Is password entry being recorded on camera a realistic concern?
up vote
80
down vote
favorite
I live in a city where CCTV camera coverage is comprehensive and increasing. Cameras are getting cheaper and higher resolution. Everyone has a video camera in their pocket already, and we are starting to see trends which indicate always-on cameras may become commonplace in other devices like glasses.
It has occurred to me, when out in public and entering my username/password into apps on my phone and laptop, that if a camera could capture both my screen and my keyboard, it could be fairly straightforward for a viewer to grab or guess my credentials from the footage assuming a high enough resolution image and the view not being (too) obscured.
Without going too much into the details of how it would be implemented, the accuracy and cost etc, I have a background in image processing and so am also aware that this would likely be automatable to at least some degree.
So I thought I would ask the community here if this is actually a viable risk? Have there been any known instances of it happening already? Are people thinking about this with respect to the viability of plaintext credential entry into apps in the long run?
passwords user-names
asked yesterday
davnicwil
47647
add a comment |
up vote
80
down vote
favorite
I live in a city where CCTV camera coverage is comprehensive and increasing. Cameras are getting cheaper and higher resolution. Everyone has a video camera in their pocket already, and we are starting to see trends which indicate always-on cameras may become commonplace in other devices like glasses.
It has occurred to me, when out in public and entering my username/password into apps on my phone and laptop, that if a camera could capture both my screen and my keyboard, it could be fairly straightforward for a viewer to grab or guess my credentials from the footage assuming a high enough resolution image and the view not being (too) obscured.
Without going too much into the details of how it would be implemented, the accuracy and cost etc, I have a background in image processing and so am also aware that this would likely be automatable to at least some degree.
So I thought I would ask the community here if this is actually a viable risk? Have there been any known instances of it happening already? Are people thinking about this with respect to the viability of plaintext credential entry into apps in the long run?
passwords user-names
asked yesterday
davnicwil
47647
3
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
2
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago
add a comment |
up vote
80
down vote
favorite
up vote
80
down vote
favorite
I live in a city where CCTV camera coverage is comprehensive and increasing. Cameras are getting cheaper and higher resolution. Everyone has a video camera in their pocket already, and we are starting to see trends which indicate always-on cameras may become commonplace in other devices like glasses.
It has occurred to me, when out in public and entering my username/password into apps on my phone and laptop, that if a camera could capture both my screen and my keyboard, it could be fairly straightforward for a viewer to grab or guess my credentials from the footage assuming a high enough resolution image and the view not being (too) obscured.
Without going too much into the details of how it would be implemented, the accuracy and cost etc, I have a background in image processing and so am also aware that this would likely be automatable to at least some degree.
So I thought I would ask the community here if this is actually a viable risk? Have there been any known instances of it happening already? Are people thinking about this with respect to the viability of plaintext credential entry into apps in the long run?
passwords user-names
asked yesterday
davnicwil
47647
I live in a city where CCTV camera coverage is comprehensive and increasing. Cameras are getting cheaper and higher resolution. Everyone has a video camera in their pocket already, and we are starting to see trends which indicate always-on cameras may become commonplace in other devices like glasses.
It has occurred to me, when out in public and entering my username/password into apps on my phone and laptop, that if a camera could capture both my screen and my keyboard, it could be fairly straightforward for a viewer to grab or guess my credentials from the footage assuming a high enough resolution image and the view not being (too) obscured.
Without going too much into the details of how it would be implemented, the accuracy and cost etc, I have a background in image processing and so am also aware that this would likely be automatable to at least some degree.
So I thought I would ask the community here if this is actually a viable risk? Have there been any known instances of it happening already? Are people thinking about this with respect to the viability of plaintext credential entry into apps in the long run?
passwords user-names
passwords user-names
asked yesterday
davnicwil
47647
asked yesterday
davnicwil
47647
asked yesterday
davnicwil
47647
asked yesterday
davnicwil
47647
asked yesterday
davnicwil
47647
47647
3
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
2
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago
add a comment |
3
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
2
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago
3
3
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
2
2
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago
add a comment |
5 Answers
5
active
oldest
votes
up vote
86
down vote
Lots of examples. A high-profile and recent example is when Kanye was caught on camera entering his "00000" password to unlock his device.
