Most of us have, at one time or another, had to reenter a password because we mistyped it. Perhaps you have even been locked out of an account after too many typos.
New research shows those frustrations could be avoided using the same approach used to fix typos in text messages and documents: autocorrect.
Researchers analyzed logins to the data-storage service Dropbox to prove that letting people in even when they get a few characters wrong can reduce headaches without significantly harming security.
“This is, in our view, a pretty big deal,” says Ari Juels, a professor at the Jacobs Technion-Cornell Institute at Cornell Tech, in New York City. “Websites should be changing their password policies to make users’ lives easier. The security degradation is pretty small.”
On the face of it, letting passwords with typos unlock an account sounds like a bad idea. After all, an attacker trying to guess your password wouldn’t need to get it exactly right. Facebook has been criticized for allowing people to log in even when they get the case of their password’s first character wrong, or accidentally have caps lock on.
But Juels and collaborators from Cornell Tech, MIT, and Dropbox say that the idea isn’t dangerous if it's implemented in a way that takes into account how people choose passwords and the typos they make. Their paper was presented at the IEEE Symposium on Security and Privacy last week.
They gathered data on typos by analyzing 24 hours of logins to Dropbox, which has hundreds of millions of users. Almost 10 percent of login attempts that failed did so due to a handful of easily correctable typos, such as leaving caps lock on. Some 3 percent of users who didn’t get into their accounts could have done so if autocorrect had covered the three most common typos: leaving caps lock on, using the wrong case for the first character, or deleting the last character.
Comparing that data with patterns on passwords revealed by data breaches, such as the 32 million leaked from social gaming company RockYou, suggests that correcting those common errors doesn’t give an attacker trying to guess passwords much of an advantage. In most cases, the “free” guesses created by accepting typos aren’t worth much. Attackers use password lists to try common passwords first, and applying typo fixes to those passwords usually creates junk, not another common password.
Accepting common typos could give an attacker a leg up for some passwords, though. For example, if your password is “12345” and an attacker guesses “123456,” he could get in. To guard against such cases, Juels and his collaborators created two typo-tolerant password checkers that won’t accept typos for certain passwords where it could be risky, based on information from leaked password lists.
Those checkers were tested in scenarios simulating what would happen if an attacker were given 1,000 attempts to guess an account’s password (unlikely in practice since companies limit incorrect logins). The attacker never got an advantage of more than 0.2 percent. The researchers say this suggests the benefits to people trying to access their accounts should outweigh the possible downsides of accepting typos.
“In some cases we’re seeing virtually no security degradation applying a handful of corrections,” says Juels. “We hope that this paper will change the industry practice.”
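The sketch below is an added illustration of the idea described above, not the researchers' or Dropbox's code: a login check that tries the three corrections named in the article but refuses any correction that lands on a popular password. The blocklist contents, the PBKDF2 work factor, all function names and the "skip corrections that hit the blocklist" policy are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a popular-password list built from breach data.
COMMON_PASSWORDS = {"12345", "123456", "password", "Password", "qwerty"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# One corrector per typo class named in the article.
def fix_caps_lock(s: str) -> str:
    return s.swapcase()

def fix_first_case(s: str) -> str:
    return s[:1].swapcase() + s[1:]

def fix_extra_last_char(s: str) -> str:
    return s[:-1]  # "123456" -> "12345", the article's risky case

CORRECTORS = (fix_caps_lock, fix_first_case, fix_extra_last_char)

def candidates(submitted: str) -> list[str]:
    """The exact submission first, then corrections judged safe to accept."""
    out = [submitted]
    for fix in CORRECTORS:
        corrected = fix(submitted)
        # Assumed policy: never let a correction land on a popular password,
        # since that would hand a guessing attacker a valuable free guess.
        if corrected and corrected not in out and corrected not in COMMON_PASSWORDS:
            out.append(corrected)
    return out

def check_login(submitted: str, salt: bytes, stored: bytes) -> bool:
    ok = False
    for cand in candidates(submitted):  # at most four hashes per attempt
        ok |= hmac.compare_digest(hash_password(cand, salt), stored)
    return ok

def enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)
```

Because the stored value is a salted hash, the server cannot compare strings for closeness; it has to hash each corrected candidate, so every tolerated typo class adds one hash computation to a failed login.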