Shoulder Surfing Blues

Block Shoulder Surfing From Snooping Eyes

hacks Jan 5, 2022

💡
Shoulder Surfing: noun - the use of direct observation, such as looking over someone's shoulder at an ATM, in order to obtain information

The Dilemma

You are sitting at your computer and someone asks you to check a website or log into an application. You open the login screen and expect the person to look away... they don't. At this point you are faced with two options:

  1. Enter in your login credentials in plain view.
  2. Politely ask said person(s) to look away.

What should we do in this situation?

Who Cares?

Option one is, and should be, out of the question. It goes without saying that entering your credentials in plain view is not a good idea and you should never do this. Additionally, on the few occasions I have done this, I always felt uncomfortable and mistyped my password. That meant I had to type it in again, which gave the person yet another chance to steal my credentials.

Polite But Firm

Option two is, security-wise, by far the best option, and there is nothing wrong with asking someone to look away. Be polite and remain firm. When the person is not looking, enter your credentials. Common sense, right? However, how do you know that the person is still looking away if you are focused on entering your password? This is not a problem for me as I am a touch typist: it is easy for me to keep my eyes up while using the keyboard. While that is good for me, it is unfortunately not the case for many people.

Good news, there is a third option. It is a hybrid of the two options mentioned above.

Password Entry Obfuscation

This technique involves simple obfuscation while typing your password. It is not 100% bulletproof but adds an additional layer of security. I would only use this technique if the person in question was someone I know, for example a colleague or acquaintance. In other words, someone who is not a complete stranger. The scenario could play out this way:

The person is standing over your shoulder and can see your fingers and keyboard in clear view. You enter your user name and tab over to the password field. You begin typing a very long passphrase which is not your password, for example a line from a poem, a song lyric, a book title or even random gibberish. At some point you press the key combination:

CTRL+Backspace

In most Linux desktop toolkits (GTK, Qt) and in browsers this means "delete the previous word", so a decoy passphrase containing spaces may need several presses; some password fields treat the whole masked string as a single word and clear it in one go, but do not rely on that. The same shortcut works in Windows edit controls; on macOS use Option+Delete (previous word) or Cmd+Delete (to the start of the line). A more dependable reset on every platform is Ctrl+A (Cmd+A on macOS) followed by Backspace, which selects and clears the field whatever is in it. Please leave a comment if the combination is different on your setup. If you are at a terminal prompt that asks for a password (sudo, ssh, passwd), follow the same procedure, except use:

CTRL+u

This is not a bash feature but the terminal's kill character: with echo turned off, the tty line discipline discards the entire buffered line when it sees it, which is why it also works for sudo, ssh and passwd prompts that never touch readline. You can confirm the character for your terminal with `stty -a`, which lists it as `kill = ^U` (and `werase = ^W` for deleting just the previous word). Afterwards, you can begin typing your actual password and submit your credentials. Ideally the process is repeated a few times with different decoys before entering your real password.

noneofyourbusiness

You might be thinking:

"Yeah, that's great and all, but the person can still see that you deleted the password from the password field".

This is true. However, if the goal is to steal your password, your adversary is going to be focused on your fingers and not the screen, and the screen only ever shows a row of masking dots that shrinks and grows again.

"Okay, but what if your adversary uses a camera?"

This technique can also be used to confuse someone shoulder surfing with a camera. It is not foolproof: an adversary who records the session and notices the control keystrokes can replay exactly what the terminal or field kept, and with enough observation can still extract your real password. However, it just might buy you enough time to reset your password if you feel it has been compromised. As I mentioned, this should not be the only method you use. "Security through obscurity" as your only defense mechanism is not advisable.
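To make the procedure above and its limitation concrete, here is an added example (not code from the original post) that emulates the part of a POSIX tty in canonical mode that matters here, with echo off as at a sudo, ssh or passwd prompt: ^U kills the whole line, ^W erases the previous word, Backspace/DEL erases one character, and Enter ends the line. The control-character values are the defaults `stty -a` reports; the decoy lines and the password "correct horse" are constructed sample input. It shows what the prompt actually receives, what an observer who only watches your fingers on the letter keys writes down, and that an observer who also noted the ^U presses recovers the real password simply by replaying the same rules.

```python
"""Simulate decoy-then-kill password entry against two kinds of shoulder surfer.

Added example, not from the original post. Emulates only the line-editing
behaviour of a canonical-mode tty with echo off, using the default control
characters listed by `stty -a`.
"""

KILL = "\x15"       # ^U  (stty: kill)   discard the whole buffered line
WERASE = "\x17"     # ^W  (stty: werase) discard the previous word
ERASE = "\x7f"      # DEL (stty: erase)  discard one character (Backspace on most terminals)
BACKSPACE = "\x08"  # ^H  some terminals send this for Backspace instead of DEL
END_OF_LINE = {"\r", "\n"}


def line_discipline(keystrokes: str) -> str:
    """Return the line the prompting program reads, as the tty would assemble it."""
    buf: list[str] = []
    for ch in keystrokes:
        if ch in END_OF_LINE:
            break                       # Enter: the buffered line is delivered as-is
        if ch == KILL:
            buf.clear()                 # ^U wipes everything typed so far
        elif ch == WERASE:
            while buf and buf[-1] == " ":   # ^W: drop trailing blanks, then one word
                buf.pop()
            while buf and buf[-1] != " ":
                buf.pop()
        elif ch in (ERASE, BACKSPACE):
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def decoy_entry(decoys: list[str], real_password: str) -> str:
    """Build the keystroke stream the post describes: type each decoy, ^U it, then the real password and Enter."""
    return "".join(decoy + KILL for decoy in decoys) + real_password + "\r"


def naive_observer(keystrokes: str) -> str:
    """What a watcher who only tracks the printable keys (fingers on letters) writes down."""
    return "".join(ch for ch in keystrokes if ch.isprintable())


def careful_observer(keystrokes: str) -> str:
    """A watcher or camera reviewer who also noted the control keys just replays the tty rules."""
    return line_discipline(keystrokes)


if __name__ == "__main__":
    # Constructed sample session: two decoy lines, then the real (sample) password.
    session = decoy_entry(["Tyger Tyger burning bright", "xkcd 936"], "correct horse")
    print("prompt received :", repr(line_discipline(session)))
    print("naive observer  :", repr(naive_observer(session)))
    print("careful observer:", repr(careful_observer(session)))
```

The naive observer ends up with all the decoys and the real password run together and no idea where the boundaries are, which is the whole benefit. The careful observer gets the password back unchanged, which is the caveat: the trick only costs an adversary who fails to record the control keys, so treat it as a delay, not a defence.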

At the end of the day, you should not be entering many passwords by hand at all. A password manager that autofills credentials gives a shoulder surfer no keystrokes to watch. The only password you should commit to memory is the master password for that manager. For the best password hygiene, use a good password manager like KeePassXC.
