
Password entry without keystroke timing


Posted Mar 13, 2026 15:37 UTC (Fri) by epa (subscriber, #39769)
Parent article: More timing side-channels for the page cache

For the text console, a program accepting a password can put the terminal into cooked mode and then receive the whole password string only once the user presses Enter. It wouldn't be woken up for each keystroke so, unless you can somehow snoop on the kernel-space tty code, an attacker couldn't observe the timing of keypresses. But there is no obvious equivalent of this for graphical environments.



Password entry without keystroke timing

Posted Mar 13, 2026 15:38 UTC (Fri) by epa (subscriber, #39769)

...actually I am not sure you can have cooked mode without also echoing each keystroke?
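In termios, canonical ("cooked") line buffering and echo are separate `c_lflag` bits, `ICANON` and `ECHO`, so a reader can keep the first and clear the second. The following is an added example, not code from the thread or the article; `password_lflag` and `read_secret` are hypothetical names chosen here.

```c
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* ICANON and ECHO are independent c_lflag bits. Keep ICANON so the line
 * discipline holds the input until Enter, clear ECHO so nothing typed is
 * displayed, set ECHONL so the final newline still appears. */
tcflag_t password_lflag(tcflag_t lflag)
{
    lflag |= ICANON | ECHONL;
    lflag &= ~(tcflag_t)ECHO;
    return lflag;
}

/* Read one line from tty fd with a single blocking read(); the process is
 * woken once, when the line is complete. Returns the length without the
 * newline, or -1 if fd is not a terminal or the read fails. */
ssize_t read_secret(int fd, char *buf, size_t cap)
{
    struct termios saved, t;
    ssize_t n;

    if (cap < 2 || tcgetattr(fd, &saved) != 0)
        return -1;
    t = saved;
    t.c_lflag = password_lflag(t.c_lflag);
    if (tcsetattr(fd, TCSAFLUSH, &t) != 0)
        return -1;
    n = read(fd, buf, cap - 1);
    tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore the old mode */
    if (n < 0)
        return -1;
    if (n > 0 && buf[n - 1] == '\n')
        n--;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char pw[128];
    ssize_t n;

    fputs("Password: ", stderr);
    n = read_secret(STDIN_FILENO, pw, sizeof pw);
    if (n < 0) { perror("read_secret"); return 1; }
    fprintf(stderr, "got %zd bytes from one read()\n", n);
    return 0;
}
```

Running it under `strace -e trace=read` on a terminal shows a single `read()` returning the whole line, however slowly the characters are typed.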

Password entry without keystroke timing

Posted Mar 13, 2026 16:38 UTC (Fri) by runekock (subscriber, #50229)

The linked paper actually says that they are not able to reconstruct passwords: "reconstructing passwords, passphrases, and pseudorandom strings presents a very different and more difficult problem that will require new detection and reconstruction techniques".

Password entry without keystroke timing

Posted Mar 13, 2026 17:16 UTC (Fri) by daroc (editor, #160859)

... shoot. I focused on the evaluation criteria and missed that detail. Well, that's a bit heartening, although it probably only applies to non-"correct horse battery staple" kinds of passwords. I'll edit in a correction.

