Intuitively, auto-correcting passwords would seem to be a terrible idea, and the worst security-for-convenience tradeoff in technology history.
But a team of academics from Cornell University, MIT and a Dropbox security engineer say that the degradation of security from the introduction of such an authentication mechanism is negligible.
The team—Rahul Chatterjee, Ari Juels and Thomas Ristenpart of Cornell University, Anish Athalye of MIT, and Devdatta Akhawe of Dropbox—presented their findings in a paper called “pASSWORD tYPOS and How to Correct Them Securely” at the recent IEEE Symposium on Security and Privacy. The paper describes a framework for what the team calls typo-tolerant passwords that significantly enhances usability without compromising security.
The paper focuses on three common types of password errors that users make while typing: engaging caps lock; inadvertently capitalizing the first letter of a password; or adding or omitting characters to the beginning or end of a password.
By instituting an autocorrect scheme, the researchers said in their paper that they could reduce common mistakes and user frustrations with logins.
“Our experiments reveal that almost 10 percent of login attempts fail due to a handful of simple, easily correctable typos, such as capitalization errors,” the researchers wrote. “We show that correcting just a few of these typos would reduce login delays for a significant fraction of users as well as enable an additional 3 percent of users to achieve successful login.”
Facebook already has such a scheme in place, correcting capitalization errors on password submissions. This measure is what sparked the researchers’ interest, Ristenpart told Threatpost.
“The consensus at the time was that this was bad for security, and that was certainly our sense, that it would cause problems,” Ristenpart said. “But if you’re careful about the types of typos you’re correcting, you won’t degrade security.”
The researchers’ experiments were carried out on Dropbox’s login infrastructure (no passwords were recorded, nor was authentication policy changed): common typos in failed login attempts were measured over a 24-hour period, and then measured again with those typos corrected. The results show a marked improvement in the login experience from correcting just the top three common typos.
Further, the researchers describe two classes of password checkers: typo-tolerant checkers and, within those, a subclass they call relaxed checkers.
“Relaxed checkers are systems that start with an existing exact system (e.g., comparing salted bcrypt hashes or using an encrypted password onion). The system is ‘relaxed’ through a modification that additionally searches a small space of corrections to the submitted password,” the researchers wrote. “This search allows easy deployment of typo-tolerance, while ensuring that security in the face of server compromise is as in the exact checking case (since stored values remain unchanged). Thus we focus on analyzing online guessing attacks that seek to maximize their probability of success by exploiting the extra typo checks.”
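As an added illustration of the relaxed-checker idea (not code from the paper or from Dropbox): an exact salted-hash check is wrapped so that, on failure, a small fixed set of corrections for the three typo classes the article names is also tried. The stored value is untouched, so offline security is unchanged; the correction set and the PBKDF2-based hash are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Correctors modelling the article's three typo classes: caps lock engaged,
# first letter auto-capitalized, and an extra character at the start or end.
# This set is an assumption of this example, not the paper's exact list.
def _swap_case_all(p):    # caps lock was on for the whole password
    return p.swapcase()

def _swap_case_first(p):  # first letter was auto-capitalized (or not)
    return p[0].swapcase() + p[1:] if p else p

def _drop_last(p):        # a stray character was appended
    return p[:-1]

def _drop_first(p):       # a stray character was prepended
    return p[1:]

CORRECTORS = [_swap_case_all, _swap_case_first, _drop_last, _drop_first]

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stands in for bcrypt or a password onion."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest

def exact_check(stored, submitted):
    salt, digest = stored
    _, candidate = hash_password(submitted, salt)
    return hmac.compare_digest(candidate, digest)

def candidates(submitted):
    """Submitted password first, then each distinct non-empty correction."""
    seen = [submitted]
    for fix in CORRECTORS:
        c = fix(submitted)
        if c and c not in seen:
            seen.append(c)
    return seen

def relaxed_check(stored, submitted):
    """Returns (accepted, values_tested). The stored hash is never modified.

    values_tested is the number of passwords this single submission
    effectively guessed; an online rate limiter should count that, not 1."""
    tested = 0
    for c in candidates(submitted):
        tested += 1
        if exact_check(stored, c):
            return True, tested
    return False, tested
```

Each relaxed login costs up to len(candidates) hash evaluations, so the server-side hashing budget grows by the same factor.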
Ristenpart said the only advantage to a hacker in a brute-force attack, for example, would be if many of the passwords checked are high-probability passwords to begin with.
“[Lousy] passwords are less likely to be typo-d because they’re simpler,” Ristenpart said.
Ristenpart said that he’d like to see future enhancements to the framework include corrections for transposition errors, which would help alleviate frustrations encountered when entering long, complicated passwords.
“We’d like to apply this to a broader class of errors and correct them,” he said.