
Why Autocorrect for Passwords Is a Great Idea

Letting people into their online accounts even when they mistype their password could make life easier without compromising security.

Most of us have, at one time or another, had to reenter a password because we mistyped it. Perhaps you have even been locked out of an account after too many typos.

New research shows those frustrations could be avoided using the same approach used to fix typos in text messages and documents: autocorrect.

Researchers analyzed logins to the data-storage service Dropbox to show that letting people in even when they get a few characters wrong can reduce headaches without significantly harming security.

“This is, in our view, a pretty big deal,” says Ari Juels, a professor at the Jacobs Technion-Cornell Institute at Cornell Tech, in New York City. “Websites should be changing their password policies to make users’ lives easier. The security degradation is pretty small.”

On the face of it, letting passwords with typos unlock an account sounds like a bad idea. After all, an attacker trying to guess your password wouldn’t need to get it exactly right. Facebook has been criticized for allowing people to log in even when they get the case of their password’s first character wrong, or accidentally have caps lock on.

But Juels and collaborators from Cornell Tech, MIT, and Dropbox say that the idea isn’t dangerous if it's implemented in a way that takes into account how people choose passwords and the typos they make. Their paper was presented at the IEEE Symposium on Security and Privacy last week.

They gathered data on typos by analyzing 24 hours of logins to Dropbox, which has hundreds of millions of users. Almost 10 percent of login attempts that failed did so due to a handful of easily correctable typos, such as leaving caps lock on. Some 3 percent of users who didn’t get into their accounts could have done so if autocorrect had covered the three most common typos: leaving caps lock on, using the wrong case for the first character, or deleting the last character.

Comparing that data with patterns on passwords revealed by data breaches, such as the 32 million leaked from social gaming company RockYou, suggests that correcting those common errors doesn’t give an attacker trying to guess passwords much of an advantage. In most cases, the “free” guesses created by accepting typos aren’t worth much. Attackers use password lists to try common passwords first, and applying typo fixes to those passwords usually creates junk, not another common password.

Accepting common typos could give an attacker a leg up for some passwords, though. For example, if your password is “12345” and an attacker guesses “123456,” he could get in. To guard against such cases, Juels and his collaborators created two typo-tolerant password checkers that won’t accept typos for certain passwords where it could be risky, based on information from leaked password lists.

Those checkers were tested in scenarios simulating what would happen if an attacker were given 1,000 attempts to guess an account’s password (unlikely in practice since companies limit incorrect logins). The attacker never got an advantage of more than 0.2 percent. The researchers say this suggests the benefits to people trying to access their accounts should outweigh the possible downsides of accepting typos.
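The sketch below is an added example, not code from the paper or from Dropbox. It implements the three corrections the article names (undo caps lock, flip the case of the first character, drop a trailing character), checks each candidate against a salted PBKDF2 hash, and skips any correction that lands on a very common leaked password, which is a simplified reading of the blacklist idea the researchers describe. The `BLACKLIST` and the `COMMON` list are constructed stand-ins for real leaked-password data, and the function names are this example's own. It also includes a small `free_guess_overlap` routine that makes the "free guesses are mostly junk" argument concrete: for a list of common passwords, it reports which corrections of a guess would also cover another common password.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- The three correctors the article reports as the most common typos. ---

def swap_caps(s: str) -> str:
    """Undo caps lock being on: swap the case of every letter."""
    return s.swapcase()

def swap_first(s: str) -> str:
    """Undo a wrong-case first character."""
    return s[0].swapcase() + s[1:] if s else s

def drop_last(s: str) -> str:
    """Undo one extra trailing character (e.g. a stray key hit before Enter)."""
    return s[:-1]

CORRECTORS = (swap_caps, swap_first, drop_last)

def corrections(typed: str) -> List[str]:
    """Candidates to try: the string as typed first, then each distinct correction."""
    out = [typed]
    for fix in CORRECTORS:
        c = fix(typed)
        if c and c not in out:
            out.append(c)
    return out

# --- Storage and verification (salted PBKDF2-HMAC-SHA256; constant-time compare). ---

def register(password: str, iterations: int = 50_000) -> Dict[str, object]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iters": iterations, "hash": digest}

def _matches(record: Dict[str, object], candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iters"])
    return hmac.compare_digest(digest, record["hash"])

# Constructed stand-in for the top entries of a leaked-password list (assumption:
# a real deployment would derive this from breach data such as the RockYou set).
BLACKLIST = frozenset({"123456", "12345", "password", "qwerty", "Password1"})

def check(record: Dict[str, object], typed: str,
          blacklist=BLACKLIST) -> Optional[str]:
    """Return 'exact', 'corrected', or None (reject).

    A correction is never applied when it lands on a blacklisted password, so an
    attacker who guesses 123456 gets no free shot at an account whose password
    is 12345: the drop-last candidate is skipped, not checked."""
    if _matches(record, typed):
        return "exact"
    for cand in corrections(typed)[1:]:
        if cand in blacklist:
            continue
        if _matches(record, cand):
            return "corrected"
    return None

# --- Why typo tolerance buys an attacker little: overlap of corrected guesses. ---

def free_guess_overlap(common: List[str]) -> Dict[str, List[str]]:
    """For each common password, list the *other* common passwords its
    corrections would also cover. Most entries get nothing: applying the
    correctors to a common password usually yields junk, not another hit."""
    pool = set(common)
    hits: Dict[str, List[str]] = {}
    for w in common:
        extra = [c for c in corrections(w)[1:] if c in pool and c != w]
        if extra:
            hits[w] = extra
    return hits

# Constructed sample list; real analysis would use a breach corpus.
COMMON = ["123456", "12345", "password", "Password", "qwerty", "iloveyou", "monkey"]

if __name__ == "__main__":
    rec = register("Secret!7")
    for attempt in ("Secret!7", "sECRET!7", "secret!7", "Secret!7x", "Secret!8"):
        print(f"{attempt!r:12} -> {check(rec, attempt)}")
    weak = register("12345")
    print("guess 123456 against password 12345 ->", check(weak, "123456"))
    print("free-guess overlap:", free_guess_overlap(COMMON))
```

Only the checker, not the user, ever sees the corrected strings; the submitted string is hashed a few extra times, which is the whole cost of tolerance. Tuning which corrections to skip is where the security argument lives, and the blacklist here is deliberately tiny so the skip logic is visible in the test cases.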

“In some cases we’re seeing virtually no security degradation applying a handful of corrections,” says Juels. “We hope that this paper will change the industry practice.”

Illustration by Rose Wong