
R. Chatterjee, J. Woodage, Y. Pnueli, A. Chowdhury, T. Ristenpart
Password checking systems and typos
Typo-tolerance improves utility
… corrects only the tip of the iceberg
We propose: Personalized typo-tolerance


Adaptive typo-tolerance


If only we could store passwords in plaintext…
Simulate password typing behavior at



45% of users repeat their typos
Design of TypTop : Registration
Building blocks: a password-based encryption scheme $(E, D)$ and a public-key encryption scheme $(\mathcal{E}, \mathcal{D})$ with key pair $(pk, sk)$.
Register($w$): generate $(pk, sk)$; store $pk$ together with $C \leftarrow E(w, sk)$.
$E(w, sk)$: $k \leftarrow \mathrm{PBKDF2}(w)$; $C \leftarrow \mathrm{AEAD}(k, sk)$; output $C$.
Design of TypTop : Login
Stored state: $pk$, $C = E(w, sk)$, and a list of ciphertexts $\mathcal{E}(pk, \cdot)$ holding strings entered at recent failed logins.
Login: compute $D(\text{entered}, C)$. If $D(\text{entered}, C) \neq \bot$ the login succeeds and $sk$ is recovered; the checker then opens the stored $\mathcal{E}(pk, \cdot)$ ciphertexts with $\mathcal{D}(sk, \cdot)$.
Design of TypTop : Login with a typo
A typo $\tilde{w}$ fails every $D(\tilde{w}, \cdot)$ check, so $sk$ is not available; the checker can only store $\mathcal{E}(pk, \tilde{w})$, which needs $pk$ alone.
At the next successful login $sk$ is recovered, $\tilde{w}$ is decrypted with $\mathcal{D}(sk, \cdot)$, and if the caching policy admits it a new cache entry $E(\tilde{w}, sk)$ is written. The stored state is then $pk$, $E(w, sk)$, $E(\tilde{w}, sk)$.
Design of TypTop : Some more details
[Figure: stored state after several logins: $pk$, $E(w, sk)$, one $E(\tilde{w}_i, sk)$ per cached typo, and $\mathcal{E}(pk, \cdot)$ entries for typos waiting for the next correct login]
The caching policy uses zxcvbn (a password-strength estimator) when deciding whether a typo may be cached.
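The registration, login and typo-login flow above, as an added example that is not TypTop's own code: a stand-alone Python model of the scheme using only the standard library. Everything here is hypothetical and chosen for the demo: the PBE is PBKDF2 plus an HMAC-based encrypt-then-MAC AEAD, $(\mathcal{E}, \mathcal{D})$ is hashed ElGamal over the RFC 3526 group-14 prime, and the caching policy is approximated by "one edit away from the password" (no zxcvbn check). Two details the slides do not show are assumed so the checker can work after recovering $sk$: it keeps $\mathcal{E}(pk, w)$ to learn $w$ when the login came through a cached typo, and $\mathcal{E}(pk, \tilde{w}_i)$ beside each cache entry to deduplicate typos.

```python
import hashlib, hmac, os, secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator, used for the DH-based PKE.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PBKDF2_ITERS = 50_000  # kept low for the demo; raise it in a real deployment

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode as a toy keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def aead_seal(key, msg):  # encrypt-then-MAC under separate subkeys: nonce||ct||tag
    ke, km = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(ke, nonce, len(msg))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def aead_open(key, blob):  # plaintext, or None (the slides' ⊥) when the tag fails
    ke, km = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ke, nonce, len(ct))))

def pbe_enc(pw, salt, msg):  # E(w, ·): k ← PBKDF2(w); C ← AEAD(k, ·)
    return aead_seal(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS), msg)
def pbe_dec(pw, salt, blob):  # D(w, C); ⊥ is returned as None
    return aead_open(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS), blob)

def pke_keygen():  # (pk, sk) for (ℰ, 𝒟): hashed ElGamal over the group above
    sk = secrets.randbits(256) + 1
    return pow(G, sk, P), sk
def pke_enc(pk, msg):  # ℰ(pk, ·): needs only pk, so it can run at typo time
    r = secrets.randbits(256) + 1
    R, shared = pow(G, r, P), pow(pk, r, P)
    key = hashlib.sha256(R.to_bytes(256, "big") + shared.to_bytes(256, "big")).digest()
    return R.to_bytes(256, "big") + aead_seal(key, msg)
def pke_dec(sk, blob):  # 𝒟(sk, ·): only possible once sk has been recovered
    R = int.from_bytes(blob[:256], "big")
    key = hashlib.sha256(blob[:256] + pow(R, sk, P).to_bytes(256, "big")).digest()
    return aead_open(key, blob[256:])

def osa_distance(a, b):  # optimal-string-alignment (Damerau-Levenshtein) distance
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

class TypTop:
    """On-disk state: pk, salt, typo cache [(E(w̃_i, sk), ℰ(pk, w̃_i))] with entry 0 the
    real password, ℰ(pk, w), and a bounded wait list of ℰ(pk, ·) for typos seen since."""

    def __init__(self, password, cache_size=5, wait_size=10):
        self.pk, sk = pke_keygen()
        self.salt = os.urandom(16)
        self.cache = [self._entry(password, sk)]
        self.enc_pw = pke_enc(self.pk, password.encode())
        self.wait, self.cache_size, self.wait_size = [], cache_size, wait_size

    def _entry(self, s, sk):
        return pbe_enc(s, self.salt, sk.to_bytes(64, "big")), pke_enc(self.pk, s.encode())

    @staticmethod
    def admit(w, cand):  # caching-policy stand-in: one edit from w (no zxcvbn check)
        return cand != w and osa_distance(w, cand) <= 1

    def login(self, entered):
        for pbe_blob, _ in self.cache:  # try D(entered, C_i) against every cache entry
            sk_bytes = pbe_dec(entered, self.salt, pbe_blob)
            if sk_bytes is not None:  # ≠ ⊥: the real password or a cached typo
                self._process_wait_list(int.from_bytes(sk_bytes, "big"))
                return True
        if len(self.wait) < self.wait_size:  # no sk here: only pk is usable
            self.wait.append(pke_enc(self.pk, entered.encode()))
        return False

    def _process_wait_list(self, sk):
        w = pke_dec(sk, self.enc_pw).decode()
        cached = {pke_dec(sk, pke_blob).decode() for _, pke_blob in self.cache}
        for blob in self.wait:
            cand = pke_dec(sk, blob).decode()
            if cand not in cached and self.admit(w, cand):
                if len(self.cache) >= self.cache_size:
                    self.cache.pop(1)  # evict the oldest typo; entry 0 is never evicted
                self.cache.append(self._entry(cand, sk))
                cached.add(cand)
        self.wait = []
```

Typing `passe92` for the registered password `passw92` fails the first time and lands in the wait list; the next correct login recovers $sk$, opens the wait list, and caches $E(\texttt{passe92}, sk)$, after which `passe92` is accepted. A string more than one edit away is never promoted. A production checker would use a vetted AEAD and PKE library, keep the lists at a fixed size padded with random entries so that the file does not reveal how many typos are cached, and apply the actual caching policy.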
Security of TypTop
Smash and grab attacker (offline attacker)
The attacker obtains the stored state: $pk$, the cache entries $E(w, sk)$ and $E(\tilde{w}_i, sk)$, and the $\mathcal{E}(pk, \cdot)$ ciphertexts.
Cryptographic reduction
Real state $\big(pk,\ E(w, sk),\ E(\tilde{w}_i, sk),\ \mathcal{E}(pk, \cdot)\big) \;\cong\;$ the same state with every ciphertext replaced by a random string.
Assuming the underlying password-based and public-key encryption schemes are secure, TypTop's encrypted data is indistinguishable from random values unless the attacker can guess a password or a typo of it active in the cache.
Guessing game against TypTop’s cache
Guessing game w/ artificial cache distribution
Cache inclusion probability and t-sparsity
$\tilde{\tau}_w(\tilde{w})$: the probability that the typo $\tilde{w}$ is in the typo cache of password $w$.
t-sparse: $\forall \tilde{w}: \sum_{w} \tilde{\tau}_w(\tilde{w}) \le t$
Example ($t = 2$): $\tilde{\tau}_{\texttt{passw92}}(\texttt{passe92}) + \tilde{\tau}_{\texttt{pass192}}(\texttt{passe92}) \le 2$
$\Pr[\texttt{passw92}] \times \tilde{\tau}_{\texttt{passw92}}(\texttt{passe92}) + \Pr[\texttt{pass192}] \times \tilde{\tau}_{\texttt{pass192}}(\texttt{passe92}) \le \Pr[\texttt{passw92}] + \Pr[\texttt{pass192}]$
Guessing against typos gives no advantage
If the typo distribution is t-sparse under TypTop's caching policy, then the best attack is a simple brute-force attack against the registered password.
Attacking TypTop is no easier than attacking traditional password checkers.
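The cache-inclusion and t-sparsity definitions above, carried through in code as an added example (not from the paper). The password distribution $\Pr[w]$ and the table of $\tilde{\tau}_w(\tilde{w})$ values are constructed for the demo and include the slides' `passw92` / `pass192` / `passe92` case; the single-guess success metric is my own framing of the guessing game, not a quantity defined on the slides.

```python
from collections import defaultdict

# Constructed toy inputs: Pr[w] over three passwords, and τ̃_w(w̃) as a nested
# dict, password -> {typo: probability that the typo ends up in w's cache}.
PR = {"passw92": 0.4, "pass192": 0.3, "password": 0.3}
TAU = {
    "passw92": {"passe92": 0.5, "passw9": 0.2},
    "pass192": {"passe92": 0.25},
    "password": {"passwrod": 0.3},
}

def column_sums(tau):
    """Σ_w τ̃_w(w̃) for every typo w̃: how many passwords' caches a typo can reach."""
    col = defaultdict(float)
    for typos in tau.values():
        for wt, p in typos.items():
            col[wt] += p
    return dict(col)

def sparsity(tau):
    """Smallest t for which tau is t-sparse (max over typos of Σ_w τ̃_w(w̃))."""
    return max(column_sums(tau).values(), default=0.0)

def is_t_sparse(tau, t):
    return sparsity(tau) <= t

def inclusion_prob(pr, tau, wt):
    """Pr[w̃ ∈ TypoCache of w] with w drawn from pr: Σ_w Pr[w] · τ̃_w(w̃)."""
    return sum(pr[w] * tau.get(w, {}).get(wt, 0.0) for w in pr)

def inclusion_bound(pr, tau, wt):
    """The slides' upper bound: the total mass of passwords that can cache w̃."""
    return sum(pr[w] for w in pr if tau.get(w, {}).get(wt, 0.0) > 0)

def guess_success(pr, tau, g):
    """Success of the single guess g: Pr[g = w] + Pr[g ≠ w and g ∈ TypoCache of w]."""
    return pr.get(g, 0.0) + sum(pr[w] * tau.get(w, {}).get(g, 0.0) for w in pr if w != g)

def best_guess(pr, tau):
    """Most successful single guess among passwords and every typo that can be cached."""
    cands = set(pr) | {wt for typos in tau.values() for wt in typos}
    return max(sorted(cands), key=lambda g: guess_success(pr, tau, g))
```

On these inputs `passe92` can reach two caches, $\sum_w \tilde{\tau}_w(\texttt{passe92}) = 0.75$, and its inclusion probability $0.4 \cdot 0.5 + 0.3 \cdot 0.25 = 0.275$ stays below the bound $\Pr[\texttt{passw92}] + \Pr[\texttt{pass192}] = 0.7$; guessing the typo is worse than guessing `passw92` outright, which is the point of the t-sparsity argument.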
TypTop: a smart password checker for Unix






TypTop pilot deployment study




A smart password checker that lets you make mistakes


TypTop in one slide
Adaptive typo-tolerance | Secure version
Stored state: $pk$, $C = E(w, sk)$, and $\mathcal{E}(pk, \cdot)$ ciphertexts for typos entered since the last correct login.
Login: $D(\text{entered}, C) \neq \bot$ recovers $sk$; $\mathcal{D}(sk, \cdot)$ then opens the waiting typos, and each admitted $\tilde{w}$ gets its own entry $E(\tilde{w}, sk)$, so that $D(\tilde{w}, E(\tilde{w}, sk)) \neq \bot$ at later logins.
Cache inclusion function and edge weight
$\tilde{\tau}_w(\tilde{w})$: the weight of the edge from password $w$ to typo $\tilde{w}$, i.e. the probability that $\tilde{w}$ is in the typo cache of $w$.

Design of TypTop | Login with a typo
A typo $\tilde{w}$ gives $D(\tilde{w}, \cdot) = \bot$ for every cache entry, so only $\mathcal{E}(pk, \tilde{w})$ can be stored; once a later login yields $D(\cdot, \cdot) \neq \bot$, the entry is decrypted with $sk$ and, if admitted, $E(\tilde{w}, sk)$ is added to the cache.
TypTop is as secure as others
• $\Pr[\tilde{w} \in \text{TypoCache of } w]$
• $\forall \tilde{w}: \sum_{w \in \text{RockYou.100K}} \Pr[\tilde{w} \in \text{TypoCache of } w] \le 0.67$
• RockYou.100K: the $10^5$ most frequent RockYou passwords
Offline guessing game for artificial distribution
Cache inclusion function
TypoCacheOf($w$): the set of typos cached for password $w$; e.g. TypoCacheOf($w$) $= \{\tilde{w}_1, \tilde{w}_2\}$ with $t = 2$.
$\tilde{\tau}_w(\tilde{w}) = \Pr[\tilde{w} \in \text{TypoCacheOf}(w)]$
t-sparsity
t-sparse: $\forall \tilde{w}: \sum_{w} \tilde{\tau}_w(\tilde{w}) \le t$ (the figure shows $t = 2$).