The TypTop System : Personalized Typo-Tolerant Password Checking. / Chatterjee, Rahul; Woodage, Joanne; Pnueli, Yuval; Chowdhury, Anusha; Ristenpart, Thomas.

CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017. p. 329-346.

Research output: Chapter in Book/Report/Conference proceeding | Chapter

Published

Harvard

Chatterjee, R, Woodage, J, Pnueli, Y, Chowdhury, A & Ristenpart, T 2017, The TypTop System: Personalized Typo-Tolerant Password Checking. in CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. pp. 329-346. https://doi.org/10.1145/3133956.3134000

APA

Chatterjee, R., Woodage, J., Pnueli, Y., Chowdhury, A., & Ristenpart, T. (2017). The TypTop System: Personalized Typo-Tolerant Password Checking. In CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 329-346) https://doi.org/10.1145/3133956.3134000

Vancouver

Chatterjee R, Woodage J, Pnueli Y, Chowdhury A, Ristenpart T. The TypTop System: Personalized Typo-Tolerant Password Checking. In CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017. p. 329-346 https://doi.org/10.1145/3133956.3134000

Author

Chatterjee, Rahul ; Woodage, Joanne ; Pnueli, Yuval ; Chowdhury, Anusha ; Ristenpart, Thomas. / The TypTop System : Personalized Typo-Tolerant Password Checking. CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017. pp. 329-346

BibTeX

@inbook{7ea4e010a1074d02ad5465c49e947922,
title = "The TypTop System: Personalized Typo-Tolerant Password Checking",
abstract = "Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms. We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.",
author = "Rahul Chatterjee and Joanne Woodage and Yuval Pnueli and Anusha Chowdhury and Thomas Ristenpart",
year = "2017",
month = oct,
day = "30",
doi = "10.1145/3133956.3134000",
language = "English",
isbn = "978-1-4503-4946-8",
pages = "329--346",
booktitle = "CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security",

}

RIS

TY - CHAP

T1 - The TypTop System

T2 - Personalized Typo-Tolerant Password Checking

AU - Chatterjee, Rahul

AU - Woodage, Joanne

AU - Pnueli, Yuval

AU - Chowdhury, Anusha

AU - Ristenpart, Thomas

PY - 2017/10/30

Y1 - 2017/10/30

N2 - Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms. We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.

AB - Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms. We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.

U2 - 10.1145/3133956.3134000

DO - 10.1145/3133956.3134000

M3 - Chapter

SN - 978-1-4503-4946-8

SP - 329

EP - 346

BT - CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

ER -