
Password Typos and How to Correct Them Securely (2016) [pdf] - sillysaurus3
http://www.ieee-security.org/TC/SP2016/papers/0824a799.pdf
======
glitcher
> "In future work, we plan to investigate whether typo-tolerance will actually
> serve to improve overall security. Because allowing for password typos
> increases login success rates in benign scenarios, it may help to make
> adversarial login attempts stick out. This would strengthen the signals used
> to detect online password attacks as used in Internet-scale authentication
> systems."

My initial thought was that such a system would decrease security, but the
idea of increasing legitimate user login success rates is very interesting.
This could also decrease the volume of password reset requests.

Of course if the user were pasting their credentials in from a password
manager this feature wouldn't make any difference, but until our industry can
create solutions with much less authentication friction we are likely to see
users continue to do what the majority of them are used to already doing.

~~~
freshhawk
What would a solution even look like with less friction than what we have now?
You can hit a key shortcut, pull up a list, select the password and it's done.
I personally hit one keyboard shortcut, type a few characters into a fuzzy
matching narrowing list, hit enter and the password is in my clipboard
(password-store + dmenu) and there are equally minimal friction GUI versions
of the same.

Total blue sky it, or describe it in principle. We are basically approaching
the theoretical minimum in regards to friction. We have a lot of solutions
that accept large decreases in security for small improvements in ease of use
in an attempt to attract users.

Users don't want these tools. It's not friction, it's a complete disinterest
from users. Maybe there is some theoretical approach with less friction that
would win everyone over, but this analysis of what the problem is stinks of
tech solutionism to me.

~~~
setr
Well, for one, using a generated password on a machine I don't own (i.e. a
library computer) is a PITA, and that's if I have my phone. If it's elsewhere
for whatever reason, then I'm simply fucked since I'm no longer the source of
truth.

However, I'm not sure if hardware solutions like YubiKey solve this
(particularly for initial logon, or "interfaces", like a computer serving
solely as a printer terminal).

But anyways, the easy case is when the manager is trivially available; the
hard case to solve is when it's not. You can instead imagine a world where all
computers by standard support some interface for hardware login in all states
of operation, and by standard practice, people keep this hardware on them, and
you'd have a significant improvement on the state of affairs. (i.e. NFC
authentication by phone)

------
sillysaurus3
Quite happy to see that six out of the 30 front page slots are currently PDF
submissions. Few other places on the internet are as scholarly. That's no
small feat given HN's size. (Was pretty surprised to discover HN is now ranked
1336 globally, 565 in the US.
[http://www.alexa.com/siteinfo/ycombinator.com](http://www.alexa.com/siteinfo/ycombinator.com))

~~~
danohu
Currently 1337, which seems appropriate.

------
unholiness
Real users have passwords that are simple mutations from passwords they used
elsewhere. They'll change a 1 to a 2 to make it unique and safe, or change an
o to a 0 to fulfill the next site's requirements.

I don't buy the idea that being typo tolerant only helps the real account
owner if it's also opaquely increasing the amount of password reuse across
sites. Not to mention that the code handling the typo comparison is a pretty
large new surface area for attack, all in the name of optimizing the
experience for typing passwords by hand (a practice we should actively
reduce).

------
jwfxpr
Non-PDF version:
[http://ieeexplore.ieee.org/document/7546536/](http://ieeexplore.ieee.org/document/7546536/)

------
mikequinlan
Dear God, please do NOT spell-correct my passwords. Ever.

~~~
xenadu02
The point is if you auto-correct passwords then you vastly decrease the
legitimate bad password rate... meaning you can be more aggressive about
locking or flagging accounts with multiple incorrect password attempts.

Whether this would be a net win or not I don't know.
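
The mechanism xenadu02 and the quoted abstract describe, as an added example that is not code from the paper or from anyone in this thread: the server keeps only a salted hash, and on login it checks the submitted string and then a small set of corrected candidates against that hash, so no plaintext or "near-miss" password is ever stored. The three correctors (caps-lock flip, first-character case flip, drop trailing character), the iteration count, the password and the login attempts are all constructed for the illustration. The tally at the end shows the point xenadu02 makes: the legitimate user's failure count drops while the guessing attacker's does not, so failed attempts become a cleaner lockout signal.

```python
"""Typo-tolerant password verification against a stored hash.

Added example (not from the paper or the thread). The corrector set,
the sample password and the sample attempts are constructed assumptions.
"""
import hashlib
import hmac
import os

# Low cost so the example runs quickly; a deployment would raise this.
ITERATIONS = 20_000

# Each corrector maps the submitted string to one candidate the user may have
# meant. "exact" is tried first so a correct password costs one hash.
CORRECTORS = (
    ("exact", lambda p: p),
    ("swc_all", lambda p: p.swapcase()),                     # caps lock was on
    ("swc_first", lambda p: p[:1].swapcase() + p[1:]),       # missed shift on first char
    ("rm_last", lambda p: p[:-1]),                           # stray trailing keystroke
)


def hash_password(password, salt=None):
    """Return (salt, digest) for a new or existing salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_exact(password, salt, digest):
    """Strict check: hash the candidate and compare in constant time."""
    _, cand = hash_password(password, salt)
    return hmac.compare_digest(cand, digest)


def verify_tolerant(submitted, salt, digest):
    """Return (accepted, corrector_name).

    Every candidate is checked only by re-hashing it; the server never learns
    the real password from a failed attempt. Duplicate candidates are skipped
    so a corrector that changes nothing is not hashed twice.
    """
    tried = set()
    for name, fix in CORRECTORS:
        cand = fix(submitted)
        if cand in tried:
            continue
        tried.add(cand)
        if verify_exact(cand, salt, digest):
            return True, name
    return False, None


# Constructed sample: one legitimate user typing by hand, one attacker guessing.
SAMPLE_ATTEMPTS = [
    ("user", "Correct Horse7"),
    ("user", "cORRECT hORSE7"),
    ("user", "correct Horse7"),
    ("user", "Correct Horse7x"),
    ("attacker", "password"),
    ("attacker", "Correct Horse"),
    ("attacker", "correcthorse7"),
    ("attacker", "CorrectHorse7"),
]


def failure_counts(attempts, salt, digest):
    """Count rejected attempts per source under the strict and tolerant policies."""
    counts = {
        "exact": {who: 0 for who, _ in attempts},
        "tolerant": {who: 0 for who, _ in attempts},
    }
    for who, submitted in attempts:
        if not verify_exact(submitted, salt, digest):
            counts["exact"][who] += 1
        accepted, _ = verify_tolerant(submitted, salt, digest)
        if not accepted:
            counts["tolerant"][who] += 1
    return counts


if __name__ == "__main__":
    salt, digest = hash_password("Correct Horse7")  # constructed password
    for who, attempt in SAMPLE_ATTEMPTS:
        print(who, repr(attempt), verify_tolerant(attempt, salt, digest))
    print(failure_counts(SAMPLE_ATTEMPTS, salt, digest))
```

Each corrector is one extra guess an attacker gets per attempt, which is the cost unholiness points at: the corrector set has to stay small and the lockout threshold has to be set with that multiplier in mind. With the sample above the strict policy rejects three of the user's four attempts, while the tolerant policy rejects none of the user's and all four of the attacker's.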

~~~
acqq
You can use the "nearness" logic to decide which passwords to log then, when
just the logging is a problem.

