Presentation is loading. Please wait.

Presentation is loading. Please wait.

PASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine.

Published byRodney Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "PASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine."— Presentation transcript:

1 pASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine.

2 rahul

3 Password-based authentication systems 3 Password459! Salted, slow cryptographic hash H( Password459! ) = “ a5idoiaU7p.. ” ?

4 Password-based authentication systems 4 Password459! Salted, slow cryptographic hash H( Password459! ) = “ a5idoiaU7p.. ” ? password459! H( password459! ) = “ a5idoiaU7p.. ” ? Any typo is rejected Typo-tolerant password checking Allow registered password or typos of it Typo-tolerant password checking Allow registered password or typos of it

5 Typo-tolerant password checking in industry 5 Password459! pASSWORD459! password459!

6 We know little about password typos Lots of work on usability of passwords… [Ur et al. 2012], [Shay et al. 2012, 2014], [Mazurek et al. 2013], [Bonneau, Schechter 2014] [Keith et al. 2007, 2009], [Bard 2007], [Jakobsson et al. 2012] … but nothing on typo-tolerant password checking. 1.How can we build a typo-tolerant systems? 2.How much would tolerating typos help users? 3.Does it endanger security? 6

7 Our work We measure password typos at Dropbox and show they are a huge problem for both users and service providers. We develop approaches to typo-tolerant checking, and show they improve utility with minimal security impact. “Have your cake and eat it too” 7

8 8 How to do typo-tolerant password checking?

9 We focus on relaxed checkers 9 Password459! password459! H( password459! ) = “ a5idoiaU7p.. ” ? H( PASSWORD459! ) = “ a5idoiaU7p.. ” ? H( Password459! ) = “ a5idoiaU7p.. ” ? Apply caps lock corrector Apply first case flip corrector … … Slow hash No change in password hash database Can we find a small but useful set of typo correctors?

10 MTurk password transcription study 10 100,000+ passwords typed by 4,300 workers

11 Impact of top-3 typos in the real world 11 Instrumented production login of Dropbox to quantify typos NOTE: We did not change authentication policy. 24 hour period: 3% of all users failed to login because one of top 3 typos 20% of users who made a typo would have saved at least 1 minute in logging into Dropbox if top 3 typos are corrected. Allowing typos in password will add several person-months of login time every day.

12 12 Typo-tolerance will significantly enhance usability of passwords. Can it be secure?

13 Threat #1: Server compromise 13 Password459! password459! H( password459! ) = “ a5idoiaU7p.. ” ? H( PASSWORD459! ) = “ a5idoiaU7p.. ” ? H( Password459! ) = “ a5idoiaU7p.. ” ? No change in password hash database No change in security in case of server compromise No change in security in case of server compromise

14 Threat #2: Remote guessing attack 14 password H( password ) = “ a5idoiaU7p.. ” ? H( PASSWORD ) = “ a5idoiaU7p.. ” ? H( Password ) = “ a5idoiaU7p.. ” ? Apply caps lock corrector Apply first case flip corrector Apply extra char. at end corrector H( passwor ) = “ a5idoiaU7p.. ” ?

15 Passwords are not uniformly distributed! 300% improvement, only if all checked passwords are equally probable. BUT, humans do not chose random passwords. Good for online guesses, maximizes success probability Good for online guesses, maximizes success probability

16 Attack simulation using password leaks 16

17 password Password Security-sensitive typo correction 17 Don’t check a correction if the resulting password is too popular. pASSWOR PASSWORD

18 Security of checkers with filtering 18 Change in success: 0.02%

19 19 Typo-tolerant checking can enhance users’ experience for essentially no degradation in security.

20 pASSWORD tYPOS in one slide 1.Introduce typo-tolerant password checkers Compatible with existing password databases, easy to deploy 2.Study password typos empirically 3% of users fail to login due to correctable, top-3 typos 3. Analyze security of typo-tolerant checkers “Free” correction theorem (In theory) With heuristic, works in practice too 20 Thanks! rahul@cs.cornell.edu Thanks! rahul@cs.cornell.edu /rchatterjee/mistypography

21

Download ppt "PASSWORD tYPOS and How to Correct Them Securely R. Chatterjee, A. Athalye, D. Akhawe, A. Juels, T. Ristenpart To typo is human; to tolerate, divine."

Similar presentations

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Use of a One-Way Hash without a Salt

Use of a One-Way Hash without a Salt
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
CREATE LOGIN James WITH PASSWORD = 'A' Answer: SQL 2005 and 2008 can enforce the password policy of the operating system. CREATE LOGIN James WITH PASSWORD.

CREATE LOGIN James WITH PASSWORD = 'A' Answer: SQL 2005 and 2008 can enforce the password policy of the operating system. CREATE LOGIN James WITH PASSWORD.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Testing of Password Policy Anton Dedov ZeroNights 2013.

Testing of Password Policy Anton Dedov ZeroNights 2013.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.

Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Building Robust and Automatic Authentication Systems with Activity- Based Personal Questions Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer.

Building Robust and Automatic Authentication Systems with Activity- Based Personal Questions Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Authentication System

Authentication System
Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.

Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.

Similar presentations

Ads by Google