It is common for computer systems to include an authentication interface, such as a log-on or lock screen, that must be passed successfully before some or all functions of the computer system can be accessed.
This is particularly the case with mobile devices such as smartphones and tablets, which are easily lost or stolen and hold valuable data such as emails and address books (and, in the case of current smartphones, far more). A lock or log-on interface is also important for publicly accessible systems such as cashpoints.
One attack known to be used against lock-screen or log-on based security systems is "shoulder surfing": someone standing behind a user looks over their shoulder and observes the password sequence entered on the keyboard or keypad. In the case of smartphones, bank cards and the like, the device is then pickpocketed or otherwise stolen and used in combination with the captured password.
Passwords usually consist of a sequence of alphanumeric characters, and protect a system by refusing access unless a user enters the correct characters in the correct order. Stronger passwords tend to be those that least resemble known words or derivatives of known words (such as random or pseudo-random passwords), since words and their derivatives can be guessed, or generated automatically by a dictionary attack. Another factor determining strength is the password space: the total number of character combinations an attacker would have to try. Password space is a function of password length and of the number of allowable characters (upper case, lower case, numerals, and so on).
Generally, the longer the password, the less likely it is to be guessed or recovered by brute-force computation. However, the longer the password, the more likely a user is to write it down, to be unhappy about using the system, or to look for ways of circumventing it.
Password systems typically work by computing a password hash from the password using a standard cryptographic hash function, such as the 256-bit Secure Hash Algorithm (SHA-256).
The input to the hash function is typically the sequence of character codes (for example the ASCII values) of the selected characters. Once the codes are hashed, the resultant hash value can be used to protect the system, for example by forming part of an encryption key.
Good password systems ensure that hashes cannot be generated too rapidly, in order to maximise the time an automated password attack will require on average. A bare SHA-256, which is designed to be fast, does not achieve this on its own; the hash is normally salted and iterated, or replaced by a deliberately slow key derivation function, so that each guess costs the attacker as much work as it costs the legitimate system.
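The following Python example, added here and not part of the original text, puts numbers on the two points above: the password space for a given length and alphabet, and the difference between hashing a password with plain SHA-256 and with a salted, iterated key derivation function (PBKDF2-HMAC-SHA256 from the standard library is used as the slow function; the sample passwords, salts and word list are constructed for the example).

```python
import hashlib
import os
import time
from typing import Callable, Iterable, Optional

# All sample passwords, salts and word lists in this file are constructed for the example.


def password_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters drawn from an
    alphabet of `alphabet_size` symbols (10 for digits, 62 for [A-Za-z0-9], ...)."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker testing `guesses_per_second` candidates
    to try every password in the space."""
    return password_space(length, alphabet_size) / guesses_per_second


def fast_hash(password: str) -> str:
    """Plain SHA-256 over the password's character codes (its UTF-8 bytes).
    Unsalted and fast: equal passwords give equal hashes, and an attacker can
    test a very large number of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt and a high iteration count.
    Each guess now costs `iterations` SHA-256 computations instead of one, and
    the salt defeats precomputed tables.  The 32-byte output can be used
    directly as an encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def dictionary_attack(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recover the password behind an unsalted fast hash by hashing each word in
    the list and comparing.  Returns the matching word, or None if no word matches."""
    for word in wordlist:
        if fast_hash(word) == target_hex:
            return word
    return None


def measure_guess_rate(hash_fn: Callable[[str], object], seconds: float = 0.2) -> float:
    """Approximate guesses per second that `hash_fn` allows on this machine."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Keyspace: a 4-digit PIN versus an 8-character mixed-case alphanumeric password.
    print("4-digit PIN space:", password_space(4, 10))
    print("8-char [A-Za-z0-9] space:", password_space(8, 62))

    # A fast, unsalted hash falls to a small word list.
    stored = fast_hash("password1")
    print("Dictionary attack recovered:", dictionary_attack(stored, ["letmein", "password1", "qwerty"]))

    # Slow the attacker down with salted PBKDF2.
    salt = os.urandom(16)
    print("PBKDF2 key (hex):", slow_hash("password1", salt).hex())

    fast_rate = measure_guess_rate(fast_hash)
    slow_rate = measure_guess_rate(lambda p: slow_hash(p, salt, iterations=20_000))
    print(f"SHA-256 guesses/s: {fast_rate:,.0f}; PBKDF2(20k iterations) guesses/s: {slow_rate:,.0f}")
    print("Seconds to exhaust all 4-digit PINs at each rate:",
          seconds_to_exhaust(4, 10, fast_rate), seconds_to_exhaust(4, 10, slow_rate))
```

The measured rates depend on the machine, but the ratio between them is roughly the iteration count: that ratio is the factor by which a slow hash multiplies the attacker's average work, which is the property the text asks of a good password system.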
The alpha-numeric nature of passwords stems from the availability of input devices. As will be appreciated, almost all computing devices have keyboards of some description. Therefore, password systems exploit this common feature and expect passwords to be selected that can be entered by the keyboard.
Touchscreen based interfaces are now the standard in most smartphones and tablet devices. They are also attractive for other publicly accessible systems in place of keyboard or keypad based user interfaces. Touchscreen interfaces are flexible, as different interfaces can be displayed on the touchscreen as needed; they can be made more weather resistant than a keyboard or keypad; and, having no moving parts, they do not suffer from the mechanical wear and tear that can be a problem in a heavily used system.
However, touchscreen based interfaces present different challenges from those of keyboards or keypads, particularly from a security perspective.
With regard to password protection systems, regular password schemes can be enforced on touchscreen devices, since such devices can emulate a physical keyboard by displaying a virtual keyboard on screen. Non-character based password systems have also been considered for touchscreen devices. For example, the Google Android® smartphone operating system allows a user to set a password based on a pattern that the user must draw on the device's touch screen in order to unlock the device.
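The password-space idea from earlier applies to pattern locks too. The Python example below, added here rather than taken from the original text or from Android itself, counts the distinct patterns on a 3x3 grid under the rules assumed here for the Android lock: a pattern visits 4 to 9 distinct nodes, and a straight stroke may only pass over a node that has already been visited (otherwise the stroke visits that node first).

```python
from typing import Dict, Set, Tuple

# The 3x3 grid is numbered 1-9, row by row:
#   1 2 3
#   4 5 6
#   7 8 9
# SKIP[(a, b)] is the node lying directly between a and b on a straight line.
# A stroke from a to b may only pass over that node if it is already visited;
# this is the Android rule assumed for the example.
SKIP: Dict[Tuple[int, int], int] = {}
for a, b, mid in [(1, 3, 2), (4, 6, 5), (7, 9, 8),   # rows
                  (1, 7, 4), (2, 8, 5), (3, 9, 6),   # columns
                  (1, 9, 5), (3, 7, 5)]:             # diagonals
    SKIP[(a, b)] = SKIP[(b, a)] = mid


def count_patterns(min_len: int = 4, max_len: int = 9) -> int:
    """Count the distinct unlock patterns with between min_len and max_len
    nodes under the rules above (Android accepts 4 to 9 nodes)."""

    def extend(current: int, visited: Set[int], depth: int) -> int:
        # Count the current path itself if it is already long enough,
        # then try every legal next node.
        total = 1 if depth >= min_len else 0
        if depth == max_len:
            return total
        for nxt in range(1, 10):
            if nxt in visited:
                continue
            mid = SKIP.get((current, nxt))
            if mid is not None and mid not in visited:
                continue  # would jump over an unvisited node
            visited.add(nxt)
            total += extend(nxt, visited, depth + 1)
            visited.remove(nxt)
        return total

    return sum(extend(start, {start}, 1) for start in range(1, 10))


if __name__ == "__main__":
    print("4-node patterns:", count_patterns(4, 4))
    print("All 4- to 9-node patterns:", count_patterns())
    print("For comparison, 4-digit PINs:", 10 ** 4, "and 6-digit PINs:", 10 ** 6)
```

The full pattern space (389,112) is larger than a 4-digit PIN (10,000) but well below a 6-digit PIN (1,000,000), and the shortest permitted patterns (1,624 with four nodes) offer less than a 4-digit PIN; the space also shrinks further if, as the text goes on to describe, the pattern can be partly read off the screen.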
One particular issue with either type of password system on a touch screen is that the screen's semi-reflective nature is very effective in highlighting the oils and other dirt left by the touch of a user. This means that frequently used keys or key patterns are highlighted.
As a result, the keys or pattern a user selects can leave an on-screen highlight of oils or marks from the user's fingers. Some users clean such grease marks from their devices; others do not. Furthermore, on devices fitted with screen protectors, repeated entry of a pattern or key sequence can permanently mark the protector whether or not it is cleaned. Over time, therefore, repeated entry of a password or drawing of a password pattern on the touch screen builds up marks that a thief can use to guess the password or pattern, significantly reducing the security the password or pattern provides.
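To make the reduction in security concrete, the following Python example (added here, not part of the original text) enumerates the PINs consistent with a constructed smudge pattern on a numeric keypad. It assumes that every marked key was pressed at least once and that a key pressed more than once leaves a single mark, so repeated digits remain possible.

```python
from itertools import product
from typing import Iterable, List

# The smudge scenarios below are constructed for this example.


def pin_candidates(smudged_keys: Iterable[str], length: int) -> List[str]:
    """All PINs of `length` digits consistent with marks on exactly the keys in
    `smudged_keys`.  Every marked key must appear at least once; repeats are
    allowed because a key pressed twice leaves one mark.  If more keys are
    marked than the PIN has digits, no PIN fits and the list is empty (the
    extra marks must come from other use of the keypad)."""
    keys = sorted(set(smudged_keys))
    key_set = set(keys)
    return ["".join(seq) for seq in product(keys, repeat=length) if set(seq) == key_set]


def reduction_factor(smudged_keys: Iterable[str], length: int, alphabet_size: int = 10) -> float:
    """How many times smaller the attacker's search is than the full password
    space of alphabet_size ** length, given the smudge information."""
    return alphabet_size ** length / len(pin_candidates(smudged_keys, length))


if __name__ == "__main__":
    # Marks visible on the 1, 2, 5 and 8 keys of a 4-digit PIN pad.
    cands = pin_candidates("1258", 4)
    print(len(cands), "candidates, e.g.", cands[:5])
    print("search reduced by a factor of", reduction_factor("1258", 4))
    # Only three keys marked: one digit of the PIN was used twice.
    print(len(pin_candidates("125", 4)), "candidates when three keys are marked")
```

Four distinct marks cut a 4-digit PIN from 10,000 possibilities to 24 orderings, a reduction by a factor of over 400; a drawn pattern is worse still, since the smudge records the whole path and, when the strokes form a simple path, leaves only the direction of traversal to guess.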