Davey Winder recently published an article in Forbes revealing the results of University of Texas and University of Oklahoma research that was able to predict a password with 93% accuracy just by observing shoulder movements on Zoom. He tells us about the research, then calms our fears about how unlikely this scenario would be to play out with similar results in the real world, and finally boils it down to what you really need to do to protect your passwords.
If you would like to read the article yourself, here is a link:
If you want the quick overview - here you go.
Study on Keystroke Inference Attacks -
In real life, if someone watches you type in a password and then uses those observations to hack your password, it's called a shoulder-surfing attack. According to the article, in order to perform the test keystroke inference attacks "Newton's third law of motion was used: whatever your personal typing style, when you press a key, a 'reaction force' in the opposite direction is produced. This force then moves from the fingers on the keyboard all the way to the shoulder muscles and joints, which absorb it. This force creates small and subtle, but measurable, movements of the shoulders. Because each finger, connected by different wrist bones with different joints in the Carpus area, the researchers write, 'the reaction force of a keystroke propagates slightly differently through the arm and shoulder muscles and joints, depending on which finger was used to press the key.'"
Reasons You Probably Shouldn't Panic -
- Most of us aren't so important that the resources required to decode a password through Zoom would be viable.
- The software to decode the movements is not actually in the hands of hackers (although if the universities can create it, the hackers probably could too).
- The video must be recorded and be a notably high resolution.
What do you really need to do to protect your passwords?
Winder suggests "As always, get the basics right and you mitigate the most meaningful threats out there."
1) Use strong and unique passwords that are not shared between services.
2) Apply two-factor authentication wherever you can.
3) Keep your software and operating systems up to date.
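The first of Winder's three basics, strong passwords that are never reused across services, is the one you can check for yourself. The Python below is an added example written for this summary; it is not code from the Forbes article or the university research. It generates a password from the operating system's secure random source, estimates its entropy in bits, and flags any password that appears under more than one service in a (constructed, hypothetical) credential list. The alphabet, the 12-character minimum and the sample services are assumptions chosen for illustration.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Assumed character set: printable ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample credential list (hypothetical services and passwords, not real data).
SAMPLE_CREDENTIALS = {
    "mail.example":    "correct-horse-battery",
    "bank.example":    "J7#qPx!2vL9&mRt@",
    "forum.example":   "correct-horse-battery",   # same password as mail.example
    "shop.example":    "Wn4$kZ8^bQe1*Hy!",
}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly at random from `alphabet`.

    `secrets.choice` uses the OS CSPRNG, unlike `random`, which must not be
    used for secrets. The 12-character floor is an assumed policy minimum.
    """
    if length < 12:
        raise ValueError("length below 12 gives too little entropy for a primary password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size` symbols.

    This is the guessing-resistance of a *randomly generated* password; a
    human-chosen password of the same length is typically far weaker.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used for more than one service to the services sharing it.

    A reused password means one breached service exposes every service on the list.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    return {pw: sorted(svcs) for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    for reused, services in find_reused_passwords(SAMPLE_CREDENTIALS).items():
        print(f"reused across {services}: {reused!r}")
```

A password manager does the generation and the reuse check for you across every login; this script only makes visible what "strong and unique" means in numbers, and which entries in a list would fail that test.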