Computer scientists at the University of California at Berkeley have found a new way to crack computer passwords: By listening.
Professor Doug Tygar and graduate student Li Zhuang use off-the-shelf microphones to record keystroke sounds and run the noise through a modified program originally designed to recognize human speech. On its first pass, the program correctly identifies only half the typed letters. The results are then fed through software that spots spelling and grammar errors. Data from these programs are used to train the keystroke recognizer, so that it gets more accurate with each pass. By the third run, "we get 96 percent of all the characters," said Tygar.
Tygar said that when assigned to crack a 10-digit password, the software replies with 75 possibilities. "This means we can break into one of every 75 people's accounts, on the first try," he said.
Even more alarming, sound snoopers don't need direct access to the computer. They could aim a sensitive parabolic antenna from a building across the street. They might tap the target's telephone and collect keystroke sounds from its microphone. Many computers even have built-in microphones that "Trojan horse" software could trick into switching on and relaying the sounds to a remote location.
Tygar said that computer users should adopt alternatives, such as "two-factor authentication," produced by companies like RSA Security Inc. of Bedford. This method involves two passwords -- the typical kind, and a second numerical one generated by an electronic device. The second password changes once a minute.
"That sort of system would be robust against our attack," said Tygar, "because you'd never type in the same password twice."
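The point about never typing the same password twice can be shown in code. The following is an added example, not code from the article, the researchers or RSA: it assumes the standard RFC 6238 time-based one-time password with a 60-second step as a stand-in for the device (the article does not describe the device's algorithm), and the `Verifier` class, secret, password and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the article says the second password changes once a minute


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code for the 60-second window containing `now`."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: checks password + code, rejects reused windows."""

    def __init__(self, password: str, secret: bytes):
        self._password = password
        self._secret = secret
        self._last_window = -1  # last time window that produced a successful login

    def login(self, password: str, code: str, now: float) -> bool:
        window = int(now) // STEP
        expected = totp(self._secret, now)
        ok = (hmac.compare_digest(password.encode(), self._password.encode())
              and hmac.compare_digest(code.encode(), expected.encode()))
        if not ok or window <= self._last_window:
            return False  # wrong credentials, or a code from an already-used window
        self._last_window = window
        return True


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    server = Verifier("hunter2-sample", secret)
    t0 = 1_700_000_000.0  # constructed timestamp
    typed = ("hunter2-sample", totp(secret, t0))  # everything the user typed at t0
    return {
        "user_login": server.login(*typed, now=t0),
        "replay_same_minute": server.login(*typed, now=t0 + 5),
        "replay_next_minute": server.login(*typed, now=t0 + STEP),
        "static_password_only": server.login(typed[0], "", now=t0 + STEP),
        "user_next_login": server.login(
            typed[0], totp(secret, t0 + 2 * STEP), now=t0 + 2 * STEP),
    }
```

Everything typed at `t0` is useless afterwards: the code is refused within the same minute because its window has been used, and in later minutes because the expected code has changed.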
The research was subsidized by the US Postal Service and the National Science Foundation as part of a program to identify computer security threats.