User Perceptions of Defensive Techniques Against Keystroke Timing Attacks During Password Entry

To protect the password from visual attacks, most password entry screens use a password masking scheme that displays a series of placeholder characters (e.g., dots and asterisks) instead of the actual password. Recent research has however shown the security provided by this form of password masking to be weak against keystroke timing-analytics attacks. The underlying idea behind these attacks is that, even when a password is masked as described above, the timing between consecutive placeholder characters gives away information about the password since the relative locations of characters on the keyboard dictate how fast fingers move between them. In this paper we argue that, for security-sensitive applications, password masking mechanisms ought to hide the true intervals between password characters in order to overcome these kinds of attacks. Making adjustments to these timings however has the potential to pose usability issues given the fact that the typing would not perfectly align with the display of typed content. The paper proposes 3 different password masking schemes and undertakes a usability evaluation on them. Our early results suggest that user receptiveness to two of the schemes is not much worse than that seen with the conventional (insecure) scheme.