Shoulder-surfing is one reason why applications do not display the password text on the screen, but show ****** instead.
And this is one reason why multi-factor authentication is so important; even if you know the password, you cannot use it without another factor.
I have even seen viable research into capturing the sound of the keyboard when a user types the password, even over the computer's microphone.
So, yes, you describe a viable risk that the industry has been addressing for a long time. The specifics of high-res cameras is just not a significant enough of a new factor to consider. Shoulder-surfing and keyloggers are a current risk.
The industry knows that it needs to develop something better than passwords, and there are many active attempts to do so, but nothing is mature or stable enough yet.
answered yesterday
schroeder♦
68.9k25146184
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
|
show 12 more comments
up vote
22
down vote
As another example, here are some images from KrebsOnSecurity on ATM Skimmers (devices used to steal ATM credentials)
Hidden camera behind ATM faceplate (source)
Hidden camera glued to corner of ATM (source)
Hidden camera on fake panel of ATM (source)
So yes, it is a very real-world concern.
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
add a comment |
up vote
7
down vote
Also, there have been cases reported where thermal imagers were used to extract a PIN or password from a keyboard just used to enter it - the hotter a key, if time of finger contact is about equal (heat soaks in...), the more recently it has been pressed. This might not present the password on a silver platter due to duplicate keys, different finger dwell times, but can extremely narrow the possible passwords.
answered yesterday
rackandboneman
62136
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
add a comment |
up vote
0
down vote
Yes, and this is one of many reasons that you should not be entering passwords, and for the most part should not even know your passwords, except for a password manager master password and device unlock codes/FDE passphrases. For FDE passphrases, you should enter them only when powering on the device, and only in private locations where there are no cameras or observers present.
answered yesterday
R..
3,89711317
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
|
show 9 more comments
up vote
0
down vote
I would say yes, and high resolution imagery is not necessary. Speaking as a statistician, I don't even need to know the exact letter or numeral you touched (on a screen keyboard or regular keyboard), reducing each choice to 2 or 3 possible characters, based on the position of your fingers, makes an electronic guess of your password a tractable problem. Especially I would try likely combinations of letters that form word fragments; e.g. ([FR][EW][DE])="FEE", "FED", or "RED".
Or if numbers, I'd look for combinations that appear in numbers related to you: birthdays, anniversaries, for you, spouse, kids. Your phone number or house address.
On a screen or a real keyboard, I can see when you shift for special characters and guess what they are. And sometimes it is clear which key you hit, depending on the angle of the camera, narrowing some position to exactly one key. The camera can narrow the field of possible passwords considerably, and often in analysis that scores how well passwords match words and dates, the "right" password can be at the top of the scoring list.
For this reason, acronymic phrases can help defeat this. The idea is to memorize a phrase that means something to you, like "If the Seahawks win the championship I'll get drunk and dance a jig." Then make an Acronym: "ITSWTCIGDADAJ". You can teach yourself to replace some of these letters with numerals or special characters.
Without knowing the phrase in your mind, the password letters are random and uncorrelated, so unless the camera can tell which keys you hit exactly, it still won't be able to guess at the correct sequence by looking for matches to real words or dates.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
86
down vote
Lots of examples. A high-profile and recent example is when Kanye was caught on camera entering his "00000" password to unlock his device.
Shoulder-surfing is one reason why applications do not display the password text on the screen, but show ****** instead.
And this is one reason why multi-factor authentication is so important; even if you know the password, you cannot use it without another factor.
I have even seen viable research into capturing the sound of the keyboard when a user types the password, even over the computer's microphone.
So, yes, you describe a viable risk that the industry has been addressing for a long time. The specifics of high-res cameras is just not a significant enough of a new factor to consider. Shoulder-surfing and keyloggers are a current risk.
