Date Posted: 8/01/2016

Rahul Chatterjee, Ari Juels, and Tom Ristenpart, together with MIT and Dropbox colleagues Anish Athalye and Devdatta Akhawe, won a Distinguished Student Paper Award at the 2016 IEEE Symposium on Security and Privacy ("Oakland") for "pASSWORD tYPOS and How to Correct Them Securely".

Technology Review reported on it in an article entitled "Why Autocorrect for Passwords Is a Great Idea: Letting people into their online accounts even when they mistype their password could make life easier without compromising security." Juels is quoted: "This is, in our view, a pretty big deal ... Websites should be changing their password policies to make users’ lives easier. The security degradation is pretty small" if, the article states, the "autocorrect" is "implemented in a way that takes into account how people choose passwords and the typos they make". To guard against certain vulnerabilities, the researchers "created two typo-tolerant password checkers that won’t accept typos for certain passwords where it could be risky, based on information from leaked password lists."

The research was facilitated by gathering data on typos "by analyzing 24 hours of logins to Dropbox, which has hundreds of millions of users. Almost 10 percent of login attempts that failed did so due to a handful of easily correctable typos, such as leaving caps lock on. Some 3 percent of users who didn’t get into their accounts could have done so if autocorrect had covered the three most common typos: leaving caps lock on, using the wrong case for the first character, or deleting the last character."
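A sketch of a typo-tolerant login check covering the three typos named above, added here as an illustration and not the researchers' own checkers. The function names, the PBKDF2 parameters, the tiny popular-password list, and the rule of skipping any correction that lands on that list are assumptions made for the example; the third correction is implemented as dropping the final character of the submission.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a popular-password list derived from leaked data.
COMMON_PASSWORDS = {"password", "Password", "password1", "123456", "qwerty"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def candidates(submitted: str) -> list[str]:
    """Return the submitted string followed by its permitted corrections."""
    corrections = [
        submitted.swapcase(),                      # caps lock left on
        submitted[:1].swapcase() + submitted[1:],  # wrong case on first character
        submitted[:-1],                            # drop the final character
    ]
    allowed = [submitted]  # the exact submission is always checked
    for corrected in corrections:
        # Skip no-op or empty corrections, and never "correct" into a popular
        # password: that would let one guess cover several likely passwords.
        if corrected and corrected not in allowed and corrected not in COMMON_PASSWORDS:
            allowed.append(corrected)
    return allowed


def check_password(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """Accept the exact password or one of the permitted corrections."""
    accepted = False
    for candidate in candidates(submitted):
        # Constant-time comparison; every candidate is hashed regardless of match.
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            accepted = True
    return accepted


def enroll(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, hash) record stored for an account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)
```

Each login costs up to four hash computations instead of one, so existing rate limiting and lockout counters should keep counting one attempt per submission.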