PASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine.

Slides:



Advertisements
Similar presentations
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Advertisements

1 Identification Who are you? How do I know you are who you say you are?
Use of a One-Way Hash without a Salt
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
CREATE LOGIN James WITH PASSWORD = 'A' Answer: SQL 2005 and 2008 can enforce the password policy of the operating system. CREATE LOGIN James WITH PASSWORD.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Testing of Password Policy Anton Dedov ZeroNights 2013.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Building Robust and Automatic Authentication Systems with Activity- Based Personal Questions Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Authentication System
Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.
ACC Online Services and Online Registration. Guess What? Telephone Registration Has Gone Away...It Is Time To Go Online! Part 1: Obtaining Your ACCeID.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
Figures – Chapter 14. Figure 14.1 System layers where security may be compromised.
Lecture 11: Strong Passwords
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Honey Encryption: Security Beyond the Brute-Force Bound
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.
How Safe are They?. Overview Passwords Cracking Attack Avenues On-line Off-line Counter Measures.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Kerberos: Man’s Best Friend. Introduction and Summary The Authentication Problem Password-Based Authentication Kerberos Comparison Conclusion.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.
Knock Yourself Out Secure Authentication with Short Re-Usable Passwords by Benjamin Guldenring, Volker Roth and Lars Ries PRESENTED BY EUNYOUNG CHO COLLEGE.
Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
Presented by Sharan Dhanala
Lecture 7 Page 1 CS 236 Online Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
Homework 1 Perl programming - TA bot release and demo attention.
Belief in Information Flow Michael Clarkson, Andrew Myers, Fred B. Schneider Cornell University 18 th IEEE Computer Security Foundations Workshop June.
CSCE 201 Identification and Authentication Fall 2015.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Securing Network Servers
ESS (Employee Self Service) Assistance
Towards Human Computable Passwords
Personal Profile Campaign
Common Methods Used to Commit Computer Crimes
Password Management Limit login attempts Encrypt your passwords
Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé
JavaScript is a language that is used on any website to add tags, improve the function of the website and allow users to interact. When the development.
Security Engineering.
Human Computable Passwords
Authentication by Passwords
A Cryptographic Defense Against Connection Depletion Attacks
Usable Security (unusable security ain’t secure)
Brandon Traffanstedt Systems Engineer - Southeast
Usable Security (unusable security ain’t secure)
Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.
Access Online Training
Computer Security Protection in general purpose Operating Systems
Usable Security (unusable security ain’t secure)
If my file system only has lots of big video files what block size do I want? Large (correct) Small.
Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

pASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine.

rahul

Password-based authentication systems 3 Password459! Salted, slow cryptographic hash H( Password459! ) = “ a5idoiaU7p.. ” ?

Password-based authentication systems 4 Password459! Salted, slow cryptographic hash H( Password459! ) = “ a5idoiaU7p.. ” ? password459! H( password459! ) = “ a5idoiaU7p.. ” ? Any typo is rejected Typo-tolerant password checking Allow registered password or typos of it Typo-tolerant password checking Allow registered password or typos of it

Typo-tolerant password checking in industry 5 Password459! pASSWORD459! password459!

We know little about password typos Lots of work on usability of passwords… [Ur et al. 2012], [Shay et al. 2012, 2014], [Mazurek et al. 2013], [Bonneau, Schechter 2014] [Keith et al. 2007, 2009], [Bard 2007], [Jakobsson et al. 2012] … but nothing on typo-tolerant password checking. 1.How can we build a typo-tolerant systems? 2.How much would tolerating typos help users? 3.Does it endanger security? 6

Our work We measure password typos at Dropbox and show they are a huge problem for both users and service providers. We develop approaches to typo-tolerant checking, and show they improve utility with minimal security impact. “Have your cake and eat it too” 7

8 How to do typo-tolerant password checking?

We focus on relaxed checkers 9 Password459! password459! H( password459! ) = “ a5idoiaU7p.. ” ? H( PASSWORD459! ) = “ a5idoiaU7p.. ” ? H( Password459! ) = “ a5idoiaU7p.. ” ? Apply caps lock corrector Apply first case flip corrector … … Slow hash No change in password hash database Can we find a small but useful set of typo correctors?

MTurk password transcription study ,000+ passwords typed by 4,300 workers

Impact of top-3 typos in the real world 11 Instrumented production login of Dropbox to quantify typos NOTE: We did not change authentication policy. 24 hour period: 3% of all users failed to login because one of top 3 typos 20% of users who made a typo would have saved at least 1 minute in logging into Dropbox if top 3 typos are corrected. Allowing typos in password will add several person-months of login time every day.

12 Typo-tolerance will significantly enhance usability of passwords. Can it be secure?

Threat #1: Server compromise 13 Password459! password459! H( password459! ) = “ a5idoiaU7p.. ” ? H( PASSWORD459! ) = “ a5idoiaU7p.. ” ? H( Password459! ) = “ a5idoiaU7p.. ” ? No change in password hash database No change in security in case of server compromise No change in security in case of server compromise

Threat #2: Remote guessing attack 14 password H( password ) = “ a5idoiaU7p.. ” ? H( PASSWORD ) = “ a5idoiaU7p.. ” ? H( Password ) = “ a5idoiaU7p.. ” ? Apply caps lock corrector Apply first case flip corrector Apply extra char. at end corrector H( passwor ) = “ a5idoiaU7p.. ” ?

Passwords are not uniformly distributed! 300% improvement, only if all checked passwords are equally probable. BUT, humans do not chose random passwords. Good for online guesses, maximizes success probability Good for online guesses, maximizes success probability

Attack simulation using password leaks 16

password Password Security-sensitive typo correction 17 Don’t check a correction if the resulting password is too popular. pASSWOR PASSWORD

Security of checkers with filtering 18 Change in success: 0.02%

19 Typo-tolerant checking can enhance users’ experience for essentially no degradation in security.

pASSWORD tYPOS in one slide 1.Introduce typo-tolerant password checkers Compatible with existing password databases, easy to deploy 2.Study password typos empirically 3% of users fail to login due to correctable, top-3 typos 3. Analyze security of typo-tolerant checkers “Free” correction theorem (In theory) With heuristic, works in practice too 20 Thanks! Thanks! /rchatterjee/mistypography

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.