Paper 2017/810

The TypTop System: Personalized Typo-Tolerant Password Checking

Rahul Chatterjee, Joanne Woodage, Yuval Pnueli, Anusha Chowdhury, and Thomas Ristenpart

Abstract

Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms. We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. We therefore design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.

Note: This is the full version of the paper going to appear in ACM CCS 2017. There was a bug in the analysis of the previous version in Appendix A.5: Online security which also affects our claims in the conclusion. In this version, we fixed the bug, updated the version with new results, and an appropriate conclusion.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. ACM Conference on Computer and Communications Security (CCS)
DOI
10.1145/3133956.3134000
Keywords
Passwordtypo-tolerant password
Contact author(s)
rahul @ cs cornell edu
History
2017-10-23: revised
2017-08-29: received
See all versions
Short URL
https://ia.cr/2017/810
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/810,
      author = {Rahul Chatterjee and Joanne Woodage and Yuval Pnueli and Anusha Chowdhury and Thomas Ristenpart},
      title = {The TypTop System: Personalized Typo-Tolerant Password Checking},
      howpublished = {Cryptology ePrint Archive, Paper 2017/810},
      year = {2017},
      doi = {10.1145/3133956.3134000},
      note = {\url{https://eprint.iacr.org/2017/810}},
      url = {https://eprint.iacr.org/2017/810}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.