{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:31Z","timestamp":1777806091478,"version":"3.51.4"},"reference-count":35,"publisher":"SAGE Publications","issue":"4","license":[{"start":{"date-parts":[[2019,6,6]],"date-time":"2019-06-06T00:00:00Z","timestamp":1559779200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,7,18]]},"abstract":"<jats:p>This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters (\u2217 or \u2219) that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos ( PILOT ). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work (In European Symposium on Research in Computer Security ( 2018 ) 263\u2013280 Springer). In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.<\/jats:p>","DOI":"10.3233\/jcs-191289","type":"journal-article","created":{"date-parts":[[2019,6,7]],"date-time":"2019-06-07T11:58:03Z","timestamp":1559908683000},"page":"405-425","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":8,"title":["<i>PILOT<\/i>\n                    : Password and PIN information leakage from obfuscated typing videos"],"prefix":"10.1177","volume":"27","author":[{"given":"Kiran","family":"Balagani","sequence":"first","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Matteo","family":"Cardaioli","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"},{"name":"GFT Italy, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Paolo","family":"Gasti","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Martin","family":"Georgiev","sequence":"additional","affiliation":[{"name":"University of California, Irvine, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tristan","family":"Gurtler","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniele","family":"Lain","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Charissa","family":"Miller","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kendall","family":"Molas","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nikita","family":"Samarin","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eugen","family":"Saraci","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gene","family":"Tsudik","sequence":"additional","affiliation":[{"name":"University of California, Irvine, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lynn","family":"Wu","sequence":"additional","affiliation":[{"name":"New York Institute of Technology, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2019,6,6]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"D.\u00a0Asonov and R.\u00a0Agrawal, Keyboard acoustic emanations, in: IEEE Symposium on Security and Privacy, 2004. Proceedings, IEEE, 2004, pp.\u00a03\u201311.","DOI":"10.1109\/SECPRI.2004.1301311"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"K.S.\u00a0Balagani, M.\u00a0Conti, P.\u00a0Gasti, M.\u00a0Georgiev, T.\u00a0Gurtler, D.\u00a0Lain, C.\u00a0Miller, K.\u00a0Molas, N.\u00a0Samarin, E.\u00a0Saraci, et al., Silk-tv: Secret information leakage from keystroke timing videos, in: European Symposium on Research in Computer Security, Springer, 2018, pp.\u00a0263\u2013280. doi:10.1007\/978-3-319-99073-6_13.","DOI":"10.1007\/978-3-319-99073-6_13"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"D.\u00a0Balzarotti, M.\u00a0Cova, G.\u00a0Vigna and Clearshot, Eavesdropping on keyboard input from video, in: 2008 IEEE Symposium on Security and Privacy (sp 2008), IEEE, 2008, pp.\u00a0170\u2013183. doi:10.1109\/SP.2008.28.","DOI":"10.1109\/SP.2008.28"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"R.\u00a0Banerjee, S.\u00a0Feng, J.S.\u00a0Kang and Y.\u00a0Choi, Keystroke patterns as prosody in digital writings: A case study with deceptive reviews and essays, in: Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), 2014, pp.\u00a01469\u20131473. doi:10.3115\/v1\/D14-1155.","DOI":"10.3115\/v1\/D14-1155"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"N.\u00a0Bartlow and B.\u00a0Cukic, Evaluating the reliability of credential hardening through keystroke dynamics, in: 2006 17th International Symposium on Software Reliability Engineering, IEEE, 2006, pp.\u00a0117\u2013126. doi:10.1109\/ISSRE.2006.25.","DOI":"10.1109\/ISSRE.2006.25"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"J.\u00a0Bonneau, S.\u00a0Preibusch and R.\u00a0De Andeson, A birthday present every eleven wallets? The security of customer-chosen banking pins, in: International Conference on Financial Cryptography and Data Security, Springer, 2012, pp.\u00a025\u201340. doi:10.1007\/978-3-642-32946-3_3.","DOI":"10.1007\/978-3-642-32946-3_3"},{"key":"ref007","unstructured":"M.\u00a0Burnett, Today i am releasing 10 million passwords, 2015, https:\/\/xato.net\/today-i-am-releasing-ten-million-passwords-b6278bbe7495."},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"A.\u00a0Compagno, M.\u00a0Conti, D.\u00a0Lain and G.\u00a0Tsudik, Don\u2019t skype & type!: Acoustic eavesdropping in voice-over-ip, in: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ACM, 2017, pp.\u00a0703\u2013715.","DOI":"10.1145\/3052973.3053005"},{"key":"ref009","doi-asserted-by":"publisher","DOI":"10.1016\/S0031-3203(00)00023-6"},{"key":"ref010","unstructured":"S.\u00a0Fiegerman, Yahoo says 500 million accounts stolen, 2017, http:\/\/money.cnn.com\/2016\/09\/22\/technology\/yahoo-data-breach\/index.html."},{"key":"ref011","unstructured":"FINECO: Le carte fineco (2019), https:\/\/help.finecobank.com\/it\/conto-e-carte\/le-carte-fineco.html#nuove-commissioni."},{"key":"ref012","doi-asserted-by":"crossref","unstructured":"D.\u00a0Florencio and C.\u00a0Herley, A large-scale study of web password habits, in: Proceedings of the 16th International Conference on World Wide Web, ACM, 2007, pp.\u00a0657\u2013666. doi:10.1145\/1242572.1242661.","DOI":"10.1145\/1242572.1242661"},{"key":"ref013","unstructured":"B.