State of Cybercrime

Password Expert Per Thorsheim on Biometrics and Keystroke Dynamics

Based in Norway, Per Thorsheim is an independent security adviser for governments as well as organizations worldwide. He is also the founder of PasswordsCon.org, an annual conference that’s all about passwords, PIN codes, and authentication. Launched in 2010, the conference brings together security professionals and academic researchers to better understand and improve authentication security.

In part one of our discussion with Per, we examined two well-known forms of authentication, passwords and hardware. In this segment he talks about a lesser-known form, biometrics, and specifically the use of keystroke dynamics to identify individuals.

Per explains, “Keystroke dynamics, researchers have been looking at this for many, many years. It’s still an evolving piece of science. But it’s being used in real life scenarios with banks. I know at least there’s one online training company in the US that’s already using keystroke dynamics to verify if the correct person is doing the online exam. What they do is measure how you type on a keyboard. And they measure the time between every single keystroke, when you are writing in a password or a given sentence. And they also look for how long you keep a button pressed and a few other parameters.”

What’s even more surprising is that it is possible to estimate someone’s gender from keystroke dynamics alone. Per says, “With 7, 8, 9 keystrokes, they would have a certainty in the area of 70% or more…and the more you type, if you go up to 10, 11, 12, 15 characters, they would have even more data to figure out if you were male or female.”

Those who don’t want to be profiled by their typing gait can try the Keyboard Privacy extension built by Per Thorsheim and fellow infosec expert Paul Moore.
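The following is an added example, not code from Per Thorsheim, Paul Moore or the Keyboard Privacy extension: a toy fixed-text keystroke-dynamics verifier that uses the two parameters Per describes (how long each key is held, and the time between key presses), builds a profile from a few enrolment samples, and then shows what happens to the match when each keystroke event is delayed by a random 0 to 50 ms before the page sees it. The phrase, all timings, and the 10 ms acceptance threshold are constructed assumptions for illustration, not measurements of anyone.

```javascript
// Added example: fixed-text keystroke dynamics and the random-delay defence.
// Not the Keyboard Privacy extension's code; every timing here is constructed.

// Timing features from a raw keydown/keyup event stream (times in milliseconds).
function extractFeatures(events) {
  const pending = new Map(); // key -> queue of keydown times (handles repeated letters)
  const dwell = [];          // hold time per key: keyup - keydown
  const flight = [];         // down-down latency between consecutive keys
  let lastDown = null;
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === 'down') {
      if (lastDown !== null) flight.push(e.t - lastDown);
      lastDown = e.t;
      if (!pending.has(e.key)) pending.set(e.key, []);
      pending.get(e.key).push(e.t);
    } else if (e.type === 'up' && pending.has(e.key) && pending.get(e.key).length) {
      dwell.push(e.t - pending.get(e.key).shift());
    }
  }
  return [...dwell, ...flight];
}

// Constructed event stream for typing `keys` with given hold and down-down times.
function typingEvents(keys, dwellMs, flightMs) {
  const events = [];
  let t = 0;
  keys.forEach((key, i) => {
    events.push({ key, type: 'down', t });
    events.push({ key, type: 'up', t: t + dwellMs[i] });
    if (i < keys.length - 1) t += flightMs[i];
  });
  return events.sort((a, b) => a.t - b.t);
}

// Enrolment: per-feature mean over several samples of the same phrase.
function buildProfile(samples) {
  const n = samples[0].length;
  if (!samples.every((s) => s.length === n)) throw new Error('samples differ in length');
  return samples[0].map((_, j) => samples.reduce((acc, s) => acc + s[j], 0) / samples.length);
}

// Verification score: mean absolute deviation from the profile, in ms (lower is closer).
function distance(profile, probe) {
  if (profile.length !== probe.length) throw new Error('feature length mismatch');
  return profile.reduce((acc, p, j) => acc + Math.abs(p - probe[j]), 0) / profile.length;
}

// The defence in spirit: delay every keystroke event by a fresh random amount before
// the page sees it. `nextDelay` supplies the delay for each event, in event order.
function jitterEvents(events, nextDelay) {
  return events.map((e) => ({ ...e, t: e.t + nextDelay() })).sort((a, b) => a.t - b.t);
}

const uniformDelay = () => Math.random() * 50; // 0-50 ms, as Per describes
const THRESHOLD_MS = 10;                       // hypothetical acceptance threshold

// Constructed phrase and baseline timings for one hypothetical user.
const PHRASE = ['p', 'a', 's', 's', 'w', 'o', 'r', 'd'];
const BASE_DWELL = [90, 85, 100, 95, 80, 90, 95, 100];
const BASE_FLIGHT = [150, 170, 160, 140, 180, 155, 165];
const shift = (arr, d) => arr.map((x) => x + d);

// Returns the three scores; `nextDelay` is injectable so the run is reproducible.
function runDemo(nextDelay = uniformDelay) {
  const enrol = [0, 3, -3].map((d) =>
    extractFeatures(typingEvents(PHRASE, shift(BASE_DWELL, d), shift(BASE_FLIGHT, d))));
  const profile = buildProfile(enrol);
  const genuineEvents = typingEvents(PHRASE, shift(BASE_DWELL, 2), shift(BASE_FLIGHT, -2));
  const impostorEvents = typingEvents(PHRASE, shift(BASE_DWELL, -40), shift(BASE_FLIGHT, 90));
  return {
    genuine: distance(profile, extractFeatures(genuineEvents)),
    impostor: distance(profile, extractFeatures(impostorEvents)),
    jittered: distance(profile, extractFeatures(jitterEvents(genuineEvents, nextDelay))),
  };
}

const demo = runDemo();
for (const [name, score] of Object.entries(demo)) {
  console.log(`${name.padEnd(9)} ${score.toFixed(1)} ms -> ${score <= THRESHOLD_MS ? 'accepted' : 'rejected'}`);
}
```

Run with `node`. The genuine sample scores 2.0 ms and is accepted, the impostor scores about 63 ms and is rejected, and the genuine user with random per-event delays scores in the region of 15 to 35 ms and is also rejected: the same jitter that stops a site from recognising you also stops a bank from using your typing as a fraud signal, which is the trade-off Per raises below.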

Transcript
Cindy Ng: Let's talk a bit about biometrics, because that's really interesting. Keystroke dynamics refers to your typing gait: how often you pause, how fast you type. With just a few characters, if you type seven to nine characters, you can build a profile of a person. I'm wondering if you can talk a little bit about whether you're able to tell someone's gender, and are you also taking into account their location? How can you tell whether or not they're typing with one or two hands, their gender, their age? These are soft metrics, but really important and...

Per Thorsheim: Keystroke dynamics... There have been researchers looking into this for many, many years already. But still, it's really an evolving piece of science. But it is also being used today in real-life scenarios with banks. I know that there is at least one online training company in the U.S. who is already using keystroke dynamics to verify if the correct person is actually doing the online exam, as an example. What they do is they measure how you type on your keyboard, and they measure the time between every single keystroke when you're writing in a password or a given sentence. They also look at how long you keep each button depressed, and a few other parameters.

Now, this sounds weird, I know. But I learned from researchers in France, who have been collecting this kind of data from a lot of men and women, and talk about men and women being different in many different areas. But I had never guessed, I would never have believed until they told me, that men and women in general type differently on a keyboard, using normal, standard ten-finger touch typing. They said that as soon as you have entered seven, eight, nine characters on a keyboard, they can with a pretty good probability tell you if it is a man or a woman typing on the keyboard. That is again assuming normal ten-finger touch typing on a keyboard.

Cindy Ng: What is the accuracy rate of the gender identification?

Per Thorsheim: The accuracy that they talked about is that with seven, eight, nine keystrokes, they would have a certainty on this in the area of 70% or more. So, of course, it's not that good, but it's improving. And the more you type, if you go up to 10, 12, 15 characters, they would have even more data to figure out whether you're male or female. But that's just figuring out male or female. It doesn't identify you as a unique human being on planet earth, because in that setting this technology is nowhere near good enough. There are lots of people in the world that would actually type just like you on a keyboard.

Cindy Ng: What's the probability of you typing in the same way as other people in our population?

Per Thorsheim: If you have an iPhone and you're using Touch ID with your iPhone, or maybe an iPad today, the fingerprint reader that is being used by Apple today, they usually say that those devices have what we call a false acceptance rate or false rejection rate of 1 in 50,000. Meaning that 1 in 50,000 attempts where you try to identify to your own phone will fail, even if you're using the correct finger. The other way around, 1 in 50,000 people: it means that one person among 50,001 will have a fingerprint that will be accepted as you. But it's not you getting in.

So false acceptance rate, 1 in 50,000. With keystroke dynamics, the last figure I heard was 1 in 100. So they're saying that if you're in a room with 200 people, there will be 1, maybe even 2 people in there that would be able to type on the keyboard almost the same way as you do. Then they would be identified as being Cindy, but it's not. It's them typing on a keyboard.

Cindy Ng: What's the potential abuse when we're using keystroke dynamics?

Per Thorsheim: The frustration is from the privacy perspective of this. A very simple example that I have been using, which is maybe chauvinistic as well, being male, is: say that you go to an online store and you want to purchase a vacuum cleaner, and you have never been there before. You don't have an account, nothing. In the search field, you type in "vacuum cleaner". Based on that and nothing else, you have already given them so many keystrokes that they can identify whether you are male or female.

So if you are male, or when they assume you are male based on how you type, they will give you the 3000 watt, black, shiny, Porsche-model vacuum cleaner, which is big and makes a lot of noise and can run by itself. If they identify you as being female, maybe they think that you prefer the low-noise, nicely colored, red vacuum cleaner that doesn't take up a lot of space when it's not being used. That's a very simple example.

But from a privacy perspective, this can be used for tracking you across multiple resources. They can identify you as a returning customer. They can also use it to check if you are, say, allowing your kids or your husband or your girlfriend to log in to your accounts. They can use that for fraud detection, to say that this is the wrong person logging in. That can be a good feature to have. It can also be abused in ways that will affect your privacy or your right to privacy.

Cindy Ng: All the different types of authentication: passwords, hardware, biometrics. It all culminates in behavioral profiling, which is a hallmark worry for many. You and another security expert, Paul Moore, created Keyboard Privacy. It's supposed to disrupt your keystroke tracking gait from 82% to 3%. I read this in an article. Can you tell us a little bit more about Keyboard Privacy?

Per Thorsheim: We learned about this keystroke dynamics being used with several banks here in Norway, where I live. We learned about this because we received information from people who asked us, "Did you actually know the banks are using keystroke dynamics?" We said, "No." We didn't know that. But we figured out that it is being used. We looked at the source code of the web pages where we log in, and we saw that they're actually using keystroke dynamics. They are using keystroke dynamics as a sort of fraud prevention. They want to make sure that the correct person is logging into their own account and not somebody else. That's a good purpose.

What we reacted to was the fact that they didn't tell us that they had suddenly started to build these biometric profiles, the keystroke dynamics profile of every single user who is using online banking here in Norway. A couple of banks in the UK are doing this as well. So we had an evening, me and Paul, and we were talking to each other, like privacy counsels, blah blah blah, security usability, blah blah blah. But then we just wanted to say, just for the fun of it: how can we break this? How can we prevent them from being able to recognize if it is me or Paul or anybody else logging into my accounts?

Say we would like to do that, prevent app tracking from being able to identify us as being male or female. So we looked at the code and we realized, well, they are looking at a very low number of parameters, two, three, four different parameters. One of them being the amount of time between each key press, and another being how long you keep each key depressed on your keyboard. The plug-in that Paul created, based on my idea, is a plug-in for Google Chrome that will take all your keystrokes from your keyboard, and before they enter any form on the page you're visiting, we will put in a random time delay between each keystroke, and that random time delay will be anything from zero milliseconds to 50 milliseconds.

To the human eye, even if you type really fast, that delay is so small that you won't be able to notice it on screen. But for anyone using keystroke dynamics, this will completely destroy their capability of building a profile of how you type, and it will also destroy their ability to detect whether it is you or anyone else logging into a specific account.

Cindy Ng: There is a warning before you install it. It says it can read and change all your data on websites you visit. I was wondering if you can expand on that warning. Do you store the data that you're changing?

Per Thorsheim: For those who are interested in programming and can read code, you can read the code for this plug-in, and it's pretty simple and short code. The only thing we do is to insert this random time delay between different websites. We also have an option to turn it off for specific websites. If you use that option, of course, that information will be stored locally on your computer. Say that for bank X or website Y, we have stored information on your computer saying that the plug-in shouldn't be used for this website. You want to be yourself, so to speak.

The thing with these plug-ins is that since the plug-in is receiving whatever you type on your keyboard and does something to that data before putting it into a website, it wouldn't be fully possible for us, just like anybody else developing plug-ins, to record everything you type on your keyboard and, as an example, send it off to us or to your favorite three-letter agency in the world.

Cindy Ng: Your password conference, that's really interesting. It's the one and only conference on passwords. Tell us a little bit more about that.

Per Thorsheim: I'm the founder of and running PasswordsCon, which is the world's first and, as far as I know, only conference in the world which is only about passwords and digital authentication. It's a conference that I started in 2010, with support from the University of Bergen in Norway, where I live. So it's two and a half days with geeky people from all over the world, academics and security professionals and password hackers if you like, that are discussing how to break passwords, how to secure them, how to transmit them, how to store them, how not to store them of course, all kinds of science and real-world experience in handling passwords from every imaginable perspective.

I can tell you this, I know. You don't have to say this. I know that it sounds very nerdy, and a lot of people do ask me, why this insane interest in passwords? But I can also tell you that I think almost everyone that has ever participated for the first time at this conference, when I ask them afterward the obvious question, "What did you think of the conference?", almost everyone has responded by saying, "Wow! I had never thought that a topic like passwords, which I consider to be such an insignificant and very small part of my everyday life and security, can actually be expounded into so many topics like statistics, cryptography, linguistics, math, psychology, colors, adherence, sounds, and everything."

So people have been really, really fascinated when they have participated in this conference. Also, lots of people have gained new ideas from research, and also for taking back to their own organizations to implement.

Cindy Ng: I think what people are saying now is that security and technology are becoming so seamless. That it's kind of almost like a utility, where you just plug and play, which has its own problems, as with the Mirai botnet attack.

Per Thorsheim: Yeah.

Cindy Ng: With the default password problems. So I would equate passwords with electricity, a hugely important utility for people to understand, to synthesize, to work together, to figure it out. We often tend to innovate and create as fast as possible without security and privacy from the start. So it's a great thing for everyone. So I applaud you for doing that.

Per Thorsheim: Yeah. Thank you. I am concerned about the internet of things, as we say, and the Mirai botnet really showed us. It really gave us not one but several lessons on the security, or insecurity, of the internet of things and all kinds of connected devices. It's interesting to see that the major attack vector was that there were security cameras, DVRs, all kinds of equipment that was connected to the internet, and they were running with default usernames and passwords and they were available online. So just by doing an internet-wide scan, you will find hundreds of thousands of such devices that are connected and you can easily break into and use for illegal purposes. Which we saw with the Mirai botnet.

Cindy Ng: Oftentimes people set the password as a default, thinking that the user will go back and change it. But that's not the case. It's also a good segue to hear from a password expert, a security adviser. What are your password secrets, that you can...?

Per Thorsheim: I will draw a line between whether you are tech savvy and using computers, or if you're like my own mother, who doesn't take an interest at all. I have to draw a line there. First of all, if you're like my own mother and you're not really interested in learning how to use computers and most technology, you're just one of those who just want it to work. The best advice I can give you is to write down your passwords on a piece of paper or in a small notebook and keep it in your kitchen drawer or somewhere at home where it is reasonably safe. In that, you will put down the passwords or the passphrases that you use for different sites and services on the internet.

Most of those passwords, you don't have to remember them. You don't need to use them every day. An important part is that... and I'm sorry to say this, but you have to try to use unique passwords for the different services that you're using online. Because we know that bad guys, as soon as they're able to get access to your password from one site or one service, they will try very quickly to use the same username and password across other services to gain access to more accounts, more money, more information, more data that they can use and abuse about you, sell to spammers and the like online. So write them down and use unique passwords. That's my advice for my mother.

If you're tech savvy, if you have used and are using computers, I highly recommend using a piece of software called a password manager. There are many out there; some of them are not as good, either from a security or a usability perspective. But there are some that are really good for both. Some of them are even free, and I highly recommend using them. They will generate passwords for you. They will remember them for you. They will automatically input them into the username and password fields and help you log in. And the only password you really have to remember is the master password for your password manager. That's the one password you can never forget.

Cindy Ng: What if your password manager has a breach? Do you have another layer of security just in case that happens?

Per Thorsheim: There are different password managers for that. Some of them will store your data in a cloud service, like LastPass. While other password managers, like 1Password, will only store your data locally. So the only way it can be breached would be if somebody got access to your physical computer or phone. If that happens, you have a more serious problem than just a password manager and the accounts stored in there.

The cloud services, and the password managers that use cloud services, are also encrypting all your data locally. Then the encrypted data is transferred to the cloud service. So if the cloud service and the password manager service are compromised, the attackers will only get access to encrypted data, and they don't have access to the keys stored on your computer or on your phone to be able to unlock that data. So those are actually very safe to use.

Cindy Ng: It sounds like the hidden message, too, is doing a risk analysis on yourself. Guide us…

Per Thorsheim: Yeah.

Cindy Ng: What are your recommendations for that?

Per Thorsheim: The risk analysis is, from an incredibly simple perspective, I'm asking people to write down all this stuff: who do you think your enemies are? And in most cases the National Security Agency of the U.S. or the FSB and D of Russia, they're not your enemies. They have no interest in your life or your data whatsoever, if you're just a normal citizen, just like most of us are. If you're a five-star general in the army, or if you're working in the intelligence service of some country or something, then obviously other nation states have an interest in getting access to your data and whatever you do and find out, and then the risk perspective is very different. But in most cases, the biggest risk for you as a normal citizen in most countries will be yourself losing your passwords, or random computer viruses that are not targeted at you getting access to your Facebook account or your bank account and stealing your money.

So the risk analysis is simple. Make the list of who your enemies are, and also try to look, for each of these different enemies that you might have, at what the possibility is of them actually being able to get access to your data, your usernames, and passwords. If you have them on paper at home, they would have to come to wherever you live and break into your house. The probability of that happening is close to none. Nobody would be interested in going to Norway and breaking into my apartment, as an example.

Cindy Ng: Who or what would be the enemy of an organization or business?

Per Thorsheim: First of all I would say competitors, of course. Competitors could be interested in trying to gain access to sensitive information that you have about new and upcoming products currently being researched and developed in your company. You also have to think about the opportunistic hacker, who just wants to make money in some way or another. It could be by giving you a CryptoLocker or a virus that will encrypt the data files that you have on your computer. They don't care about what kind of data gets encrypted, and then the bad guys will say, "Hey. This is ransomware," as we call it. "So you have to pay us a certain amount of money for us to give you the password needed to be able to decrypt your files again."

That's a very realistic threat to organizations and companies today that you need to look into as well. So competitors, and random bad guys just trying to make some quick money. Those are, I would say, the most important threats to an organization today.

Cindy Ng: Thank you so much, Per.

State of Cybercrime, by Varonis, Matt Radolec, David Gibson