The industry knows that it needs to develop something better than passwords, and there are many active attempts to do so, but nothing is mature or stable enough yet.
answered yesterday
schroeder♦
68.9k25146184
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
|
show 12 more comments
up vote
86
down vote
Lots of examples. A high-profile and recent example is when Kanye was caught on camera entering his "00000" password to unlock his device.
Shoulder-surfing is one reason why applications do not display the password text on the screen, but show ****** instead.
And this is one reason why multi-factor authentication is so important; even if you know the password, you cannot use it without another factor.
I have even seen viable research into capturing the sound of the keyboard when a user types the password, even over the computer's microphone.
So, yes, you describe a viable risk that the industry has been addressing for a long time. The specifics of high-res cameras is just not a significant enough of a new factor to consider. Shoulder-surfing and keyloggers are a current risk.
The industry knows that it needs to develop something better than passwords, and there are many active attempts to do so, but nothing is mature or stable enough yet.
answered yesterday
schroeder♦
68.9k25146184
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
|
show 12 more comments
up vote
86
down vote
up vote
86
down vote
Lots of examples. A high-profile and recent example is when Kanye was caught on camera entering his "00000" password to unlock his device.
Shoulder-surfing is one reason why applications do not display the password text on the screen, but show ****** instead.
And this is one reason why multi-factor authentication is so important; even if you know the password, you cannot use it without another factor.
I have even seen viable research into capturing the sound of the keyboard when a user types the password, even over the computer's microphone.
So, yes, you describe a viable risk that the industry has been addressing for a long time. The specifics of high-res cameras is just not a significant enough of a new factor to consider. Shoulder-surfing and keyloggers are a current risk.
The industry knows that it needs to develop something better than passwords, and there are many active attempts to do so, but nothing is mature or stable enough yet.
answered yesterday
schroeder♦
68.9k25146184
Lots of examples. A high-profile and recent example is when Kanye was caught on camera entering his "00000" password to unlock his device.
Shoulder-surfing is one reason why applications do not display the password text on the screen, but show ****** instead.
And this is one reason why multi-factor authentication is so important; even if you know the password, you cannot use it without another factor.
I have even seen viable research into capturing the sound of the keyboard when a user types the password, even over the computer's microphone.
So, yes, you describe a viable risk that the industry has been addressing for a long time. The specifics of high-res cameras is just not a significant enough of a new factor to consider. Shoulder-surfing and keyloggers are a current risk.
The industry knows that it needs to develop something better than passwords, and there are many active attempts to do so, but nothing is mature or stable enough yet.
answered yesterday
schroeder♦
68.9k25146184
edited 16 hours ago
answered yesterday
schroeder♦
68.9k25146184
answered yesterday
schroeder♦
68.9k25146184
answered yesterday
schroeder♦
68.9k25146184
68.9k25146184
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
|
show 12 more comments
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
28
28
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
I would also add that there has been a case where a high-res photo was taken of a finger and used to create a replica fingerprint and used to open the biometrics of a phone. So, yes, cameras are a threat.
– schroeder♦
yesterday
4
4
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
I think the new factor with cameras is the potential for scale through both wider passive capture and automation
– davnicwil
yesterday
2
2
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
@davnicwil yep, that's a good point too. When designing the camera placement in an office building, we had to perform a number of calculations on the risks of capturing people typing. What I'm saying is that the problem space is far from new.
– schroeder♦
yesterday
2
2
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
@Bakuriu I might humbly suggest that not everyone lives in Italy. Especially in cases where a company has sensitive info to protect, or high-value goods, further video surveillance may be warranted to minimize liability and risk.
– Doktor J
yesterday
2
2
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
@DoktorJ That was an example. The point is: the number of situations when installing cameras to record employees at their computers in an office are extremely rare, since the office itself should be a physically controlled place. If you have outsiders/clients etc coming and going all the time that's not really "just an office" in my mind and poses different security requirements.
– Bakuriu
yesterday
|
show 12 more comments
up vote
22
down vote
As another example, here are some images from KrebsOnSecurity on ATM Skimmers (devices used to steal ATM credentials)
Hidden camera behind ATM faceplate (source)
Hidden camera glued to corner of ATM (source)
Hidden camera on fake panel of ATM (source)
So yes, it is a very real-world concern.