\u00a0Hitaj, P.\u00a0Gasti, G.\u00a0Ateniese and F.\u00a0Perez-Cruz, Passgan: A deep learning approach for password guessing, 2017, arXiv preprint arXiv:1709.00440."},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"T.K.\u00a0Ho, Random decision forests, in: Proceedings of 3rd International Conference on Document Analysis and Recognition, Vol.\u00a01, IEEE, 1995, pp.\u00a0278\u2013282. doi:10.1109\/ICDAR.1995.598994.","DOI":"10.1109\/ICDAR.1995.598994"},{"key":"ref015","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2017.201"},{"key":"ref016","unstructured":"Linkedin password leak (2016), https:\/\/hashes.org\/leaks.php."},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"J.\u00a0Ma, W.\u00a0Yang, M.\u00a0Luo and N.\u00a0Li, A study of probabilistic password models, in: 2014 IEEE Symposium on Security and Privacy, IEEE, 2014, pp.\u00a0689\u2013704. doi:10.1109\/SP.2014.50.","DOI":"10.1109\/SP.2014.50"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"E.\u00a0Owusu, J.\u00a0Han, S.\u00a0Das, A.\u00a0Perrig and J.\u00a0Zhang, Accessory: Password inference using accelerometers on smartphones, in: Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, ACM, 2012, p.\u00a09.","DOI":"10.1145\/2162081.2162095"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1145\/2184319.2184337"},{"key":"ref020","unstructured":"Rockyou password leak (2010), http:\/\/downloads.skullsecurity.org\/passwords\/rockyou.txt.bz2."},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2014.2348802"},{"key":"ref022","unstructured":"R.J.\u00a0Schalkoff, Artificial Neural Networks, Vol.\u00a01, McGraw-Hill, New York, 1997."},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"D.\u00a0Shukla, R.\u00a0Kumar, A.\u00a0Serwadda and V.V.\u00a0Phoha, Beware, your hands reveal your secrets! in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2014, pp.\u00a0904\u2013917.","DOI":"10.1145\/2660267.2660360"},{"key":"ref024","unstructured":"D.X.\u00a0Song, D.A.\u00a0Wagner and X.\u00a0Tian, Timing analysis of keystrokes and timing attacks on ssh, in: USENIX Security Symposium, Vol.\u00a02001, 2001."},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"J.\u00a0Sun, X.\u00a0Jin, Y.\u00a0Chen, J.\u00a0Zhang, Y.\u00a0Zhang, R.\u00a0Zhang and Visible, Video-assisted keystroke inference from tablet backside motion, in: NDSS, 2016.","DOI":"10.14722\/ndss.2016.23060"},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"F.\u00a0Tari, A.\u00a0Ozok and S.H.\u00a0Holden, A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords, in: Proceedings of the Second Symposium on Usable Privacy and Security, ACM, 2006, pp.\u00a056\u201366. doi:10.1145\/1143120.1143128.","DOI":"10.1145\/1143120.1143128"},{"key":"ref027","unstructured":"The Password Project, 2017, http:\/\/thepasswordproject.com\/leaked_password_lists_and_dictionaries."},{"key":"ref028","unstructured":"C.\u00a0Tomasi and R.\u00a0Manduchi, Bilateral filtering for gray and color images, in: Iccv, Vol.\u00a098, 1998, p.\u00a02."},{"key":"ref029","doi-asserted-by":"crossref","unstructured":"E.\u00a0Vural, J.\u00a0Huang, D.\u00a0Hou and S.\u00a0Schuckers, Shared research dataset to support development of keystroke authentication, in: IEEE International Joint Conference on Biometrics, IEEE, 2014, pp.\u00a01\u20138.","DOI":"10.1109\/BTAS.2014.6996259"},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"C.\u00a0Wang, X.\u00a0Guo, Y.\u00a0Wang, Y.\u00a0Chen and B.\u00a0Liu, Friend or foe? Your wearable devices reveal your personal pin, in: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ACM, 2016, pp.\u00a0189\u2013200.","DOI":"10.1145\/2897845.2897847"},{"key":"ref031","doi-asserted-by":"crossref","unstructured":"C.\u00a0Wang, S.T.\u00a0Jan, H.\u00a0Hu, D.\u00a0Bossart and G.\u00a0Wang, The next domino to fall: Empirical analysis of user passwords across online services, in: Proceedings of the Eighth ACM Conference on Data and Apllication Security and Privacy, ACM, 2018, pp.\u00a0196\u2013203.","DOI":"10.1145\/3176258.3176332"},{"key":"ref032","doi-asserted-by":"crossref","unstructured":"M.\u00a0Weir, S.\u00a0Aggarwal, B.\u00a0De Medeiros and B.\u00a0Glodek, Password cracking using probabilistic context-free grammars, in: 2009 30th IEEE Symposium on Security and Privacy, IEEE, 2009, pp.\u00a0391\u2013405. doi:10.1109\/SP.2009.8.","DOI":"10.1109\/SP.2009.8"},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Xu, J.\u00a0Heinly, A.M.\u00a0White, F.\u00a0Monrose and J.M.\u00a0Frahm, Seeing double: Reconstructing obscured typed input from repeated compromising reflections, in: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ACM, 2013, pp.\u00a01063\u20131074.","DOI":"10.1145\/2508859.2516709"},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"T.\u00a0Zhu, Q.\u00a0Ma, S.\u00a0Zhang and Y.\u00a0Liu, Context-free attacks using keyboard acoustic emanations, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2014, pp.\u00a0453\u2013464.","DOI":"10.1145\/2660267.2660296"},{"key":"ref035","doi-asserted-by":"publisher","DOI":"10.1145\/1609956.1609959"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191289","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191289","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191289","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:19Z","timestamp":1777495519000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191289"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,6,6]]},"references-count":35,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2019,7,18]]}},"alternative-id":["10.3233\/JCS-191289"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191289","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,6,6]]}}}