Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry

Thermanator is a post factum thermal imaging attack that allows an adversary to recover full password key sets up to 30 seconds after password entry, and partial password key sets up to 1 minute after entry. The attack uses a mid-range thermal imaging camera.

The full paper is available on arXiv.

An example thermal timelapse is given below. More information about the project and media coverage can be found on the project website:

Thermal Timelapse

Password “passw0rd” thermal residue 0, 15, 30, 45 and 60 seconds after entry, left to right.

A Password Extractor Framework for Thermal Images

The password extractor framework uses image processing with Python and OpenCV to recover passwords given thermal images. It is open source at (under development).

Attached images are from the 4-step thermal image password recovery process:

  1. Detection of key regions on the thermal image,
  2. Key labeling,
  3. Detection of residues,
  4. Password recovery and password guessing.


BFTKV is a Byzantine Fault-Tolerant distributed Key-Value storage that leverages GPG’s Web of Trust mechanism to build trust and b-masking quorums to provide fault tolerance.
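How a read over a b-masking quorum tolerates faulty replies, as an added example that is not BFTKV's code: it assumes the textbook threshold construction (n >= 4b + 1 servers, quorums of ceil((n + 2b + 1) / 2) servers), and the function names and sample replies are constructed for illustration.

```python
import math
from collections import Counter

def masking_quorum_size(n, b):
    """Quorum size for a threshold b-masking quorum system over n servers."""
    if n < 4 * b + 1:
        raise ValueError("b-masking quorums need n >= 4b + 1 servers")
    return math.ceil((n + 2 * b + 1) / 2)

def min_overlap(n, b):
    """Worst-case number of servers shared by any two quorums (>= 2b + 1)."""
    return 2 * masking_quorum_size(n, b) - n

def masked_read(replies, b):
    """Pick the newest (timestamp, value) pair reported by at least b + 1 servers.

    Up to b replies may be arbitrary. A pair repeated by b + 1 servers was
    reported by at least one correct server, so forged pairs are masked out.
    """
    votes = Counter(replies)
    vouched = [pair for pair, count in votes.items() if count >= b + 1]
    return max(vouched, key=lambda pair: pair[0]) if vouched else None

def demo():
    """Constructed scenario: 9 servers, 2 of them Byzantine."""
    n, b = 9, 2
    q = masking_quorum_size(n, b)                 # 7 servers per quorum
    store = {s: (1, "old") for s in range(n)}     # state before the write
    for s in range(q):                            # write quorum: servers 0..6
        store[s] = (2, "new")
    byzantine = {2, 3}                            # both sit in the read quorum
    read_quorum = range(n - q, n)                 # servers 2..8
    replies = [(99, "forged") if s in byzantine else store[s]
               for s in read_quorum]
    return masked_read(replies, b)

if __name__ == "__main__":
    print("quorum size:", masking_quorum_size(9, 2))
    print("minimum overlap:", min_overlap(9, 2))
    print("read result:", demo())
```

Only three correct servers in the read quorum hold the newest pair, which is exactly the b + 1 needed to outvote the two forged replies and the two stale ones.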

I worked on BFTKV during my internship at Yahoo. The project is open-source at .

A few gifs on how this storage works (more details in the design document):



