Title: Improving Usability Through Password-Corrective Hashing Andrew Mehler www.cs.sunysb.edu/~mehler Steven Skiena www.cs.sunysb.edu/~skiena Stony Brook University 13 October 2006
1Improving Usability Through Password-Corrective
HashingAndrew Mehlerwww.cs.sunysb.edu/mehlerS
teven Skienawww.cs.sunysb.edu/skienaStony
Brook University13 October 2006
2Password Authentication
User Entry
Password Registry
mehler1979
mehler1979
3Password Authentication
Users Not Perfect!
User Entry
Password Registry
mehler1997
mehler1979
- Enter wrong password
- Cant remember
- Data Entry error (every 30 keystrokes)
4- Should passwords with entry errors be accepted?
- Increase Usability.
- Accept close enough strings, little loss of
security. - User will choose stronger passwords.
- User wont write down password.
Idea We accept Passwords that differ by a single
error (substitution or transposition). Transposit
ion student -gt studnet Substitution student -gt
studint PROBLEM How to implement this?
5Solution 1 Repeated Login
For an entered password, simulate login with all
possible passwords differing by a single
transposition or substitution.
aba baa aab abb
User Entry
aba
PROBLEMS
Requires n-1 attempts for transpositions Requires
nm attempts for substitutions
6Solution 2 Check Equivalence
For an entered password, compare it to the
password on file not just for equality, but if it
differs by a transposition/substitution.
sub?
Password Registry
trans?
User Entry
PROBLEMS
- Password Registry not plain text!
- Cant do transpositions/substitutions on
- encrypted passwords.
- Equality is really encrypted equality.
7Solution 3 Store All Variants
For each user, store in the encrypted file, their
password, and all acceptable variations.
aba
aba
baa
aab
Password Registry
User Entry
PROBLEMS
- Registry file will be large.
- Malicious decryption easier.
8Our Solution Corrective Hashing
Reduce password space by a correcting hash
function.
Meh
Meh
h
h
Password Registry
User Entry
Mehler1979
Mehler1997
- Solves problems of previous methods.
- Loss of recall and increase of false positives
9Password Corrective Hashing
- Want to accept mistakes (recall)
- h(flpajack) h(flapjack)
- Dont accept other strings (false positive rate)
- h(pancake) ? h(flapjack)
- We separately consider correcting single
transposition errors and single substitution
errors (most common entry error types)
Notation n password (string) length m
alphabet size
10Previous Work
- Phonetic Hashing (Soundex, Metaphone, etc.)
- h(Smith) S43 h(Smyth)
- SAMBA repeated login to relax case and
character order. - Personal Question Answering.
- Semantic Pass-Phrase.
11Correcting Transposition Errors
Idea Sort the characters of a password.
h(flpajack) aacfjklp h(flapjack)
- Sorting a string imposes its own order.
- All strings differing by a transposition are the
same when sorted, so - Recall 1
- But many False Positives
- h(erika) aeikr h(keira)
- Theorem No other method will have fewer false
positives with perfect recall
12Proof
Assume some method M with
recallM 1 fpM lt
fpSort Then there are strings S,T such that
Sort(S) Sort(T) M(S) ? M(T) Thus
there exists a sequence S, s1, s2,
, sj, T With each string differing by a
transposition. (example keira, ekira, eikra,
eirka, erika) Since M(S)?M(T), there is some i
such that M(si) ? M(si1) Contradicting Ms
perfect recall.
13Partial Sorting
- Sortings high false positive rate makes it
insecure. - Can we get a lower false positive rate with
almost as good recall? - We consider 2 methods that partially sort a
string. - Sorting Networks
- Block Sorting
d
a
a
a
b
d
a
b
d
b
c
b
d
c
c
c
d
a
a
d
b
b
c
c
14Sorting Networks
- Correct Transpositions
- Impose some order on the string, up to completely
sorted - Take output of any stage as an operating point.
6
3
3
1
3
6
2
2
4
2
6
3
2
1
4
3
.
5
1
4
4
1
5
3
4
3
3
5
5
4
4
4
6
15Sorting Network Analysis
- 1-stage
- All even Transpositions are corrected. Recall is
- 2-stage
- All even transpositions still corrected.
- Some odd transpositions corrected also.
- Consider abcd and acbd.
- Hashed together if a ? b,c ? d
16Block Sorting
- Partition string into substrings, and sort the
substrings. - Will correct all transposition errors except
those occurring across substrings.
6
6
2
3
3
3
4
4
4
2
2
6
5
5
1
1
1
3
3
3
4
5
4
4
17Block Sorting Analysis
- Does not correct transpositions across block
boundaries. - Recall (n-k)/(n-1)
- False positive if each block is hashed together
under complete sorting
fp 2k-1?(fpsort(ni)tpsort(ni))
?fpsort(ni)mn-ni
18Example Domains
Application Password Length (n) Alphabet Size (m)
Logins 8 64
10 32
20 2
WEP Key 10 16
26 16
SSN 9 10
Credit Card 16 10
Names 7 26
19Correcting Transposition Results
Conclusion Block Sorting can be used to match
passwords, except on small alphabets.
20Correcting Substitution Errors
- Hi/Low Weakening Partition alphabet into two
sets. - Ex Low 0-4 High 5-9
- 1979 -gt LHHH
- Recall (k(k-1) (m-k)(m-k-1)) / m(m-1)
- Weak Set
- A subset of the alphabet is the weak set.
- All members of the weak set get hashed
- to the same symbol.
- Ex Weak-Set a,e,i,o,u
- Lawrence -gt L.wr.nc.
- Recall k(k-1) / m(m-1)
21Weak Set Results
Conclusion Too insecure for usability gains.
22Substitution Results
23Crack Lists
Previous analysis assumed uniform distribution of
passwords. Users tend to use dictionary
words. One common way of breaking into systems
is by using a crack list of common words and
names that might appear in a password. How much
smaller of a crack list would be needed if
corrective hashing was used?
erika keira last salt
h sorting
aeikr alst
24Crack Lists
lt 13 reduction of crack list for complete
sorting. lt 1 reduction of crack list for 50
recall.
25Conclusions
- Usability increased with small security trade-off
for correcting transposition errors - Substitution errors harder to correct
- Crack list computational cost not significantly
decreased
- Open Problems
- Better hash functions?
- Correcting insert/deletion errors?
- Empirical usability experiments?