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
add a comment |
up vote
22
down vote
As another example, here are some images from KrebsOnSecurity on ATM Skimmers (devices used to steal ATM credentials)
Hidden camera behind ATM faceplate (source)
Hidden camera glued to corner of ATM (source)
Hidden camera on fake panel of ATM (source)
So yes, it is a very real-world concern.
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
add a comment |
up vote
22
down vote
up vote
22
down vote
As another example, here are some images from KrebsOnSecurity on ATM Skimmers (devices used to steal ATM credentials)
Hidden camera behind ATM faceplate (source)
Hidden camera glued to corner of ATM (source)
Hidden camera on fake panel of ATM (source)
So yes, it is a very real-world concern.
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
As another example, here are some images from KrebsOnSecurity on ATM Skimmers (devices used to steal ATM credentials)
Hidden camera behind ATM faceplate (source)
Hidden camera glued to corner of ATM (source)
Hidden camera on fake panel of ATM (source)
So yes, it is a very real-world concern.
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
answered yesterday
BlueRaja - Danny Pflughoeft
1,5171018
1,5171018
add a comment |
add a comment |
up vote
7
down vote
Also, there have been cases reported where thermal imagers were used to extract a PIN or password from a keyboard just used to enter it - the hotter a key, if time of finger contact is about equal (heat soaks in...), the more recently it has been pressed. This might not present the password on a silver platter due to duplicate keys, different finger dwell times, but can extremely narrow the possible passwords.
answered yesterday
rackandboneman
62136
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
add a comment |
up vote
7
down vote
Also, there have been cases reported where thermal imagers were used to extract a PIN or password from a keyboard just used to enter it - the hotter a key, if time of finger contact is about equal (heat soaks in...), the more recently it has been pressed. This might not present the password on a silver platter due to duplicate keys, different finger dwell times, but can extremely narrow the possible passwords.
answered yesterday
rackandboneman
62136
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
add a comment |
up vote
7
down vote
up vote
7
down vote
Also, there have been cases reported where thermal imagers were used to extract a PIN or password from a keyboard just used to enter it - the hotter a key, if time of finger contact is about equal (heat soaks in...), the more recently it has been pressed. This might not present the password on a silver platter due to duplicate keys, different finger dwell times, but can extremely narrow the possible passwords.
answered yesterday
rackandboneman
62136
Also, there have been cases reported where thermal imagers were used to extract a PIN or password from a keyboard just used to enter it - the hotter a key, if time of finger contact is about equal (heat soaks in...), the more recently it has been pressed. This might not present the password on a silver platter due to duplicate keys, different finger dwell times, but can extremely narrow the possible passwords.
answered yesterday
rackandboneman
62136
answered yesterday
rackandboneman
62136
answered yesterday
rackandboneman
62136
answered yesterday
rackandboneman
62136
62136
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
add a comment |
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
7
7
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
My relatively cheap chinese door lock have a (I don't know if this is intentionaly or it just happened) way off deterring shoulder-surfers: Only the first and the last n digits matters. So, if the code is 1234, if you are suspicious somebody is watching, you could enter 124579413245430234, and most snoopers would have lost track of your keys by then. All keys would have the same temperature and greasiness also.
– Lenne
16 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
@Lenne but if someone can (secretly?) record you two or more times, instead of just shoulder-surfing, can't they figure out actual code by comparing few inputs? :)
– Ivan Kolmychek
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
Sure, but even if something isn't 100% protection, everything which makes it harder will stop some, and delay the rest
– Lenne
7 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
@Lenne that lock could be much improved by not accepting an EXACT entered number combination for several attempts....
– rackandboneman
5 hours ago
add a comment |
up vote
0
down vote
Yes, and this is one of many reasons that you should not be entering passwords, and for the most part should not even know your passwords, except for a password manager master password and device unlock codes/FDE passphrases. For FDE passphrases, you should enter them only when powering on the device, and only in private locations where there are no cameras or observers present.
answered yesterday
R..
