VaultIME

Regaining user control for password managers through auto-correction

Le Guan, Sadegh Farhang, Yu Pu, Pinyao Guo, Jens Grossklags, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

Original language: English (US)
Title of host publication: Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
Editors: Ali Ghorbani, Xiaodong Lin, Kui Ren, Sencun Zhu, Aiqing Zhang
Publisher: Springer Verlag
Pages: 673-686
Number of pages: 14
ISBN (Print): 9783319788128
DOIs: https://doi.org/10.1007/978-3-319-78813-5_35
State: Published - Jan 1 2018
Event: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 - [state] ON, Canada
Duration: Oct 22 2017 to Oct 25 2017

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 238
ISSN (Print): 1867-8211

Other

Other: 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Country: Canada
City: [state] ON
Period: 10/22/17 to 10/25/17

Fingerprint

Managers
Application programs
Websites
Mobile phones

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Guan, L., Farhang, S., Pu, Y., Guo, P., Grossklags, J., & Liu, P. (2018). VaultIME: Regaining user control for password managers through auto-correction. In A. Ghorbani, X. Lin, K. Ren, S. Zhu, & A. Zhang (Eds.), Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings (pp. 673-686). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238). Springer Verlag. https://doi.org/10.1007/978-3-319-78813-5_35
@inproceedings{4705d8f469d1401bac177b20bcd4fcb9,
title = "VaultIME: Regaining user control for password managers through auto-correction",
abstract = "Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8{\%} of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43{\%}.",
author = "Le Guan and Sadegh Farhang and Yu Pu and Pinyao Guo and Jens Grossklags and Peng Liu",
year = "2018",
month = "1",
day = "1",
doi = "10.1007/978-3-319-78813-5_35",
language = "English (US)",
isbn = "9783319788128",
series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",
publisher = "Springer Verlag",
pages = "673--686",
editor = "Ali Ghorbani and Xiaodong Lin and Kui Ren and Sencun Zhu and Aiqing Zhang",
booktitle = "Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings",
address = "Germany",

}


