Comment by bqmjjx0kac

2 years ago

This is just security through obscurity. For real security, you need a cryptographically rolling keyboard layout.

My sister in law uses voice recognition and dictation software, so she doesn't even use a keyboard! Totally safe!

Whereas for practical security, having some common substring in all your passwords that you don't type but insert through some global hotkey would be just fine as a mitigation against eavesdrop attacks.

Yes, that's also obscurity, but obscurity is actually good - it only got a (deservedly) bad reputation from when it gets used as a substitute (but I fail to see how using a nonstandard keyboard layout would even count as obscurity in the context of an audio attack, as the clear text reference would surely go through the same layout?)

Brilliant suggestion. Have a TRNG or a CSPRNG (if too poor for a TRNG) choose the next layout at random for you, ideally with every keystroke. Good luck cracking that!

  • Some places use touchscreen keypads for PIN entry exactly for this reason: to allow randomization, e.g. for opening a locked door, or for authorizing a transaction.

    • That is interesting.

      I’m sure it depends on the application to some extent. I can type my PIN in without looking at all, so I can cover it up while doing it. If I had to hunt and peck, it’d be easier for an onlooker to observe my slower motions, I think.

      But if I used the same machine often enough to produce wear specific to me, this randomization would be really useful.

  • Could be done by using a device with a display - e.g. an "ereader" - to present a random keyboard layout. But, good luck being efficient typing on that. At that point, better use a different input model.

    Or, use techniques such as those in the article, such as random keypresses played during the actual ones.

    • Some banks went through a phase of this - website would present an on screen keyboard for the password field with a randomized layout.

      I'm sure customer frustration was huge.

  • Even using Vim or Emacs would add some obufsCTRL[dbiobfuscation from all the spurious keystrokes.
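To make the randomized-keypad idea in this subthread concrete, here is an added example (not code from anyone in the thread) of a 10-key PIN pad whose layout is reshuffled with a CSPRNG on every entry. It contrasts what an onlooker or a wear pattern sees with a fixed layout against a randomized one; the PIN and entry counts are constructed sample values.

```python
import secrets

DIGITS = "0123456789"


def random_layout() -> list[str]:
    """Digits in CSPRNG-shuffled order; the list index is the physical key position."""
    layout = list(DIGITS)
    secrets.SystemRandom().shuffle(layout)  # secrets, not random: unpredictable order
    return layout


def positions_for(pin: str, layout: list[str]) -> list[int]:
    """Key positions an onlooker (or a wear pattern) observes when this PIN is entered."""
    return [layout.index(d) for d in pin]


def decode(positions: list[int], layout: list[str]) -> str:
    """What the terminal reconstructs: positions only mean something with the layout."""
    return "".join(layout[p] for p in positions)


def observed_sequences(pin: str, entries: int, randomize: bool) -> set[tuple[int, ...]]:
    """Distinct position sequences seen over many entries of the same PIN."""
    fixed = list(DIGITS)
    seqs = set()
    for _ in range(entries):
        layout = random_layout() if randomize else fixed
        seqs.add(tuple(positions_for(pin, layout)))
    return seqs


def position_wear(pin: str, entries: int, randomize: bool) -> list[int]:
    """Press count per key position: with a fixed layout, wear marks the PIN digits."""
    counts = [0] * 10
    fixed = list(DIGITS)
    for _ in range(entries):
        layout = random_layout() if randomize else fixed
        for p in positions_for(pin, layout):
            counts[p] += 1
    return counts


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    print("fixed layout, distinct sequences:", len(observed_sequences(pin, 200, False)))
    print("random layout, distinct sequences:", len(observed_sequences(pin, 200, True)))
    print("fixed wear:", position_wear(pin, 200, False))
    print("random wear:", position_wear(pin, 200, True))
```

With a fixed layout every entry produces the identical position sequence and only four keys ever wear; with per-entry shuffling the observed sequences vary and wear spreads across all ten keys, which is the benefit the comments above describe (the cost being that the user must hunt for each digit).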

...wait, are you telling me Konami shuffling the touch input for e-Amusement PINs[0] was a good idea!?

[0] Okay... deep breath

Konami is a pachinko manufacturer with a side hustle making rhythm games for Japanese arcades. They have an online service that all their games connect to called e-Amusement. You can log into it using an e-Amusement Pass card, and your card is locked to a PIN number you have to set up when you first use it. Cabinets with touchscreens give you a touch keypad, except all the digits are shuffled around, which is a total pain in the ass and you have to do this for every credit.

Indeed. Let me add that how your fingers come into contact with the keys is probably just as important. I recommend a cryptographically rolling choice of dustballs, crumbs, and boogers.

Why not just a keyboard that produces random noise?

  • Finally, a use for Buffy's Swearing Keyboard.

    Or possibly the exact opposite of that, I can't tell if it's a one-to-one mapping on mobile: https://www2.b3ta.com/buffyswear/

    (Also, I'm feeling my age now, given how many years have elapsed since that kind of thing passed for internet culture…)

  • Because the real data stream would still be there, just mixed with some noise. It feels harder to analyze whether the noise sufficiently obscures the real keystrokes than it does to ensure the actual keystrokes reveal no information.