3,89711317
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
|
show 9 more comments
up vote
0
down vote
Yes, and this is one of many reasons that you should not be entering passwords, and for the most part should not even know your passwords, except for a password manager master password and device unlock codes/FDE passphrases. For FDE passphrases, you should enter them only when powering on the device, and only in private locations where there are no cameras or observers present.
answered yesterday
R..
3,89711317
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
|
show 9 more comments
up vote
0
down vote
up vote
0
down vote
Yes, and this is one of many reasons that you should not be entering passwords, and for the most part should not even know your passwords, except for a password manager master password and device unlock codes/FDE passphrases. For FDE passphrases, you should enter them only when powering on the device, and only in private locations where there are no cameras or observers present.
answered yesterday
R..
3,89711317
Yes, and this is one of many reasons that you should not be entering passwords, and for the most part should not even know your passwords, except for a password manager master password and device unlock codes/FDE passphrases. For FDE passphrases, you should enter them only when powering on the device, and only in private locations where there are no cameras or observers present.
answered yesterday
R..
3,89711317
answered yesterday
R..
3,89711317
answered yesterday
R..
3,89711317
answered yesterday
R..
3,89711317
3,89711317
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
|
show 9 more comments
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
9
9
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
There are certainly situations where you need to know your password, e.g. a PIN or to unlock your phone or home.
– forest
yesterday
2
2
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
I personally don't trust a password manager enough, so I would recommend compiling an open source one written in a language you understand enough to read the code, or at least a trusted open source password manager compiled by you.
– Grant Garrison
20 hours ago
4
4
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
Password managers are very much "one basket for all your eggs" - the relative cost/benefit of password vault style software might be a good question separately.
– Criggie
19 hours ago
1
1
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
But then you have to enter your PW manager password, so if they do capture one password, it's one for everything. Passworded e-ticketing apps (as I see at the station) are almost designed to force you to enter a password in a crowded public place; they appear to use short timeouts or lock when the device locks.
– Chris H
17 hours ago
1
1
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
How would you use a password manager for unlocking your smartphone?
– Pavel
17 hours ago
|
show 9 more comments
up vote
0
down vote
I would say yes, and high resolution imagery is not necessary. Speaking as a statistician, I don't even need to know the exact letter or numeral you touched (on a screen keyboard or regular keyboard), reducing each choice to 2 or 3 possible characters, based on the position of your fingers, makes an electronic guess of your password a tractable problem. Especially I would try likely combinations of letters that form word fragments; e.g. ([FR][EW][DE])="FEE", "FED", or "RED".
Or if numbers, I'd look for combinations that appear in numbers related to you: birthdays, anniversaries, for you, spouse, kids. Your phone number or house address.
On a screen or a real keyboard, I can see when you shift for special characters and guess what they are. And sometimes it is clear which key you hit, depending on the angle of the camera, narrowing some position to exactly one key. The camera can narrow the field of possible passwords considerably, and often in analysis that scores how well passwords match words and dates, the "right" password can be at the top of the scoring list.
For this reason, acronymic phrases can help defeat this. The idea is to memorize a phrase that means something to you, like "If the Seahawks win the championship I'll get drunk and dance a jig." Then make an Acronym: "ITSWTCIGDADAJ". You can teach yourself to replace some of these letters with numerals or special characters.
Without knowing the phrase in your mind, the password letters are random and uncorrelated, so unless the camera can tell which keys you hit exactly, it still won't be able to guess at the correct sequence by looking for matches to real words or dates.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
I would say yes, and high resolution imagery is not necessary. Speaking as a statistician, I don't even need to know the exact letter or numeral you touched (on a screen keyboard or regular keyboard), reducing each choice to 2 or 3 possible characters, based on the position of your fingers, makes an electronic guess of your password a tractable problem. Especially I would try likely combinations of letters that form word fragments; e.g. ([FR][EW][DE])="FEE", "FED", or "RED".
Or if numbers, I'd look for combinations that appear in numbers related to you: birthdays, anniversaries, for you, spouse, kids. Your phone number or house address.
