Osirium Research Points Out Perils of Password Shoulder Surfing

Published: 20 April 2015

Tom Guyatt

By Tom Guyatt


Technological innovation moves at a relentless pace. It’s hard to believe sometimes that the original iPhone launched just eight years ago. Ditto, powerful digital single-lens reflex (DSLR) cameras have over the past few years become an affordable luxury for many people. But while applauding these advances, we have to remember that whatever we use can also be abused by cyber criminals.

With this in mind, we recently decided to test a selection of cameras to see which, if any, could increase the risk of office employees having their log-ins shoulder surfed without their knowledge.

The privileged user problem

At Osirium we spend a great deal of time promoting the message that passwords are dangerous. They can be cracked, hacked and guessed with relative ease by cyber criminals today. And admin passwords are increasingly in high demand. This is because targeting a member of the IT team direct will usually give a hacker a much better RoI for their attack. For a bit more up front effort, they get credentials which will give them access to the data they want without needing to spend time and effort escalating privileges. Plus, they stand a much better chance of getting in and out undiscovered.

That’s why we provide security-conscious organisations with privileged user management and privileged session management, as well as privileged task automation and privileged user analytics. The premise behind Osirium technology is that an employee never has to remember or enter a password, because the whole process is automated by us and hidden from the user.

But unfortunately, many UK employees are still saddled with insecure password-based log-in systems. They are advised to think of strong passwords – combinations of numbers, letters, symbols etc – and not to reuse credentials across accounts. But what about the old-fashioned dangers of shoulder surfing? We guard our debit card PINs at the ATM, but are less cautious when entering our password on our laptop.

Surfing from a distance

We chose five different cameras – ranging from a £5.99 keyfob device to a high end Canon 5D3 with 300mm f2.8 lens – created a tricky password, and found an office which provided a distance of up to 25 metres from camera to victim. We then chose a Dell 15.4 inch 1920x1080 resolution laptop, entering the password into an Excel spreadsheet using a standard font, and an iPad 2, with the password displayed in an email.

The results should give IT managers plenty to think about. Although the lower-end devices we used needed to be positioned pretty close to the victim, we found the iPhone functioned as an effective, stealthy shoulder-surfing tool. The compact camera also fared well, while the DSLR model we tried could even be used by a cyber criminal sat in a different building altogether to spot and steal passwords as they are typed in by staff.

Our findings should be yet another wake-up call; firstly to users to always be on your guard when entering log-in credentials. But also for IT buyers to consider new authentication technology like Osirium’s privileged user management, which does away with passwords altogether to safeguard your most important accounts.

Click here to view our findings and to read more: - https://www.osirium.com/shoulder-surfing

Release Date: 
Monday, 20 April 2015
Article Type: 
Blog Post
Author: 
Tom Guyatt