The TypTop System: Personalized Typo-Tolerant Password Checking

ABSTRACT
Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms.
We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.
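To make the personalized idea concrete, here is an added, simplified model of a per-user typo cache written for this page; it is not TypTop's scheme (which uses a dedicated stateful password-based encryption construction) and it assumes a checker that stores only salted PBKDF2 hashes: failed attempts go to a bounded wait list, and on a correct login the plausible typos among them (caps lock, first-letter case flip, adjacent transpositions) are promoted to the cache and accepted afterwards.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed illustration of personalized typo tolerance, not TypTop's
# actual construction. The state never holds plaintext passwords or typos.

ITERATIONS = 10_000  # assumed PBKDF2 work factor for the toy store


def _h(salt: bytes, pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def typo_variants(pw: str) -> set:
    """Candidate typos of pw: caps-lock on, first-letter case flip,
    and every adjacent transposition (Damerau's edit)."""
    out = {pw.swapcase(), pw[0].swapcase() + pw[1:]}
    for i in range(len(pw) - 1):
        out.add(pw[:i] + pw[i + 1] + pw[i] + pw[i + 2:])
    out.discard(pw)
    return out


class TypoTolerantChecker:
    def __init__(self, password: str, cache_size=5, waitlist_size=10):
        self.salt = os.urandom(16)
        self.real = _h(self.salt, password)
        self.cache = deque(maxlen=cache_size)        # hashes of learned typos
        self.waitlist = deque(maxlen=waitlist_size)  # hashes of recent failures

    def _in(self, h: bytes, store) -> bool:
        return any(hmac.compare_digest(h, x) for x in store)

    def _learn(self, password: str) -> None:
        # Only runs on a correct login, when the real password is in hand:
        # promote wait-listed failures that are plausible typos of it.
        for v in typo_variants(password):
            hv = _h(self.salt, v)
            if self._in(hv, self.waitlist) and not self._in(hv, self.cache):
                self.cache.append(hv)
        self.waitlist.clear()

    def login(self, attempt: str) -> bool:
        ha = _h(self.salt, attempt)
        if hmac.compare_digest(ha, self.real):
            self._learn(attempt)
            return True
        if self._in(ha, self.cache):
            return True   # a typo this user has been observed to make
        self.waitlist.append(ha)
        return False
```

A typo is accepted only after the user has both mistyped it and subsequently logged in correctly, so an attacker who never knows the real password cannot seed the cache.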