Mon 18 Aug 2008
Shoulder Surfing
Posted by admin under Tips
Think of all we do to ensure that our authentication systems are not compromised. It really takes a fair amount of effort to extract someone’s password from a shadow file or to secretly install a keylogger.
A far simpler solution is to look over their shoulder while they type.* Take care when signing on in public places. The guy standing in line for a coffee may take an interest in your banking password. Admittedly, this kind of attack of opportunity may not happen often. However, this is an easy way to actively hunt prey.
The concern lies in more than just physically proximate attackers. Many public areas will also have security cameras. A good line of sight would reveal a string of credentials: local machine, webmail, banking, etc.
Some thieves are known to target victims at ATMs only once they have successfully observed the victim’s PIN. Similarly, a laptop theft is much more severe if the attacker can immediately access the system. This makes possible a number of attacks of which the victim is unaware.
For example, at the library Alice shoulder surfs Bob’s password. Bob locks his computer to the table and goes to the restroom. A couple of minutes later, he returns to find his laptop in its original position, apparently untouched. However, during that time Alice logged in and installed a backdoor. Bob would probably not find it until the damage had already been done.
As always, watch your back. In terms of information security, it is not unwarranted to assume that everyone, except a trusted few, is your enemy. And what do we know about turning our backs to our enemies?
A quick and easy mitigation is to type very quickly. Failing that, moving both hands while typing can distract a casual shoulder surfer. As an added distraction, pad the beginning and end of each string, i.e., type “in the air” without actually depressing keys.
And lest I forget this most valuable piece of advice: CHANGE YOUR PASSWORDS OFTEN. The more sensitive your password, the more often you should change it. If you even suspect it’s been compromised, change it!
*Actually, it’s also possible to listen to the sequence of keystrokes and identify the keys pressed. There’s a paper on this; I’ll link it later.