pASSWORD tYPOS FAQ
Why correct typos in passwords?
Correcting typos improves website useability. We all make typos, and password selection guidelines—even sound ones—don’t help the situation. Our experiments at Dropbox showed that over a 24-hour period, 3% of users failed to log in when they made typos that a simple typo correction scheme (with three correctors) would have corrected.
But isn't typo correction weakening security and
giving an attacker “free guesses” at a user's password?
Intuitively, it may seem that typo-tolerance weakens security: A typo-tolerant system will accept multiple character strings as passwords for a given user, so it seems to be giving an attacker “free guesses." But the vast majority of those “free guesses” are character strings that don’t correspond to passwords people actually use. This is why, despite the intuition, typo correction actually has a small impact on security.
Just how small is the security impact of typo
In most realistic settings, the impact on online security is quite small. The answer, however, depends on the parameters of the password system, such as the number of guesses an attacker can make before being locked out, and the way that user’s select and attackers guess passwords. As an example, though, in a system that allows ten guesses before lockout, with the level of correction used in the DropBox study (three “correctors”), and analysis using a public database of passwords (Myspace), we estimate that applying typo correction raises an attacker’s probability of successful online attack against a given user from 0.79% to 0.81%.
What about security against attackers that make guesses across a large
number of distinct accounts?
Many attackers do mount "horizontal" attacks that try what the attacker thinks is the most popular password across many accounts, then the next most popular against those same accounts, etc. The success of such an attack is typically measured in the fraction of targeted accounts they will compromise. Our statistic above actually covers this case already: deploying typo-tolerance would increase this fraction of accounts compromised from 0.79% to 0.81%. Compared to the number of accounts compromised without typo tolerance, the increase due to allowing typos is quite small. Moreover, these are pessimistic numbers, and show the maximum possible success probability for any attacker. We expect real attackers, who does not know the exact distribution of passwords, would gain much smaller benefit due to typo-tolerance.
What about offline security?
Our approach has no impact on offline security, i.e., brute-force password cracking. Our scheme does not in any way change the format of stored passwords (which are salted and hashed in well-engineered systems, and in very well-engineered systems also hardened using a pseudorandom function service).
OK. So why aren’t websites already doing this today?
A few are, in a limited way. Facebook, for example, corrects capitalization errors. But our work suggests that many more websites should autocorrect password typos to improve their service.
How hard is it to implement your typo correction
strategy in existing systems?
Our scheme involves no change to a password database. It builds on top of the basic password checking used in existing systems, which check that a submitted password exactly matches the one stored for a user. The idea behind our scheme is to try various “tweaks” to a submitted password to see if any results in an exact match. These “tweaks” correct typos.
How can “autocorrect”
work if my password doesn't include dictionary words?
“Autocorrect” conveys the spirit but not the technical details of our approach, in which "correctors" do not involve a dictionary.