1. TypTop System: Personalized TypoTolerant Password Checking 2017 CCS Implementation Passwords
    Rahul Chatterjee, Joanne Woodage, Yuval Pnueli, Anusha Chowdhury, and Thomas Ristenpart
    [View PDF on acmccs.github.io]
    [Show BibTex Citation]

    author = {Chatterjee, Rahul and Woodage, Joanne and Pnueli, Yuval and Chowdhury, Anusha and Ristenpart, Thomas},
    title = {The TypTop System: Personalized Typo-Tolerant Password Checking},
    year = {2017},
    isbn = {9781450349468},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3133956.3134000},
    doi = {10.1145/3133956.3134000},
    booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {329–346},
    numpages = {18},
    keywords = {password authentication, error-tolerant password checking, password, user study, mturk, typo-tolerant password checking, password based encryption, authentication},
    location = {Dallas, Texas, USA},
    series = {CCS ’17}

Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms.

We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.