> "In future work, we plan to investigate whether typo-tolerance will actually serve to improve overall security. Because allowing for password typos increases login success rates in benign scenarios, it may help to make adversarial login attempts stick out. This would strengthen the signals used to detect online password attacks as used in Internet-scale authentication systems."
My initial thought was that such a system would decrease security, but the idea of increasing legitimate user login success rates is very interesting. This could also decrease the volume of password reset requests.
Of course if the user were pasting their credentials in from a password manager this feature wouldn't make any difference, but until our industry can create solutions with much less authentication friction we are likely to see users continue to do what the majority of them are used to already doing.
What would a solution even look like with less friction than what we have now? You can hit a key shortcut, pull up a list, select the password and it's done. I personally hit one keyboard shortcut, type a few characters into a fuzzy matching narrowing list, hit enter and the password is in my clipboard (password-store + dmenu) and there are equally minimal friction GUI versions of the same.
Total blue sky it, or describe it in principle. We are basically approaching the theoretical minimum in regards to friction. We have a lot of solutions that accept large decreases in security for small improvements in ease of use in an attempt to attract users.
Users don't want these tools. It's not friction, it's a complete disinterest from users. Maybe there is some theoretical approach with less friction that would win everyone over but this analysis of what the problem is stinks of tech solutionism to me.
Well for one, using a generated password on a machine I don't own (i.e. a library computer) is a PITA, and that's if I have my phone. If it's elsewhere for whatever reason, then I'm simply fucked since I'm no longer the source of truth.
However, I'm not sure if hardware solutions like yubikey solve this (particularly for initial logon, or "interfaces", like a computer serving solely as a printer terminal)
But anyways, the easy case is when the manager is trivially available; the hard case to solve is when it's not. You can instead imagine a world where all computers by standard support some interface for hardware login in all states of operation, and by standard practice, people keep this hardware on them, and you'd have a significant improvement on the state of affairs. (i.e. NFC authentication by phone)
The friction isn't about the workflow when the system just works.
There are gains to be made in situations where I'm using another computer, or my phone, or the password manager isn't recognizing the site properly, or isn't finding the right input fields.
But mostly the friction is in front of all those users who don't use password managers. There are gains to be made in making the setup process simple, secure, and predictable. There are gains in making it cross-browser, cross-platform, and well-integrated with the setup process for browsers and operating systems.
Users "don't want" most things, until a lot of thought and effort gets put into creating a holistic solution that just works.
Another really interesting potential benefit of this work is enabling users to create longer, more complicated passwords. The idea is that if users are less encumbered by typos and small errors, they'll be able to use stronger passwords while devoting the same amount of "brain space" (so to speak) to correctly using them.
EDIT: The authors are probably too modest to tout this, so I'll do it for them: this work won "Best Student Paper" at IEEE Security and Privacy last year.
Password security is always important and I agree with one point: the longer you make the password, the better it is. But there are more points we should be aware of and I think this article explains it best: http://gotowebsecurity.com/now-thats-password-security/
Quite happy to see that six out of the 30 front page slots are currently PDF submissions. Few other places on the internet are as scholarly. That's no small feat given HN's size. (Was pretty surprised to discover HN is now ranked 1336 globally, 565 in the US. http://www.alexa.com/siteinfo/ycombinator.com)
Real users have passwords that are simple mutations from passwords they used elsewhere. They'll change a 1 to a 2 to make it unique and safe, or change an o to a 0 to fulfill the next site's requirements.
I don't buy the idea that being typo tolerant only helps the real account owner if it's also opaquely increasing the amount of password reuse across sites. Not to mention that the code handling the typo comparison is a pretty large new surface area for attack, all in the name of optimizing the experience for typing passwords by hand (a practice we should actively reduce).
The point is if you auto-correct passwords then you vastly decrease the legitimate bad password rate... meaning you can be more aggressive about locking or flagging accounts with multiple incorrect password attempts.
Whether this would be a net win or not I don't know.
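To make the trade-off in this sub-thread concrete, here is an added example (not code from the paper or from any commenter) of a typo-tolerant check built from the three cheap correctors the paper evaluates: caps lock on, shifted first letter, and an extra trailing character. The stored hash is still of the exact password, so offline guessing cost is unchanged; what changes is that each online attempt now tests up to four strings, which is the "free guesses" cost the corrector set has to stay small to bound. PBKDF2-SHA256 as the hash and the iteration counts are my assumptions, not the paper's.

```python
import hashlib
import hmac
import os

# The paper's three simple correctors (its "Top3" set). Each turns a
# likely mistyped submission back into the password the user meant.
CORRECTORS = {
    "swc-all": lambda pw: pw.swapcase(),               # caps lock was on
    "swc-first": lambda pw: pw[:1].swapcase() + pw[1:],  # shift on first letter
    "rm-last": lambda pw: pw[:-1],                      # one extra trailing char
}


def hash_password(password, salt=None, iters=100_000):
    """Store a salted PBKDF2 hash of the exact password only (assumed KDF)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return salt, digest


def check_exact(password, salt, digest, iters=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, digest)


def check_typo_tolerant(submitted, salt, digest, iters=100_000):
    """Return 'exact', the name of the corrector that matched, or None.

    Every corrector is evaluated even after a match, so the number of KDF
    calls (and therefore the response time) does not leak which one hit.
    The returned name is a signal for the risk engine: a login that needed a
    correction is still legitimate, so only plain failures should count
    toward the lockout / online-attack threshold the comment above describes.
    """
    if check_exact(submitted, salt, digest, iters):
        return "exact"
    matched = None
    for name, fix in CORRECTORS.items():
        fixed = fix(submitted)
        # Skip no-op corrections (e.g. swapcase on an all-digit string).
        if fixed != submitted and check_exact(fixed, salt, digest, iters):
            matched = matched or name
    return matched
```

An authentication server would log the corrector name alongside the success, so that the typo rate among real users can be measured and the failure threshold tuned against it.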