Researchers at Cornell and MIT, along with one Dropbox engineer, have published a paper (hat tip to ThreatPost) which argues in favor of simple autocorrecting measures to reduce the number of failed logins caused by typos. They argue that these measures would have no significant impact on security.
The researchers were inspired to investigate this idea after Facebook instituted a system to autocorrect capitalization mistakes when entering passwords. The move was criticized as being bad for security, but the researchers say that initial impression was mistaken. “The consensus at the time was that this was bad for security, and that was certainly our sense, that it would cause problems,” Thomas Ristenpart, one of the researchers on the project, stated, “But if you’re careful about the types of typos you’re correcting, you won’t degrade security.”
The team gathered data using the Dropbox login infrastructure. No passwords were recorded; only the frequency of certain types of mistake was recorded. The data showed that a large proportion of typos were the result of a few simple mistakes. The researchers argue that correcting these mistakes can speed up logging in and create a better experience for the user.
The paper focuses on three common mistakes that can lead to a mistyped password: accidentally engaging caps lock, capitalizing just the first letter of a password, and adding or omitting characters at the beginning or end of a password. The paper proposes a “relaxed checker” which starts by checking the password in the normal way, but also checks a small number of modifications of the entered password in order to correct for these common mistakes.
The paper also considers the topic of security. The team proposes the “Free Corrections Theorem”, which they say demonstrates the theoretical existence of a perfect autocorrecting password checker with the same level of security as one with no autocorrection. They also empirically evaluate some typo-correcting systems which already exist; these may be less successful than the theoretically perfect one, but they still give almost no benefit to hackers attempting to guess a password.
The researchers admit in the paper that a poorly conceived password checker which accepts too many possibilities as the correct password would indeed compromise security. But they conclude that carefully choosing which errors to correct will create a system that remains secure while increasing the speed of entering passwords. Ristenpart also stated an interest in developing this research further, to create systems that can correct for transposition errors. This would make it easier for users entering very long passwords.
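As an added illustration (not code from the paper, Dropbox or this article) of the relaxed checker described above, and of why the set of strings it accepts must stay small for the security argument to hold: the correctors, the PBKDF2 parameters and the sample password are assumptions of this example.

```python
import hashlib
import hmac

# Correctors for the three typo classes the article names (assumed
# implementations, not the paper's exact corrector list).
def swap_case_all(pw: str) -> str:      # caps lock was on
    return pw.swapcase()

def swap_case_first(pw: str) -> str:    # first letter was auto-capitalised
    return pw[:1].swapcase() + pw[1:]

def drop_last(pw: str) -> str:          # an extra trailing character was typed
    return pw[:-1]

def drop_first(pw: str) -> str:         # an extra leading character was typed
    return pw[1:]

CORRECTORS = (swap_case_all, swap_case_first, drop_last, drop_first)

def hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash a real deployment uses.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

def candidates(pw: str) -> list:
    # The submitted string plus each corrected variant, de-duplicated, so
    # the checker accepts a small, bounded set of strings per attempt.
    seen = []
    for s in [pw] + [c(pw) for c in CORRECTORS]:
        if s and s not in seen:
            seen.append(s)
    return seen

def relaxed_check(submitted: str, salt: bytes, stored: bytes) -> bool:
    # Exact check first, then the bounded list of corrections; only the
    # stored hash is ever compared, and in constant time.
    return any(hmac.compare_digest(hash_password(c, salt), stored)
               for c in candidates(submitted))

def ball_size(submitted: str) -> int:
    # How many distinct strings one login attempt would accept. Keeping
    # this a small constant is what limits an attacker's extra guesses.
    return len(candidates(submitted))
```

An omitted character cannot be corrected this way, since the checker would have to guess the missing character, which is exactly the kind of expansion the researchers warn against.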
Do you think autocorrecting passwords is a good idea? Leave your comments below.