AI can steal passwords

[Alwyn]

In today’s (Lo don) Times is an article that suggests that AI could pick up passwords by listening to what is typed in on the keyboard.

Although this strengthens tha argument for saving your passwords in System Settings whenever the device is shut down the password to open it has to be typed in..

Has Apple done away with this requirement on its latest devices?

 

[Raz0rEdge]

No-one is going to react to the various factions around what AI could and couldn't do. There have been password cracking methodologies that have existed for a long time before AI came into the picture.

So let's pause for a moment, and think about what an AI learning your password means. So an AI, running where I'm not sure, listens to your keyboard typing and figures out your password. OK. Then what? It transmits that information to the dark web for people to sell and then someone buys it and figures out how to get your physical machine to type it to get access to it?

I think people's imagination is running wild around generative AI right now.

For a long time, we were in the space of ML (Machine Learning) where you fed a computer a lot of data to ingest which allowed it to create categories and groupings and based on that info the computer could predict what an appropriate answer was with some level of specificity. That is, if you fed a computer a lot of medical journals with symptoms and diagnosis', it could get to a point of being able to predict the disease based on symptoms with growing levels of accuracy.

With generative AI, you give access to a lot of data, but you don't control the consumption/analysis of that data and the computer now begins to answer questions based on the "knowledge" it has acquired. But more importantly, it starts to modify this "knowledge" based on how accurate you say it is or not.

This now causes people to think that generative AI is "thinking" and will somehow rule the world. While, that might happen down the line, we are far from it.

 

[Rod]

It is still necessary to login manually initially on startup of a Mac but it is my understanding that nothing is running at that time except the base system. After that login can be performed with an Apple Watch or finger print.
I understand an AI needs to "hear" the keys being pressed so permission to use the microphone would also need to be granted to that program in settings.
As well as monitoring Safari website permissions I run a utility called OverSight by Objective-See which tells me any time an app/website tries to access my mic or camera. From the dialogue box I can refuse/allow access.
I also use a password manager to fill all of my web and app passwords and my fingerprint to open my password manager so Apple's addition of biometrics has helped.

 

[pm-r]

In today’s (Lo don) Times is an article that suggests that AI could pick up passwords by listening to what is typed in on the keyboard.

That sounds more like an article that the old News of The World newspaper rag would have run.

Is the London Times really stooping to that level of journalism these days???




- Patrick
=======

 

[krs]

Is the London Times really stooping to that level of journalism these days?

Anything to increase sales.

But in any case - I'm Safe with my Mac Mini - no microphone, ha, ha

 

[pm-r]

Has Apple done away with this requirement on its latest devices?

For those who want to try a Developers exploit you can try doing a test from here:

Go to Gerganov’s website to Try it yourself,

The site can track mechanical keyboard typing just by listening

Need another reason to skip upgrading to a clackety mechanical keyboard, Along with a little sympathy for your co-workers who undoubtedly Suffering from

www.oe-mag.co.uk

And here:
Keytap3: check if your keyboard can be eavesdropped through a microphone

The site can track mechanical keyboard typing just by listening

Need another reason to skip upgrading to a clackety mechanical keyboard, Along with a little sympathy for your co-workers who undoubtedly Suffering from

www.oe-mag.co.uk

It seems as if this keyboard listening thing has been around for several years now according to a Google search.

I have my doubts how or even if it would work with my wired USB connected Apple keyboard.




- Patrick
=======

 

[IWT]

I think people's imagination is running wild around generative AI right now.

Hear! Hear!

Ian

 

[Rod]

Just for anyone interested in OverSight, it's donationware and available from the developer here along with earlier versions and instructions for use; Objective-See: KextViewr

 

[rickeyF3]

You're correct that on startup, only the base system is running, which limits the potential for malicious software to access your sensitive data, including passwords. Additionally, technologies like Touch ID, Face ID, and Apple Watch authentication can provide convenient yet secure ways to access your device and applications.

Using a utility like OverSight to monitor and control access to your microphone and camera is a proactive step to prevent unauthorized access to these hardware components. It's always a good idea to be cautious and grant access only to trusted applications.

Password managers are indeed valuable tools for securely storing and autofilling your passwords, reducing the risk of keyloggers or other password interception methods. Combining this with biometric authentication adds an extra layer of security, as you mentioned.

 

[IWT]

@rickeyF3

A warm welcome to Mac-Forums. Thank you for your comments.

Hope we will see more of you in the future. We are all here to assist.

Ian

 

[rickeyF3]

@rickeyF3

A warm welcome to Mac-Forums. Thank you for your comments.

Hope we will see more of you in the future. We are all here to assist.

Ian

Ok, thanks, I'm happy to help)

 

[Rod]

I think these days the challenge is deciding on the best combination of security measures to take and which ones to choose.

Apple now offers a much more accessible interface to Keychain to create, sync, save, evaluate and fill passwords. Coupled with biometrics, "trusted" devices and 2FA it's a pretty good system.
If I was just starting out today I think I would confine myself exclusively to the Apple "system" after all it's native and free, but, of course I'm not. Some might say, isn't that putting all your eggs in one basket and there is some truth in that.
Like many "early adopters" I saw the personal need for better password management years ago. Many of us on this forum, like me, will have third party password managers already.

Authenticators like the ubiquitous Google authenticator paired to a trusted device such as your mobile phone have been around for years but now there are an array of others while some institutions continue to use the outmoded SMS One Time Password system (like one of my banks).

VPN's are now an optional feature of most web browsers and the VPN I have been using for years, now offers an inbuilt password manager.

The point is, I at least, now have at least 5 different ways, or a combination of them, for verifying my identity depending on the service I need to access. OTP's delivered to my mobile phone, PIN numbers for ATM's and apps, user name and passwords for websites, passwords and generated PIN's via trusted devices for some accounts, random PIN's generated by algorithms in authenticators (and some password managers) plus dedicated "tokens" and biometrics.

No wonder many users are confused. Perhaps "Passkeys" will be the holy grail as promised which is a whole other topic. Read; What are passkeys? Everything you need to know about the death of passwords

 

[krs]

For critical sites like on-line banking, I like the TAN system used by European banks.Even if someone has your user ID and password, they cannot withdraw any funds.
2FA via a cellphone call or text is a problem in Canada because it's very easy to transfer a number without the original owner even knowing until tey try to make a call and get "No Service".
Better to get 2FA via a traditional landline.