The Heated Debate Around Password Security
By incorporating deep learning into thermal attacks, researchers can recover passwords from keyboard heat signatures with greater accuracy.
Despite all of the headlines about hacks and data breaches that show up far too frequently in our news feeds, even the most basic of security guidelines are regularly disregarded. When people use simplistic, easy-to-guess passwords to secure their accounts, for example, it makes the work of bad actors much easier. A recent report by Forbes revealed that 59% of Americans use a person’s name or birthday in their password. And these bad passwords are reused an average of 14 times across different accounts. But if you use a more complex, unguessable password, then you are safe, right?
Not exactly. Better passwords will certainly help to keep your accounts more secure, but cyber crooks always seem to be one step ahead of the current best security practices. One of the latest tools to emerge in the toolkits of unscrupulous hackers is called a thermal attack. With the cost of capable thermal cameras now below $150, this type of exploit is becoming more common. To pull off this attack, a thermal image of a keyboard, or other input device, is captured within about 30 to 60 seconds after a user has typed in their login credentials. Areas of the input device that have been touched will be warmer than other areas, and the more recently they were touched, the warmer they are. That provides enough information to determine what was pressed and, more or less, in what order.
Thermal attacks are not an entirely new concept, but the rate of success has varied quite a bit between studies. Researchers from the University of Glasgow have just published their work that improves upon the technique by incorporating deep learning into the process. By doing so, they have made it possible to locate the position of a keyboard in a thermal image, determine which keys were pressed with a high degree of accuracy (including keys pressed multiple times), distinguish between the username and password portions of the entry, and determine the order in which keys were pressed.
Called ThermoSecure, the technique first uses a Mask R-CNN implementation to determine the exact positioning of the keyboard within the thermal image. Naturally, if this positioning information is inaccurate, all downstream calculations will also be off. A typical keyboard layout is then assumed, and a blob detection algorithm is used to determine which keys have been pressed. Next, a K-means clustering algorithm is employed to detect clusters of key presses, which provides information about keys that have been pressed more than once. The order of key presses is determined by using a simple algorithm that sorts the pressed keys by their mean, minimum, and maximum temperatures. Finally, the username and password are separated by using the largest temperature transition threshold as a delimiter.
A pair of user studies were conducted to assess the utility of ThermoSecure under real-world conditions. It was found that 86% of passwords could be recovered when the thermal images were captured within 20 seconds. That dropped to 76% after 30 seconds, and 62% after 60 seconds. As might well be expected, the technique was most effective with shorter passwords: 16-character passwords were revealed 67% of the time, whereas six-character passwords were discovered 100% of the time.
Some practical safety tips also came out of the user studies. It was found, for example, that it was more difficult to recover passwords from touch typists than hunt-and-peck keyboard users, the latter group tending to leave their fingers on keys for longer. Keyboard material also mattered, with ABS plastics retaining heat considerably longer than PBT plastics. Longer passwords do help with security, to be sure, but thanks to tricks like thermal attacks, they may not be enough by themselves.
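To see why capture delay and keycap material matter so much, here is a toy model added for illustration (it is not ThermoSecure's code). It applies the ordering and username/password split described above to simulated readings, then measures how much of the key order a sensor can still resolve as the keys cool. The cooling law, every constant, the sample keystrokes, and the use of a single reading per key instead of mean, minimum and maximum temperatures are assumptions, and nothing is calibrated to the study's figures.

```python
import math

# Toy model. Every constant here is an assumption, not a value from the study.
AMBIENT_C = 22.0      # room temperature
TOUCH_RISE_C = 6.0    # key surface rise right after a press
SENSOR_STEP_C = 0.05  # smallest temperature difference the camera resolves

# Constructed sample: (key, press time in s); username, a pause, then password.
PRESSES = [("k", 0.0), ("a", 0.3), ("t", 0.6), ("e", 0.9),
           ("w", 3.0), ("3", 3.3), ("r", 3.6), ("p", 3.9), ("x", 4.2), ("9", 4.5)]

def readings(presses, delay_s, tau_s):
    """Sensor reading per key, in whole sensor steps, delay_s after the last press."""
    capture = presses[-1][1] + delay_s
    out = {}
    for key, t in presses:
        # Exponential (Newton) cooling toward ambient with time constant tau_s.
        temp = AMBIENT_C + TOUCH_RISE_C * math.exp(-(capture - t) / tau_s)
        out[key] = round(temp / SENSOR_STEP_C)
    return out

def order_and_split(steps):
    """Coolest key first (pressed earliest); split at the largest temperature jump."""
    ranked = sorted(steps.items(), key=lambda kv: kv[1])
    jumps = [b[1] - a[1] for a, b in zip(ranked, ranked[1:])]
    cut = jumps.index(max(jumps)) + 1
    keys = [k for k, _ in ranked]
    return keys[:cut], keys[cut:]

def ordered_fraction(presses, delay_s, tau_s):
    """Share of consecutive presses whose readings still differ in the right order."""
    steps = readings(presses, delay_s, tau_s)
    vals = [steps[k] for k, _ in presses]
    kept = sum(1 for a, b in zip(vals, vals[1:]) if b > a)
    return kept / (len(vals) - 1)

if __name__ == "__main__":
    for tau in (25.0, 10.0):  # slower- vs faster-cooling keycaps (assumed values)
        for delay in (5, 20, 30, 60):
            frac = ordered_fraction(PRESSES, delay, tau)
            print(f"tau={tau:>4}s  delay={delay:>2}s  order kept={frac:.2f}")
```

In this model the order is fully resolvable a few seconds after typing and collapses into ties as the per-key differences fall below the sensor step, which happens sooner for the faster-cooling keycap.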