
More and more web sites use, for authentication, digit keyboards with randomized positions instead of a password. Like this:


Could someone explain to me the idea of this instead of the usual login and password?

I have an idea that it seems to be more secure because if you capture someone's traffic you'll get only the coordinates clicked, and these coordinates are different every time.

But in this case the server should transfer the position of each button to the client to make the latter able to display it correctly (4 is in the top left corner, 8 in the bottom left, etc.).

If the traffic can be captured, we can capture the position of each digit and the coordinates clicked afterwards.

Why is it more stable than a common login / password with HTTPS encryption?

Vitalii
    I have seen physical badge readers with keypads that randomize the position of the numbers, presumably to prevent someone from determining which buttons you pressed. Perhaps it was based off of this concept, even though it's not actually needed? – David K Feb 23 '17 at 13:19
  • See http://thehackernews.com/2016/11/hack-wifi-password.html – Eugene Osovetsky Feb 23 '17 at 15:35
  • I guess it's also helpful if someone is watching you out of the corner of their eye; if the numbers aren't in their usual place and the person can't see clearly, this is helpful. – Academiphile Feb 23 '17 at 17:32
    ugh. this reminds me of the time I entered a PIN for a new debit card at my bank in the bank, memorizing the positions of the keys I hit, only to not have the PIN work at the ATM right outside because the key positions were mirrored. – Michael Feb 23 '17 at 19:07
  • http://security.stackexchange.com/q/29742/971, http://security.stackexchange.com/q/22774/971 – D.W. Feb 24 '17 at 11:57
  • I don't think this is a duplicate, since this is specifically about *randomized* virtual keypads. It may need a bit of reformulating to separate that, though. – Bobson Feb 24 '17 at 21:16

5 Answers


Other answers have talked about key loggers, and how they would defeat this mechanism, but I can think of other attacks it would protect against:

  • Looking at the grease marks on a touch screen where somebody regularly enters the same code. For instance, the code to unlock a phone, or a door entry system where the screen isn't used for anything else.
  • Shoulder surfing, where the attacker can see the movement of the user's hand, but not what's on the screen. This could be somebody physically behind the user whose view is partially obstructed, or it could be a camera that doesn't have the screen in its field of view.
IMSoP
  • I think the relative positioning has some bearing. I'm with you, though - seems like something a "movie hacker" would take advantage of.. – Anthony Horne Feb 23 '17 at 13:44
  • If e.g. a ten-digit keypad is used primarily for entering a six-digit security code, observing that six keys are worn would reduce the search space from 1,000,000 possibilities to 720. If five were worn, the number of possibilities (assuming a six-digit code) would be 1800 or 360, depending upon whether it was obvious which button was used twice. I don't know that a touch screen would normally suffer from such issues, but keyboards certainly can. – supercat Feb 23 '17 at 18:05
    Slowing down people and making them scan around the numbers may not be the best way to protect against shoulder surfing. – Jon Hanna Feb 23 '17 at 22:54
  • @JonHanna Sure, it's not fool-proof, but if you can't see the screen, it doesn't matter how long somebody takes to find the right buttons on it, because you still don't know which ones they pressed. They might spend 5 minutes and press the top right corner, but when you get to the screen, a different button will be in the top right corner, so you've learned nothing. – IMSoP Feb 24 '17 at 10:00
  • @IMSoP and with most systems they might hold their wallet over their hand and key it quickly and you've learned even less. – Jon Hanna Feb 24 '17 at 10:07
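The grease-mark point above, and the numbers in supercat's comment (six worn keys leave 720 candidates for a six-digit code; five worn keys leave 1800 or 360 depending on whether the doubled key is obvious), can be checked with a small counting routine. This is an added example, not code from the thread; it generalizes the comment's arithmetic to any code length and any number of worn keys, using inclusion-exclusion for the "every worn key used at least once" case and a multinomial count when wear also reveals how often each key was used. It shows why a fixed keypad that records wear shrinks the search space so drastically, and hence what a randomized layout takes away from an attacker.

```python
from math import comb, factorial
from typing import Iterable, Optional, Tuple

# Size of the keypad alphabet (digits 0-9); assumption for this example.
KEYPAD_DIGITS = 10


def sequences_using_every_key(code_len: int, worn_keys: int) -> int:
    """Number of codes of length `code_len` built from exactly `worn_keys`
    distinct digits, each used at least once.

    This is the count of surjections from code positions onto the worn keys,
    computed by inclusion-exclusion:
        sum_{i=0..k} (-1)^i * C(k, i) * (k - i)^n
    """
    if worn_keys <= 0 or worn_keys > code_len:
        return 0  # a worn key that never appears in the code is impossible
    return sum(
        (-1) ** i * comb(worn_keys, i) * (worn_keys - i) ** code_len
        for i in range(worn_keys + 1)
    )


def sequences_with_known_counts(counts: Iterable[int]) -> int:
    """Candidates when wear also shows how often each worn key was pressed,
    e.g. counts=[2,1,1,1,1] means one key obviously used twice.

    The code is then a known multiset of digits, and the candidates are its
    distinct orderings: n! / (c1! * c2! * ...).
    """
    counts = [c for c in counts if c > 0]
    total = factorial(sum(counts))
    for c in counts:
        total //= factorial(c)
    return total


def search_space(code_len: int, worn_keys: int,
                 known_counts: Optional[Iterable[int]] = None) -> Tuple[int, int]:
    """Return (full search space, search space after reading key wear)."""
    full = KEYPAD_DIGITS ** code_len
    if known_counts is None:
        reduced = sequences_using_every_key(code_len, worn_keys)
    else:
        reduced = sequences_with_known_counts(known_counts)
    return full, reduced


if __name__ == "__main__":
    # Constructed scenarios mirroring the comment: a six-digit code on a
    # ten-key pad, with six or five keys visibly worn.
    for label, args in [
        ("6 worn keys", (6, 6)),
        ("5 worn keys, doubled key unknown", (6, 5)),
        ("5 worn keys, doubled key known", (6, 5, [2, 1, 1, 1, 1])),
        ("4-digit PIN, 4 worn keys", (4, 4)),
    ]:
        full, reduced = search_space(*args)
        print(f"{label}: {full} -> {reduced} candidates "
              f"({full // reduced}x smaller)")
```

The randomized layout defeats this because the worn positions no longer correspond to fixed digits, so the "worn" set gives the attacker nothing about which digits were pressed; the surjection count falls back to the full space.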

Using a randomized software keyboard for password input is based on the misconception that it can prevent key loggers. It can somewhat effectively prevent hardware key loggers from capturing the login data.

In a weak sense, it also prevents some naive software key loggers from capturing login data; however, as you correctly mentioned, a slightly better keylogger can trivially take screencaps as well to defeat this measure, and a more sophisticated one can just install a browser add-on to capture the password before it's sent to the server.

Since hardware key loggers are much rarer than software key loggers, on most sites where such a randomized software keyboard is implemented it is really only a sign that the developer is unaware that such measures are ineffective against most keyloggers.

Lie Ryan
    It is effective against "unprivileged" keyloggers though, i.e. mobile apps that use wireless signal strength or accelerometer information to deduce touch position information. Many apps have sufficient privileges to query either or both, and this is a common threat in the wild. – Simon Richter Feb 23 '17 at 13:28
  • This can also be signaling behaviour. Clueless users can be convinced that the web page has security measures much more easily by using something like this than by other, less visible measures. – Theraot Feb 23 '17 at 13:36
  • On phones, if you enter a password often enough, you can see the finger oil if you rotate the device just right. This doesn't give you the actual code, but it does give you likely numbers. This method discards that (though via obstruction). – Martijn Feb 23 '17 at 14:59
    @Martijn That is what I said in my answer; if I hadn't, you could have posted it as a new answer yourself. Comments on answers are for clarifying or questioning that particular answer, not discussing the question in general. – IMSoP Feb 23 '17 at 15:06
    @SimonRichter I had no idea that was a thing. Are there any "Good guy" Android apps that demonstrate this? I'd like to see it in action. – TMH Feb 24 '17 at 10:46
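The mechanism the question describes (server sends a shuffled layout, client sends only button positions, server maps them back) and the keylogger distinction in the answer above can be made concrete with a small simulation. This is an added example written for this page, not code from the thread or from any real bank or site; the JSON message shapes, the `KeypadServer` class and the session handling are assumptions chosen to illustrate the point. It shows both observers the question asks about: one who captures the layout going down and the positions coming back recovers the PIN outright, while one who sees only positions (a hardware keylogger or a shoulder surfer who cannot see the screen) gets a string that is useless under the next layout.

```python
import json
import secrets
from typing import Dict, List

DIGITS = list("0123456789")


def decode(layout: List[str], positions: List[int]) -> str:
    """Map button positions (0 = top left ... 9 = bottom right) back to digits
    using the layout that was on screen when they were pressed."""
    return "".join(layout[p] for p in positions)


class KeypadServer:
    """Hypothetical server side of a randomized-keypad login (constructed for
    this example). Each session gets a fresh shuffled layout, remembered
    server-side so clicked positions can be mapped back to digits."""

    def __init__(self, stored_pin: str, rng=None):
        self.stored_pin = stored_pin
        # Injectable RNG so the behaviour can be pinned down in tests;
        # a real deployment would keep the cryptographic default.
        self.rng = rng or secrets.SystemRandom()
        self.layouts: Dict[str, List[str]] = {}

    def start_session(self) -> str:
        """Message sent to the browser: session id plus the digit shown at
        each button position. This is what the question notes must be
        transferred for the client to draw the keypad at all."""
        layout = DIGITS.copy()
        self.rng.shuffle(layout)
        session = secrets.token_hex(8)
        self.layouts[session] = layout
        return json.dumps({"session": session, "layout": layout})

    def login(self, client_msg: str) -> bool:
        """Verify a click sequence; the layout is consumed, so an old message
        replayed later (or a second try on the same session) is rejected."""
        msg = json.loads(client_msg)
        layout = self.layouts.pop(msg.get("session", ""), None)
        positions = msg.get("positions", [])
        if layout is None or not all(isinstance(p, int) and 0 <= p <= 9 for p in positions):
            return False
        return secrets.compare_digest(decode(layout, positions), self.stored_pin)


def client_enter_pin(server_msg: str, pin: str) -> str:
    """Browser side: the user presses the buttons showing the PIN digits;
    only the session id and the button positions go back over the wire."""
    msg = json.loads(server_msg)
    positions = [msg["layout"].index(d) for d in pin]
    return json.dumps({"session": msg["session"], "positions": positions})


def parse_layout(server_msg: str) -> List[str]:
    return json.loads(server_msg)["layout"]


def parse_positions(client_msg: str) -> List[int]:
    return json.loads(client_msg)["positions"]


def observer_with_both_messages(server_msg: str, client_msg: str) -> str:
    """Passive observer who captured both directions (plaintext traffic, or a
    keylogger that also grabs the screen): the PIN falls straight out."""
    return decode(parse_layout(server_msg), parse_positions(client_msg))


if __name__ == "__main__":
    # Constructed demo: PIN "1835", two logins under two random layouts.
    server = KeypadServer("1835")
    for attempt in range(2):
        down = server.start_session()
        up = client_enter_pin(down, "1835")
        print("positions on the wire:", parse_positions(up))
        print("server accepts:", server.login(up))
        print("observer with both messages recovers:", observer_with_both_messages(down, up))
        print("same positions under a fresh layout spell:",
              decode(parse_layout(server.start_session()), parse_positions(up)))
```

The last line of each loop iteration is the position-only observer's view: the same four positions decode to a different, unrelated digit string once the layout changes, which is exactly why a hardware keylogger learns nothing durable, and why an observer who also has the layout (no TLS, or screen capture) is not hindered at all.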

This is commonly used by banks. As already explained, it provides additional security against keyloggers. It also prevents the password from being directly stored in the browser, which is poor security practice if no master password is used. It should be noted anyway that it has an important drawback: it prevents the user from using a long random password stored in a password manager.

The rationale behind that is that banks have no confidence in users being able to choose and manage strong passwords, so at least they make sure that the user has not stored their password in the browser without a master password.

TL/DR: it adds no security for users actually concerned with best security practices, but it limits the worst security practices that too many users would apply.

Serge Ballesta
  • I could see this being helpful if it is the PIN in a password + PIN approach, where you need to know both. Make this the fallback if the user refuses to enable real two-factor; at least there would be something else that's a little harder to capture. In a world where people re-use passwords all the time, it might be enough to protect a bank account from a shared password that was compromised at another site. – Joel Coehoorn Feb 23 '17 at 18:47

This is really only protection against a keylogger. Keyloggers now can capture both your keystrokes and your mouse movement information, so moving the digits around each time makes the keylogged data useless, because they won't be sure what number you pressed.

Ryan Kelso

1. It is harder to automate entry

The last time I saw this was on a game website where people had the tendency to let trivial bots play for them. If you have a traditional PIN entry field, you can just program the bot to copy the PIN, or click on the designated spots. Now someone would need to make their bot smarter (possibly even smarter than minimally needed to play the game) before they would be able to run the game fully automated.

Following the same logic, this could also be used to make brute force cracking harder, but there throttling should do the trick so I don't think this is the underlying thought.

2. It discourages people from choosing trivial passcodes

Though I am not sure whether this is the key objective, this has definitely been an effect for me.

I recently used an application where I did not really care much about the security, and considered choosing 1111 as the code for each account because that would be easy to choose and enter.

However, the key randomization made me realize that

  • This pin matters (even if it is just a little bit)
  • It would not be quicker to enter 1111 than something like 1835

As a result I ended up with a somewhat less trivial pin code.

Dennis Jaheruddin
  • The checks are client-side, so #1 only applies to client-side automation. The process also slows down users entering their password, thus they are more likely to simplify their password (so #2 is not true). – Gigi Jun 29 '17 at 08:16
  • Point 2 is based on a fixed length requirement (e.g. 4 digit PIN). – Dennis Jaheruddin Jul 05 '17 at 10:40