Hey security people: How much consideration is given to cameras capturing people's hands as they type passwords on their laptop?
@AlSweigart People have their accounts compromised every second. What percentage of those compromises are tied to video surveillance of keyboard activity vs, say, weak password reuse and no MFA?
@AlSweigart I naturally assume this is happening. I also double mute myself on calls if I need to type a password.
@boblord @AlSweigart it's not academic level research, but given the number of re-used passwords we saw at Twitter (thanks to work from Troy Hunt and others), I'd say it's at least 1M:1 ratio for reuse and weak. Maybe higher.
@petrillic @AlSweigart Yup! People worry about all manner of attack vectors, basically anything and everything other than the basics. If people focus on the basics, they will avoid the most common compromises.
https://www.hacklore.org/letter
@AlSweigart In the sense of "could that be done?" or "is it a likely enough threat to be worth including in threat models?". First is yes, second is no (for most contexts), as there are easier ways to acquire a static password and the most effective mitigations (like 2FA) assume the fixed password *will* be compromised, so closing off *specific* compromise techniques rapidly hits diminishing returns as they get more esoteric. That said, I'd still avoid having my keyboard in view in a video call.
@ancoghlan @AlSweigart
@boblord @petrillic
In 2026, the problem is "people typing passwords" and the threat model should flag that they're not using passkeys/password managers as the problem. The precise form of info disclosure is probably a distraction.
(This is prompted by a slight disagreement with Alyssa's threat model comment.)
@adamshostack @AlSweigart @boblord @petrillic I think we may mostly be in agreement, since passkeys & password managers avoid *any* data entry compromise, whether that's direct observation, video recording, key logging. You're right that my framing was dubious though, as that view means the concern *is* in the threat models, it's just lumped in with the broader data entry category.
@ancoghlan @AlSweigart @boblord @petrillic I think we are mostly in agreement; I think it should be in threat models, but not for the reason Al was discussing, which means I agree with what you said.
(I spend a lot of time wondering what methodology brings versus what expertise brings and how to expand the first.)