36

Is it a bad idea to post a photo of your keyboard to social media?

Can I look at a photo of a keyboard and determine the password of an account?

Assuming a certain (set of) password(s) is the most commonly typed character sequence on a given keyboard:

  • Is the resolution in the photo of that keyboard sufficient to determine the most frequently used set of keys, by analyzing the grease patterns on them?

  • If I know the most frequently used keys, is a brute force attack now feasible, since I can limit the size of the dictionary?

This question is inspired by a time I saw a door protected by a numeric keypad, where the paint was missing on three of the keys. The room number was three digits, none of which had paint on their respective keys. Unsurprisingly, the combination was the room number reversed.

Michael
formicophobia
    Just another idea: Maybe the **keyboard layout** gives a hint on which characters are in the password. English users won't for example use German umlauts. – Lukas May 13 '16 at 11:44
  • 2
    Just want to point out an outlier in this method: Gamers. My WASD keys are far, far more worn than anything else, spacebar included. EDIT: Read the comments on some answers, others have mentioned this. – WeRelic May 13 '16 at 14:00
  • 88
    "Based on our analysis, this gamer's password is some combination of W-A-S-D" – Digital Chris May 13 '16 at 14:01
  • 1
    I don't even remember when I used (needed to type) password for SE/SO/gmail/facebook... well for any site if that matters except internet banking, which I do not store inside browser, and I use iOS app (with fingerprint auth) for int. banking. So if you have picture of my keyboard you would see wsad worn off and n, m, p because those letters are "scratched" by my nails. (keyboard since 2008). – Kyslik May 13 '16 at 18:24
  • http://craphound.com/images/digital-lock-thumb.jpg – Richard May 13 '16 at 19:08
  • Just a note - this isn't too farfetched! After all, [hackers were able to reproduce Wolfgang Schauble, Germany’s interior minister, fingerprint from just a photo.](https://www.wired.com/2008/03/hackers-publish/). – BruceWayne May 13 '16 at 19:48
  • I have a very old keyboard, and most of the letters on the keycaps in the home row are worn off from use. Only one of those letters is in my password. (so I've just given out more information about my password than anyone could discern by looking at my keyboard) – Johnny May 13 '16 at 22:35
  • An interesting alternative approach is the sound of each key may give away your password. Spooks (the TV show) bugged a guy's keyboard, instructed him via social engineering to type a sheet of preset text, and then they were able to determine the keys pressed in his password at the start of the day. This seems completely plausible to me! – user3791372 May 14 '16 at 00:45
  • I game so much that my W key broke. Good luck. – ave May 15 '16 at 11:22
  • 2
    To ensure that such a picture can't leak any additional information about your password, the best approach is to post the password as well. – ruakh May 15 '16 at 19:21

7 Answers

51

In some cases yes, you can guess the most frequently used keys by the wear marks. That's how I know that apparently I use the L, M, N, A and E keys a lot - the keys are now just black, the letter is faded.

And one special key being significantly more used than the others - unless it's "{", "}" or ";" and you happen to be a programmer - could allow including that in a brute-forcing attempt, or excluding others (this is definitely NOT my keyboard, but still):

(image: dirty keyboard - not mine!)

But most people don't use the keyboard for just their passwords, and the wear pattern is also influenced by the stroke direction, angle and pressure - keys farther down the keyboard will be pressed differently from those nearer. The keys I wear faster appear to be exactly under the hand that controls them, and now that I noticed, I hit them harder than the rest (OK, also I'm a horrible typist).

The keyboard might hint (weakly, at that) at what the most frequent typed word, or anagrams thereof, might be. But that's not the same as your password except in very specific cases (e.g. an entry keypad).

In even more specific cases such as heat-conducting entry keypad, FIR or strong UV picture taken immediately after typing so that residual heat or fluorescence or phase interference from skin oils may be appreciated, you might be able to get something. But an ordinary picture conveys no such information.

So my opinion would be that keyboard pictures are mostly harmless.

On the other hand, I sometimes see Post-Its with letters and numbers on them attached to monitors and on woodboards behind selfied people, so I'd also say that it's always a very good idea to review the photos (as well as whatever else) you post to social media, looking at the goods with an attacker's eye:

  • inside view of (broken/defective/jimmied?) locks and/or brand names useful to research approaches
  • hints about location (this might be relevant to determine whether you're holidaying abroad, and estimate how long your home will be vacant)
  • valuable items (might give people ideas either about them, or about your wealth, which also could give people ideas)
  • discrepancies between what's shown and what you told anybody who might get to know, such as employer, insurance company, significant other(s), etc.

At least once, some months after this answer was posted, the last case actually happened.

LSerni
  • 15
    As a gamer I have worn out my WASD keys, along with the left shift and control, and space. Good luck guessing my password. – topher May 13 '16 at 10:44
  • 24
    @topher: it's WasDdASw, isn't it? Or maybe IDDQD. – Steve Jessop May 13 '16 at 11:04
  • 12
    There was a very public example a year ago of a documentary filming people at their workplace at a French television channel also inadvertently filming passwords pinned to the wall behind them (notably their youtube account password). The irony is that the documentary was about the large-scale cyber-attack that had just the day before knocked the channel off the airwaves for several hours! In French: https://fr.wikipedia.org/wiki/Cyberattaque_contre_TV5_Monde http://www.ladepeche.fr/article/2015/04/10/2084648-tv5-monde-laisse-trainer-mots-passe-devant-cameras-journaux-televises.html – Law29 May 13 '16 at 11:29
  • 9
    @SteveJessop IDDQD. You just brought me back in time. :) – JoErNanO May 13 '16 at 11:38
  • 25
    A few years ago, I saw a video of the Italian parliament, the seats seen from above and behind. Apart from a politician playing Solitaire on his tablet, another was logging into her mail. Her tablet *magnified the letters being used*, and the video resolution was enough to show her using her name plus a number (possibly date of birth?) as a password. The hilarious thing was that a few days earlier there had been a *scandal* whereby parties unknown had been accused of raiding that particular political group's private emails, using *advanced techniques*. Yea, right. – LSerni May 13 '16 at 11:44
  • 2
    @lserni shoulder surfing is a very advanced technique you know... – ratchet freak May 13 '16 at 13:57
  • Here's an example for why this kind of attack won't work: At my job, I type a lot - and a lot of things are about my product, which happens to be "Orange". The wear and tear on my keyboard would therefore show the word "Orange", once you've decoded those letters to form a word. Unfortunately for the attacker, my password, which is only typed once or twice a day to log in, is "Banana". – Jake May 13 '16 at 16:48
  • 1
    Damn, I wasn't able to log into your account with 'enamel' – childofsoong May 13 '16 at 19:57
  • 1
    @childofsoong, that's because after noticing how my keys had lost their *enamel*, I tried changing my password to *dirt* (mandatory xkcd link: https://xkcd.com/237/) – LSerni May 13 '16 at 22:05
  • @ratchetfreak for our newspapers surely it is. Here http://www.ilfattoquotidiano.it/2013/04/24/lespresso-hacker-rubano-mail-di-eletti-m5s-e-minacciano-di-pubblicarle/573824/ (link in Italian) they are in awe at how, after stealing a password, the hackers got access to *past* emails (emails stored in the mailbox before the password was stolen). They conclude that... this operation *must have started even before the guys were elected*. – LSerni May 13 '16 at 22:10
  • My 2012 laptop's keyboard has not yet worn out – Suici Doga May 15 '16 at 06:27
  • Fingernail length can play a part in what key labels rub off. If one were to scratch certain keys, it would look like they're pressed more than they are. – user3791372 May 15 '16 at 19:56
18

There are two different scenarios. This would be a valid question if the keyboard is used only for password typing. A numeric keypad on a door, that's something you shouldn't post on social media. But you can argue this by saying that there are special characters on your keyboard which may be included in your credentials, because normally we don't use those characters much in day-to-day work. So you'd better have a look at your keyboard before you post pics on social media :)

Dilan
  • 4
    Right, daily usage certainly covers the letters. I suppose that someone might figure out "hmm, you're not a programmer, and the `{[` key on your keyboard is really dusty which suggests you don't use those characters much, but the `}]` key isn't dusty", and conclude you probably have either a `}` or `]` in at least one of your passwords. So there's an information leak in principle but probably not major. – Steve Jessop May 13 '16 at 11:02
  • 3
    Presumably, they'd think every C++ programmer's passwords are full of !, &, and *. PHP people use a ton of $ in their passwords! –  May 13 '16 at 14:48
  • @WilliamKappler Well, as far as my experience goes, there are lots of tech-oriented people that end up using surprisingly easy passwords (at least for humans). I lost count how many times I found a dev machine or a server with a password in the likes of "123456" or "password". – T. Sar May 13 '16 at 17:45
  • @ThalesPereira simple; tech-oriented peeps know that no matter what password you use if you are target you are most likely going to get "hacked"... or passwd gets leaked etc. – Kyslik May 13 '16 at 18:13
  • 2
    At my old high school, I helped maintain the computer lab. The central server's root password was "theusual". There were almost always students in the room, and so if one teacher forgot the root password and asked a colleague, they could just reply "the usual" without the students noticing. At least that was the intention, I guess. (That was before InfoSec in schools became a thing. Or even computers. The lab was volunteer-supplied, volunteer-staffed, and volunteer-taught. The central server was running the brand-new shiny Debian 1.1 release, the student PCs MS-DOS 6.22. Fun times.) – Jörg W Mittag May 15 '16 at 16:19
6

Only if the sole purpose of the keyboard is to type one password.

Otherwise, you'll find that more frequently used keys such as vowels, WASD, and modifiers will also have oil stains and signs of wear. It becomes especially more difficult if the password is a passphrase containing natural language.

  • 1
    Exactly. Keyboards that are mostly only used for passwords (door locks) are very vulnerable for this. A keyboard on a console of a server, perhaps too. – Konerak May 15 '16 at 08:31
3

The biggest difference is in scale. A keypad on a lock is generally only used to type the password, so the password keys are the only ones being used and worn. "Any given keyboard" is generally used for much more than only typing passwords.

There are many other attacks used on keypads: video cameras watch you enter your pin, heat sensing (flir), or even using fingerprint powder to see the most used keys. (Thanks Brian Brushwood)

I battle this by using my first three fingers to cover the entire row of numbers, and I go through and touch every key, regardless of whether it's in the combo.

Stephen Spencer
2

You need to clarify the term "keyboard". If you take a pic of my keyboard, on which I am writing this text, you will surely notice some patterns and missing letters from my typing. But be aware that most of the time such keyboards are not used to enter passwords at all. Typically you rather get a heat map of the frequently used chars for a certain natural language. E.g. my a, c, e and n are no longer visible.

I thought about my passwords. When I use natural language to form complex words in it, I of course tend to use the most common chars for my language. When I use or am forced to use special chars, etc., they are hardly used in other scenarios.

Now since you are talking about security keyboards, whose purpose is entering a password, the answer is "maybe". If many people use one single password all over, then of course the patterns will be visible over time and it should be possible to create permutations of the used digits or chars. However, if many people use different passwords on this keyboard you will again only see the patterns of the frequently used digits or chars.

This will reduce the search space, but may be not enough to actually get the password as there may be other means of protection, e.g. locking the lock after n failed attempts.

Samuel
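As an added example (not code from the question or any of the answers), here is the defender's side of the argument above: how much a visible wear pattern shrinks the candidate space for the door in the question, and how far a lockout after n failed attempts goes toward making exhaustive trial impractical. The alphabet sizes, worn-key counts and lockout policy are constructed values.

```python
"""Search-space estimate for the worn-keys scenario (defender's risk calculation).

Added example, not code from the original question or answers. Every keypad,
alphabet and lockout value below is a constructed illustration.
"""
from math import comb, log2


def surjective_codes(worn_keys: int, code_len: int) -> int:
    """Codes of length code_len in which each of the worn_keys symbols is pressed
    at least once, so the set of keys used matches the wear pattern exactly
    (inclusion-exclusion count of surjections from positions onto keys)."""
    if worn_keys <= 0 or worn_keys > code_len:
        return 0
    return sum((-1) ** i * comb(worn_keys, i) * (worn_keys - i) ** code_len
               for i in range(worn_keys + 1))


def entropy_loss_bits(alphabet_size: int, worn_keys: int, code_len: int) -> float:
    """Bits of guessing entropy the wear pattern removes, relative to a code
    drawn uniformly from the full alphabet."""
    candidates = surjective_codes(worn_keys, code_len)
    if candidates == 0:
        raise ValueError("more worn keys than positions: wear pattern is inconsistent")
    return log2(alphabet_size ** code_len) - log2(candidates)


def seconds_to_exhaust(candidates: int, attempts_before_lockout: int,
                       lockout_seconds: float, seconds_per_attempt: float = 2.0) -> float:
    """Worst-case wall-clock time to try every candidate on a device that locks
    for lockout_seconds after attempts_before_lockout consecutive failures."""
    if candidates <= 0:
        return 0.0
    if attempts_before_lockout <= 0:
        return float("inf")  # permanent lockout: exhaustive trial is impossible
    lockouts = (candidates - 1) // attempts_before_lockout
    return candidates * seconds_per_attempt + lockouts * lockout_seconds


def keypad_risk(alphabet_size: int, worn_keys: int, code_len: int,
                attempts_before_lockout: int, lockout_seconds: float) -> dict:
    """Summarise how much the wear pattern helps versus how much the lockout hurts."""
    candidates = surjective_codes(worn_keys, code_len)
    return {
        "candidates": candidates,
        "full_space": alphabet_size ** code_len,
        "entropy_loss_bits": round(entropy_loss_bits(alphabet_size, worn_keys, code_len), 2),
        "seconds_to_exhaust": seconds_to_exhaust(candidates, attempts_before_lockout, lockout_seconds),
    }


if __name__ == "__main__":
    # The door from the question: ten digit keys, three worn, three-digit code,
    # with a constructed policy of five tries followed by a five-minute lockout.
    print(keypad_risk(10, 3, 3, 5, 300))
    # A general keyboard: 95 printable keys, six visibly worn, ten-character password.
    print(keypad_risk(95, 6, 10, 5, 300))
```

The first scenario leaves only six candidates, and a five-attempt lockout adds a single five-minute wait, which is why a single-purpose keypad needs a longer code or a rotation policy rather than a lockout alone; the second scenario still leaves over sixteen million candidates before any lockout is counted.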
1

I think it would be possible to somewhat significantly reduce the search set, but it largely depends on the resolution of the picture and the worn state of the keyboard. With a visibly worn or dirty keyboard (dirt on the edge of keys could serve the same purpose), you would first establish the possible alphabet, with each key weighted at 1.0. Then establish a baseline. Analyze LOTS of photos of keyboards for which you already know the password, and weight the globally most used keys for a specific culture lower than the rest. This process will reduce vowels' weight for example. Then reduce the alphabet by removing the least used keys (since a password is likely to be typed in relatively often), and prepare a dictionary with the keys you have left.

All this is pretty pointless, however; there are much easier ways to hack someone than bruteforcing their password. So long as you use a relatively long password (8+ chars) and include symbols, upper and lower case, and numbers, there is very little chance someone will obtain your password by bruteforcing it.

  • 1
    I'm pretty sure that password-typing is a negligible fraction of what happens on any general-purpose keyboard. If that's the case, analyzing the keyboard tells you so little about passwords that it may as well be zero. – David Richerby May 14 '16 at 06:40
0

Keyboard-wise, I'd consider this a minor concern unless I was using the same password for everything. If you're using a different password for everything and changing them reasonably regularly, you're probably fine. Add this to the fact that if you're using the keypad for other things you're going to get a much different wear pattern than just P A S W O R D being worn, and you've probably not much to worry about.

If like me you're an avid FPS player, (and unlike me you've got one password for everything) by the time wear is visible on the password keys, your WSAD keys are going to be worn as well, you're probably ok.

That said, change your passwords regularly and use a random generator to create memorable random passwords. The Dice PassPhrase Generator is a good place to start. With a bit of Excel wizardry you can create your own password generator based off these principles and presto - memorable random passwords.

Miller86