Password Typos and How to Correct Them Securely (2016) [pdf]

51 points | sillysaurus3 | 8 years ago | ieee-security.org

13 comments

glitcher | 8 years ago
> "In future work, we plan to investigate whether typo-tolerance will actually serve to improve overall security. Because allowing for password typos increases login success rates in benign scenarios, it may help to make adversarial login attempts stick out. This would strengthen the signals used to detect online password attacks as used in Internet-scale authentication systems."

My initial thought was that such a system would decrease security, but the idea of increasing legitimate user login success rates is very interesting. This could also decrease the volume of password reset requests.

Of course if the user were pasting their credentials in from a password manager this feature wouldn't make any difference, but until our industry can create solutions with much less authentication friction we are likely to see users continue to do what the majority of them are used to already doing.

freshhawk | 8 years ago
What would a solution even look like with less friction than what we have now? You can hit a key shortcut, pull up a list, select the password and it's done. I personally hit one keyboard shortcut, type a few characters into a fuzzy matching narrowing list, hit enter and the password is in my clipboard (password-store + dmenu) and there are equally minimal friction GUI versions of the same.

Total blue sky it, or describe it in principle. We are basically approaching the theoretical minimum in regards to friction. We have a lot of solutions that accept large decreases in security for small improvements in ease of use in an attempt to attract users.

Users don't want these tools. It's not friction, it's a complete disinterest from users. Maybe there is some theoretical approach with less friction that would win everyone over but this analysis of what the problem is stinks of tech solutionism to me.

swordswinger12 | 8 years ago
Another really interesting potential benefit of this work is enabling users to create longer, more complicated passwords. The idea is that if users are less encumbered by typos and small errors, they'll be able to use stronger passwords while devoting the same amount of "brain space" (so to speak) to correctly using them.

EDIT: The authors are probably too modest to tout this, so I'll do it for them: this work won "Best Student Paper" at IEEE Security and Privacy last year.

sillysaurus3 | 8 years ago
Quite happy to see that six out of the 30 front page slots are currently PDF submissions. Few other places on the internet are as scholarly. That's no small feat given HN's size. (Was pretty surprised to discover HN is now ranked 1336 globally, 565 in the US. http://www.alexa.com/siteinfo/ycombinator.com)

danohu | 8 years ago
Currently 1337, which seems appropriate

unholiness | 8 years ago
Real users have passwords that are simple mutations from passwords they used elsewhere. They'll change a 1 to a 2 to make it unique and safe, or change an o to a 0 to fulfill the next site's requirements.

I don't buy the idea that being typo tolerant only helps the real account owner if it's also opaquely increasing the amount of password reuse across sites. Not to mention that the code handling the typo comparison is a pretty large new surface area for attack, all in the name of optimizing the experience for typing passwords by hand (a practice we should actively reduce).


mikequinlan | 8 years ago
Dear God, please do NOT spell-correct my passwords. Ever.

xenadu02 | 8 years ago
The point is if you auto-correct passwords then you vastly decrease the legitimate bad password rate... meaning you can be more aggressive about locking or flagging accounts with multiple incorrect password attempts.

Whether this would be a net win or not I don't know.