VaultIME: Regaining user control for password managers through auto-correction

Le Guan; Sadegh Farhang; Yu Pu; Pinyao Guo; Jens Grossklags; Peng Liu

doi:10.1007/978-3-319-78813-5_35

VaultIME: Regaining user control for password managers through auto-correction

Le Guan, Sadegh Farhang, Yu Pu, Pinyao Guo, Jens Grossklags, Peng Liu

Informatics 24 - Associate Professorship of Cyber Trust

The Pennsylvania State University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings
Editors	Ali Ghorbani, Xiaodong Lin, Kui Ren, Sencun Zhu, Aiqing Zhang
Publisher	Springer Verlag
Pages	673-686
Number of pages	14
ISBN (Print)	9783319788128
DOIs	https://doi.org/10.1007/978-3-319-78813-5_35
State	Published - 2018
Event	13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 - [state] ON, Canada Duration: 22 Oct 2017 → 25 Oct 2017

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	238
ISSN (Print)	1867-8211

Conference

Conference	13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017
Country/Territory	Canada
City	[state] ON
Period	22/10/17 → 25/10/17

Keywords

Auto-correction
IME
Password manager
Usable security

Access to Document

10.1007/978-3-319-78813-5_35

Cite this

Guan, L., Farhang, S., Pu, Y., Guo, P., Grossklags, J., & Liu, P. (2018). VaultIME: Regaining user control for password managers through auto-correction. In A. Ghorbani, X. Lin, K. Ren, S. Zhu, & A. Zhang (Eds.), Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings (pp. 673-686). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238). Springer Verlag. https://doi.org/10.1007/978-3-319-78813-5_35

Guan, Le ; Farhang, Sadegh ; Pu, Yu et al. / VaultIME : Regaining user control for password managers through auto-correction. Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. editor / Ali Ghorbani ; Xiaodong Lin ; Kui Ren ; Sencun Zhu ; Aiqing Zhang. Springer Verlag, 2018. pp. 673-686 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{e360017ca3ce439db56a8565418615b6,

title = "VaultIME: Regaining user control for password managers through auto-correction",

abstract = "Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.",

keywords = "Auto-correction, IME, Password manager, Usable security",

author = "Le Guan and Sadegh Farhang and Yu Pu and Pinyao Guo and Jens Grossklags and Peng Liu",

note = "Publisher Copyright: {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.; 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017 ; Conference date: 22-10-2017 Through 25-10-2017",

year = "2018",

doi = "10.1007/978-3-319-78813-5_35",

language = "English",

isbn = "9783319788128",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Verlag",

pages = "673--686",

editor = "Ali Ghorbani and Xiaodong Lin and Kui Ren and Sencun Zhu and Aiqing Zhang",

booktitle = "Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings",

}

Guan, L, Farhang, S, Pu, Y, Guo, P, Grossklags, J & Liu, P 2018, VaultIME: Regaining user control for password managers through auto-correction. in A Ghorbani, X Lin, K Ren, S Zhu & A Zhang (eds), Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 238, Springer Verlag, pp. 673-686, 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017, [state] ON, Canada, 22/10/17. https://doi.org/10.1007/978-3-319-78813-5_35

VaultIME: Regaining user control for password managers through auto-correction. / Guan, Le; Farhang, Sadegh; Pu, Yu et al.
Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. ed. / Ali Ghorbani; Xiaodong Lin; Kui Ren; Sencun Zhu; Aiqing Zhang. Springer Verlag, 2018. p. 673-686 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 238).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - VaultIME

T2 - 13th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2017

AU - Guan, Le

AU - Farhang, Sadegh

AU - Pu, Yu

AU - Guo, Pinyao

AU - Grossklags, Jens

AU - Liu, Peng

N1 - Publisher Copyright: © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

PY - 2018

Y1 - 2018

N2 - Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

AB - Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

KW - Auto-correction

KW - IME

KW - Password manager

KW - Usable security

UR - http://www.scopus.com/inward/record.url?scp=85045980060&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-78813-5_35

DO - 10.1007/978-3-319-78813-5_35

M3 - Conference contribution

AN - SCOPUS:85045980060

SN - 9783319788128

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 673

EP - 686

BT - Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings

A2 - Ghorbani, Ali

A2 - Lin, Xiaodong

A2 - Ren, Kui

A2 - Zhu, Sencun

A2 - Zhang, Aiqing

PB - Springer Verlag

Y2 - 22 October 2017 through 25 October 2017

ER -

Guan L, Farhang S, Pu Y, Guo P, Grossklags J, Liu P. VaultIME: Regaining user control for password managers through auto-correction. In Ghorbani A, Lin X, Ren K, Zhu S, Zhang A, editors, Security and Privacy in Communication Networks - 13th International Conference, SecureComm 2017, Proceedings. Springer Verlag. 2018. p. 673-686. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-319-78813-5_35

VaultIME: Regaining user control for password managers through auto-correction

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this