keys. I stayed away from the admins when they entered the password like a decent citizen but listened in and found that the password was 7 characters long and also that the second and sixth characters were spaces (thanks to the different sound of the key). So .˽...˽.

I brute forced this using a shell script (since I had just learned how to write shell scripts), ran it overnight, and got in the next day.

So yes, I think there might, at least in theory, be good reasons to avoid certain characters in a password.

2 comments

The space bar is just a big obvious form of audio attack that even humans can do with no tools or training, but really, if an attacker can hear you typing the password, it’s very heavily at risk. You can infer much more purely from the sound about the positioning of the hand and likely finger movements: in timing, most simply, but also in how sound bounces differently from different parts of the keyboard depending on what else is around (including the hands), and more. Practical attacks of this kind have been demonstrated.

It is thus a security Best Practice for streamers and the like to mute their microphones while typing passwords.

Really, all senses leak information like this. Wifi signals are enough to see round corners and steal passwords. Even wearing a sleeveless shirt and having your upper arms visible to a camera leaks a little information from the small arm and theoretically even muscle movements.

There’s a paper about this and a demo site that can accurately derive your password based on a short training period and audio recording. They used distance between key presses and sounds of each key for their specialized acoustical analysis.

Reminds me of Van Eck phreaking and the description of that in Neal Stephenson's Cryptonomicon.