Typeprint Security Considered Harmful 

A recent article in Science News (13 Jan 2007) talked about the state of the art in typeprint security (requiring a consistent rhythm to the typing of your password). I see the entire concept as having at least two insurmountable problems with regard to password verification (and probably other uses as well):

1. I don't use my laptop in the same way at all times. Most notably, I log in every day on the bus. The computer’s on my lap, instead of a desk, which probably changes my typing pattern slightly. More drastically, the bus is moving, and the bounciness makes me change the timing between keystrokes.

2. Who types passwords anyway? Most web site passwords are remembered in some fashion (on Mac OS X, in a Keychain). They’re entered automatically by the web browser.

3. Remote login (e.g. via SSH) may have unpredictable latencies which will vary by key, and throw off the scheme.

They’re also thinking of using patterns of mouse movements. This fails too:

1. I use a trackpad on my laptop, a mouse on my desktop computer. The patterns can’t be the same.

2. Sometimes due to incipient carpal tunnel problems, I switch to mousing left-handed. (I had to do this for months a few years ago when I switched desks and came close to serious carpal tunnel syndrome.) In fact, when I use my server, I always mouse left-handed. I’m pretty sure this will result in different patterns as well.

A final technique to identify people people is a writeprint, which analyzes their language usage. This might be better, though I suspect my own writing differs somewhat in writeprint depending on whether I’m writing something formal or informal. 

Posted: Sat - February 3, 2007 at 08:19 PM