pASSWORD tYPOS and How to Correct Them Securely

@article{Chatterjee2016pASSWORDTA,
  title={pASSWORD tYPOS and How to Correct Them Securely},
  author={Rahul Chatterjee and Anish Athalye and Devdatta Akhawe and Ari Juels and Thomas Ristenpart},
  journal={2016 IEEE Symposium on Security and Privacy (SP)},
  year={2016},
  pages={799-818}
}
We provide the first treatment of typo-tolerant password authentication for arbitrary user-selected passwords. Such a system, rather than simply rejecting a login attempt with an incorrect password, tries to correct common typographical errors on behalf of the user. Limited forms of typo-tolerance have been used in some industry settings, but to date there has been no analysis of the utility and security of such schemes. We quantify the kinds and rates of typos made by users via studies… 
The TypTop System: Personalized Typo-Tolerant Password Checking
TLDR
The formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password.
tPAKE: Typo-Tolerant Password-Authenticated Key Exchange
Password-authenticated key exchange (PAKE) enables a user to authenticate to a server by proving the knowledge of the password without actually revealing their password to the server. PAKE protects
Tipsy: How to Correct Password Typos Safely
  • Computer Science
  • 2021
TLDR
This work implements and tests a simple typo-tolerant password authentication scheme as well as its personalised counterpart, and suggests a refined algorithm that offers a minimal decrease in security.
Client-side hashing for efficient typo-tolerant password checkers
  • Enka Blanchard
  • Computer Science
    International Journal of Systems and Software Security and Protection
  • 2022
TLDR
This article introduces an alternative typo-correction framework based on client-side hashing, which corrects up to 57% of typos without affecting user experience, at no computational cost to the server.
DALock: Password Distribution-Aware Throttling
TLDR
DALock is introduced, a distribution-aware password lockout mechanism to reduce user annoyance while minimizing user risk, and is empirically evaluated with an extensive battery of simulations that indicate that DALock offers a superior simulated security/usability trade-off.
Study On Threats To Correct Password Errors Focused On Facebook Cases
TLDR
This paper confirms Facebook's claim that login is possible even if there is a typo in the ID or password on Facebook, analyzes the types of typos users make, and estimates the effects of the function that allows typos.
Making More Extensive and Efficient Typo-Tolerant Password Checkers
  • Enka Blanchard
  • Computer Science
    2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)
  • 2020
TLDR
This work proposes an alternative framework which corrects up to 57% of typos without affecting user experience, at no computational cost to the server.
A Typo-Tolerant Password Authentication Scheme with Targeted Error Correction
  • Xin Chen, Xinyi Huang, Y. Mu, Ding Wang
  • Computer Science
    2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)
  • 2019
TLDR
A typo-tolerant password authentication scheme with targeted error correction that first uses fuzzy judgment to determine whether the input password contains personal information, and then corrects the password according to the result of the fuzzy judgment.
DALock: Distribution Aware Password Throttling
TLDR
DALock is designed to be aware of the frequency and popularity of the password used for login attacks while standard throttling mechanisms are oblivious to the password distribution and offers a superior security/usability trade-off.
Password typo correction using discrete logarithms
TLDR
A simpler algorithm is proposed for the more general problem of computing an edit distance between two strings without having direct access to those strings, by storing only the equivalent of a hash on the server.

References

SHOWING 1-10 OF 51 REFERENCES
The usability of passphrases for authentication: An empirical field study
Improving Usability Through Password-Corrective Hashing
We propose a way to increase the usability of password authentication systems by compensating for transposition and substitution errors. We show how to correct for these errors with low false
Can long passwords be secure and usable?
TLDR
Among the longer policies, new evidence for a security/usability tradeoff is discovered, with none being strictly better than another on both dimensions; however, several policies are both more usable and more secure than the traditional policy the authors tested.
Rethinking Passwords to Adapt to Constrained Keyboards
TLDR
A variant of the traditional password scheme designed to take advantage of standard error-correcting methods of the types used to facilitate text entry on handsets is described and analyzed, and a memory jogging technique in which a portion of the fastword is revealed to a user who has forgotten it is shown.
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
TLDR
It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
The security of modern password expiration: an algorithmic framework and empirical analysis
TLDR
This paper develops a framework by which an attacker can search for a user's new password from an old one, and designs an efficient algorithm to build an approximately optimal search strategy, which is used to measure the difficulty of breaking newly chosen passwords from old ones.
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
TLDR
It was found that meters with a variety of visual appearances led users to create longer passwords, however, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently.
Correct horse battery staple: exploring the usability of system-assigned passphrases
TLDR
System-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics, and usability did not seem to increase when the dictionary from which words were chosen was shrunk, the number of words in a passphrase was reduced, or users were allowed to change the order of words.
Spelling-Error Tolerant, Order-Independent Pass-Phrases via the Damerau-Levenshtein String-Edit Distance Metric
TLDR
This paper explores methods for making pass-phrases suitable for use with password-based authentication and key-exchange (PAKE) protocols, and in particular, with schemes resilient to server-file compromise.
"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab
TLDR
To understand the genesis of common password patterns and uncover average users' misconceptions about password strength, a qualitative interview study is conducted that identifies aspects of password creation ripe for improved guidance or automated intervention.