Professor Doug Tygar and graduate student Li Zhuang have proved that it is possible to crack passwords by listening to keystroke sounds even without direct access to the computer.


Boston.com reports that Professor Doug Tygar and graduate student Li Zhuang conducted research subsidized by the US Postal Service and the National Science Foundation as part of a program to identify computer security threats.

Using microphones, they recorded keystroke sounds and ran the noise through a modified program originally designed to recognize human speech. On its first pass, the program correctly identified only half the typed letters. The results were then fed through software that spots spelling and grammar errors. Data from these programs were used to train the keystroke recognizer, so that it became more accurate with each pass. According to Tygar, by the third run they get 96 percent of all the characters.

Tygar said that when assigned to crack a 10-digit password, the software returns 75 possibilities. He says, “This means we can break into one of every 75 people’s accounts, on the first try.”

Even more alarming, sound snoopers don’t need direct access to the computer. They could aim a sensitive parabolic antenna from a building across the street. They might tap the target’s telephone and collect keystroke sounds from its microphone. Many computers even have built-in microphones that “Trojan horse” software could trick into switching on and relaying the sounds to a remote location.

Tygar suggests that computer users should use “two factor authentication” products from companies like RSA Security Inc. of Bedford. This method involves two passwords: the typical kind and a second, numerical one generated by an electronic device. The second password changes once a minute.

Tygar said, “That sort of system would be robust against our attack because you’d never type in the same password twice”.
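
The rotating second password described above, as an added example that is not from the article or from RSA: it substitutes the open TOTP algorithm (RFC 6238) for RSA's proprietary token algorithm, and assumes a 6-digit code and the RFC's published test secret. It shows the server rejecting a code that is replayed after being overheard once.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code; the article says the code changes once a minute
DIGITS = 6     # assumed code length, not stated in the article

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time window containing `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side (hypothetical helper): accepts each window's code at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time window already consumed

    def check(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        if counter <= self.last_counter:
            return False         # replay inside an already-used window
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False         # stale or wrong code
        self.last_counter = counter
        return True

def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    t0 = 1_700_000_000                 # constructed login time
    verifier = Verifier(secret)
    overheard = totp(secret, t0)       # the code a listener would recover
    return {
        "legit_login": verifier.check(overheard, t0),
        "replay_same_minute": verifier.check(overheard, t0 + 10),
        "replay_next_minute": verifier.check(overheard, t0 + 60),
    }

if __name__ == "__main__":
    print(demo())
```

The static first password remains exposed to the listening attack; only the rotating code loses its value once it has been used or its minute has passed.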
