What is password hardening?

Keystroke dynamics is a behavioral biometric capable of determining user identity. More specifically, keystroke dynamics is the automated
method of identifying or confirming the identity of an individual based on typing rhythms.

Password hardening is an applied form of keystroke dynamics that uses typing patterns to protect your password even when the password is
known to an imposter. Password hardening can be applied on any computer that has a keyboard and does not require any additional hardware.

How does password hardening work?

For password hardening to work, a few samples of the reference user typing the password are collected. From these samples, features such
as digraphs are extracted from the raw timing data. Digraphs are the elapsed time between two consecutive key-presses. For example, the
word “the” has two digraphs which are “t+h” and “h+e”. Say the “t” key was pressed at time = 0 milliseconds, the “h” key was pressed at
time = 180 milliseconds, and the “e” key was pressed at time = 380 milliseconds. The “t+h” digraph has a duration of 180 milliseconds
and the “h+e” digraph has a duration of 200 milliseconds. The digraph features are extracted from the referene user keystrokes and stored
in a template profile.

When a user at a keyboard (not necessarily the authorized user) tries to input the password, digraphs are extracted from the keystrokes.
These digraphs are compared to the digraphs from the owner’s profile and the “distance” score is computed by quantifying the dissimilarity
of the digraph data. One of the simplest ways to compute a distance score is to find the difference between the typed digraphs and the average
of the profile. A score is computed for each digraph and these scores are added together. If the score is above a specified threshold the user
will be rejected because their typing patterns did not match the template. This threshold can be higher or lower depending on the application.
A low threshold reduces the likelihood an imposter will get in, but it also will increase the chances that the authorized user will be falsely
rejected. With a higher threshold, the chance of a false rejection is reduced, but the chance of an imposter gaining access is increased. Sometimes,
the most challenging aspect is finding the right threshold!

Give it a try!

The password to this system is “password” and I am the authorized user. The system is trained with my typing pattern. For each attempt to
enter the password, a distance score is calculated. The lower the score, the closer the typing dynamics are to my typing patterns.

In the demo below, if the distance score is greater than 7, the attempt is rejected; when I type “password”, the distance score is usually
less than 5.

Can you beat the system?

Enter “password” in the password field below.



Your distance score:

Knowledge Inventory (True or False)

  1. Keystroke dynamics are a behavioral biometric.
  2. The word “security” has 8 digraphs.
  3. Typing a password faster always results in a lower distance score.
  4. Password hardening requires a special keyboard.
  5. In the demo above, a higher distance score means you are closer to gaining access.
  1. True. Your typing behavior is used to verify your identity.
  2. False. The work “security” has 7 digraphs: “s+e”, “e+c”, “c+u”, “u+r”, “r+i”, “i+t”, “t+y”.
  3. False. The distance score is lower if the typing matches the speed of the template user.
  4. False. Password hardening will work with existing hardware.
  5. False. A higher score indicated that you are less similar to the authroized user.






Learn more about our research. }