Is it possible to improve brute-force guessing of a password with a picture of the keyboard used to enter it?

In some cases yes, you can guess the most frequently used keys by the wear marks. That's how I know that apparently I use the L, M, N, A and E keys a lot - the keys are now just black, the letter is faded.

And one special key being significantly more used than the others - unless it's "{", "}" or ";" and you happen to be a programmer - could allow to include that in a bruteforcing, or exclude others (this is definitely NOT my keyboard, but still):

dirty keyboard - not mine!

But most people don't use the keyboard for just their passwords, and the wear pattern is also influenced by the stroke direction, angle and pressure - keys farther down the keyboard will be pressed differently from those nearer. The keys I wear faster appear to be exactly under the hand that controls them, and now that I noticed, I hit them harder than the rest (OK, also I'm a horrible typist).

The keyboard might hint (weakly, at that) at what the most frequent typed word, or anagrams thereof, might be. But that's not the same as your password except in very specific cases (e.g. an entry keypad).

In even more specific cases such as heat-conducting entry keypad, FIR or strong UV picture taken immediately after typing so that residual heat or fluorescence or phase interference from skin oils may be appreciated, you might be able to get something. But an ordinary picture conveys no such information.

So my opinion would be that keyboard pictures are mostly harmless.

On the other hand, I sometimes see Post-It with letters and numbers on them attached to monitors and on woodboards behind selfied people, so I'd also say that it's always a very good idea to review the photos (as well as whatever else) you post to the social media, looking at the goods with an attacker's eye:

  • inside view of (broken/defective/jimmied?) locks and/or brand names useful to research approaches
  • hints about location (this might be relevant to determine whether you're holidaying abroad, and estimate how long your home will be vacant)
  • valuable items (might give people ideas either about them, or about your wealth, which also could give people ideas)
  • discrepancies between what's shown and what you told anybody who might get to know, such as employer, insurance company, significant other(s), etc.

At least once, some months after this answer was posted, the last case actually happened.


There are two different scenarios. This would be a valid question if the keyboard is used only for password typing. A numeric keypad on a door, that's something you shouldn’t post on social media. But you can argue this by saying that there are special characters on your keyboard which may be included in your credentials, because normally we don’t use those characters much in day-to-day work. So you better have a look at your keyboard before you post pics on social media :)


Only if the sole purpose of the keyboard is to type one password.

Otherwise, you'll find that more frequently used keys such as vowels, WASD, and modifiers will also have oil stains and signs of wear. It becomes especially more difficult if the password is a passphrase containing natural language.

Tags:

Dictionary

Passwords

Brute Force

Physical

Social Engineering

Related

How to specifiy -CAPath using OpenSSL in windows to perform TLS handshake Why are generated access tokens for APIs much longer than passwords? How to tell if a webapp transmits my password in cleartext? Is it acceptable practice to only increment a number when changing a password? Ways to protect phone from hacking through a wifi network when travelling Can we trust the information displayed by the linux utility commands for a vulnerable machine? Discouraging users from copying images off a website? How to store the access token / password reset token in the database? Does correcting misspelled usernames create a security risk? If I accept a certificate in order to use my company’s Wi-Fi, am I vulnerable to MITM attacks? Is XSS possible when < is not escaped, but also removed if followed by a character? Is it okay for our IT support contractor to remote in without authorization?

Recent Posts