Not to mention that this was first done years ago by some agency using sound recordings and good old analysis.

Years ago I got the (then) admin account password at work because one of the LAN admins typed with two pointer fingers and I just watched.

I was wondering how it would be able to tell what keyboard someone is using like I switch between Dvorak and Qwerty all the time ( I can only type properly in Dvorak though ).

Enter master password:

KeepassXC with a Yubikey. Always buy a backup Yubikey folks.

Rearranging the keys? My password’s pretty much muscle memory, typed fast enough in not really worried about people watching me enter it. Call me lazy, but having to pick and hit every key? No thanks.

Playing sounds? sure.

Rearranging keys - hell no.

Wouldn't that make it easier for the AI?

Or if you want to go further, have foamed + plate mount + mixed lubed and unlubed switch + different color of switch on top of mixed brands of cherry mx, kailh, gateron, outemu and or lesser known/premium switches on single keyboard, the cost may be unusually high and need custom printed pcb.

Maybe you'll need to get use to typing on it as now comprised of various tactility and feedback feel.

Doesn't matter that much if you cast your malware broadly enough, for example requesting mic access from a web page. A large percentage of keyboards (especially business laptops) will be covered just by Mac + Lenovo.

You can just solve the problem altogether by using a password manager with a 2fa dongle like a nitro or yubi key

I suspect it also uses timing between each key stroke to basically triangulate all possible combinations (this method would at least have to know the exact starting key to construct the password from this distance info, that is why I said all possible combinations)

The layout is less of an issue, as long as the program analyzing the sounds of your keyboard can diferentiate between all keys, then it can remap to QWERTZ, AZERTY or sny other layout.

However, this attack seems quite involved, so if you are targeted, the attacker could find out the layout in use ahead of time (here in Sweden you are unlikely to find a person using anything but a Swedish layout), they could also fo some social engineering, and hold a chat conversation with you while using your phone to record keystrokes, it would take a while, but over time they could probably get a decently accurate map of your keyboard.

Wouldn't it also be able to crack it in the future as long as it's accurate enough? As long as it's able to accurately recognise what key is which it can crack it like the enigma code.

Because all keys on a keyboard sound slightly different, computers can detect those differences, and compare it with a baseline from either the same keyboard or a model just like it.

Try this: on any keyboard (a membrane keyboard especially if you have one) try quickly tapping one key 3 times and then another key 3 times. Move around the keyboard or alternate between two letters.

Can you hear that they make different sounds, but typing the same letter has roughly the same sound? The" plok" has a higher or lower pitch (frequency is the scientific word for it), and a trained AI can match that pitch to a letter if it has or can get an idea of what corresponds to what.