On a screen or a real keyboard, I can see when you shift for special characters and guess what they are. And sometimes it is clear which key you hit, depending on the angle of the camera, narrowing some position to exactly one key. The camera can narrow the field of possible passwords considerably, and often in analysis that scores how well passwords match words and dates, the "right" password can be at the top of the scoring list.
For this reason, acronymic phrases can help defeat this. The idea is to memorize a phrase that means something to you, like "If the Seahawks win the championship I'll get drunk and dance a jig." Then make an Acronym: "ITSWTCIGDADAJ". You can teach yourself to replace some of these letters with numerals or special characters.
Without knowing the phrase in your mind, the password letters are random and uncorrelated, so unless the camera can tell which keys you hit exactly, it still won't be able to guess at the correct sequence by looking for matches to real words or dates.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
up vote
0
down vote
I would say yes, and high resolution imagery is not necessary. Speaking as a statistician, I don't even need to know the exact letter or numeral you touched (on a screen keyboard or regular keyboard), reducing each choice to 2 or 3 possible characters, based on the position of your fingers, makes an electronic guess of your password a tractable problem. Especially I would try likely combinations of letters that form word fragments; e.g. ([FR][EW][DE])="FEE", "FED", or "RED".
Or if numbers, I'd look for combinations that appear in numbers related to you: birthdays, anniversaries, for you, spouse, kids. Your phone number or house address.
On a screen or a real keyboard, I can see when you shift for special characters and guess what they are. And sometimes it is clear which key you hit, depending on the angle of the camera, narrowing some position to exactly one key. The camera can narrow the field of possible passwords considerably, and often in analysis that scores how well passwords match words and dates, the "right" password can be at the top of the scoring list.
For this reason, acronymic phrases can help defeat this. The idea is to memorize a phrase that means something to you, like "If the Seahawks win the championship I'll get drunk and dance a jig." Then make an Acronym: "ITSWTCIGDADAJ". You can teach yourself to replace some of these letters with numerals or special characters.
Without knowing the phrase in your mind, the password letters are random and uncorrelated, so unless the camera can tell which keys you hit exactly, it still won't be able to guess at the correct sequence by looking for matches to real words or dates.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I would say yes, and high resolution imagery is not necessary. Speaking as a statistician, I don't even need to know the exact letter or numeral you touched (on a screen keyboard or regular keyboard), reducing each choice to 2 or 3 possible characters, based on the position of your fingers, makes an electronic guess of your password a tractable problem. Especially I would try likely combinations of letters that form word fragments; e.g. ([FR][EW][DE])="FEE", "FED", or "RED".
Or if numbers, I'd look for combinations that appear in numbers related to you: birthdays, anniversaries, for you, spouse, kids. Your phone number or house address.
On a screen or a real keyboard, I can see when you shift for special characters and guess what they are. And sometimes it is clear which key you hit, depending on the angle of the camera, narrowing some position to exactly one key. The camera can narrow the field of possible passwords considerably, and often in analysis that scores how well passwords match words and dates, the "right" password can be at the top of the scoring list.
For this reason, acronymic phrases can help defeat this. The idea is to memorize a phrase that means something to you, like "If the Seahawks win the championship I'll get drunk and dance a jig." Then make an Acronym: "ITSWTCIGDADAJ". You can teach yourself to replace some of these letters with numerals or special characters.
Without knowing the phrase in your mind, the password letters are random and uncorrelated, so unless the camera can tell which keys you hit exactly, it still won't be able to guess at the correct sequence by looking for matches to real words or dates.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 3 hours ago
Amadeus
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 3 hours ago
Amadeus
101
answered 3 hours ago
Amadeus
101
101
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Amadeus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f197250%2fis-password-entry-being-recorded-on-camera-a-realistic-concern%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
3
Entering credentials in public is always a risk.
– stackzebra
18 hours ago
2
Related: Snowden's Blanket - He wouldn't use the blanket if there was no risk of seeing him type.
– Mindwin
12 hours ago