Improving Usability Through Password-Corrective Hashing Andrew Mehler www.cs.sunysb.edu/~mehler Steven Skiena www.cs.sunysb.edu/~skiena Stony Brook University 13 October 2006

1
Improving Usability Through Password-Corrective
HashingAndrew Mehlerwww.cs.sunysb.edu/mehlerS
teven Skienawww.cs.sunysb.edu/skienaStony
Brook University13 October 2006
2
Password Authentication
User Entry
Password Registry
mehler1979
mehler1979
3
Password Authentication
Users Not Perfect!
User Entry
Password Registry
mehler1997
mehler1979

• Enter wrong password
• Cant remember
• Data Entry error (every 30 keystrokes)

4

• Should passwords with entry errors be accepted?
• Increase Usability.
• Accept close enough strings, little loss of
  security.
• User will choose stronger passwords.
• User wont write down password.

Idea We accept Passwords that differ by a single
error (substitution or transposition). Transposit
ion student -gt studnet Substitution student -gt
studint PROBLEM How to implement this?
5
Solution 1 Repeated Login
For an entered password, simulate login with all
possible passwords differing by a single
transposition or substitution.
aba baa aab abb
User Entry
aba
PROBLEMS
Requires n-1 attempts for transpositions Requires
nm attempts for substitutions
6
Solution 2 Check Equivalence
For an entered password, compare it to the
password on file not just for equality, but if it
differs by a transposition/substitution.
sub?
Password Registry
trans?
User Entry
PROBLEMS

• Password Registry not plain text!
• Cant do transpositions/substitutions on
• encrypted passwords.
• Equality is really encrypted equality.

7
Solution 3 Store All Variants
For each user, store in the encrypted file, their
password, and all acceptable variations.
aba
aba
baa
aab
Password Registry
User Entry
PROBLEMS

• Registry file will be large.
• Malicious decryption easier.

8
Our Solution Corrective Hashing
Reduce password space by a correcting hash
function.
Meh
Meh
h
h
Password Registry
User Entry
Mehler1979
Mehler1997

• Solves problems of previous methods.
• Loss of recall and increase of false positives

9
Password Corrective Hashing

• Want to accept mistakes (recall)
• h(flpajack) h(flapjack)
• Dont accept other strings (false positive rate)
• h(pancake) ? h(flapjack)
• We separately consider correcting single
  transposition errors and single substitution
  errors (most common entry error types)

Notation n password (string) length m
alphabet size
10
Previous Work

• Phonetic Hashing (Soundex, Metaphone, etc.)
• h(Smith) S43 h(Smyth)
• SAMBA repeated login to relax case and
  character order.
• Personal Question Answering.
• Semantic Pass-Phrase.

11
Correcting Transposition Errors
Idea Sort the characters of a password.
h(flpajack) aacfjklp h(flapjack)

• Sorting a string imposes its own order.
• All strings differing by a transposition are the
  same when sorted, so
• Recall 1
• But many False Positives
• h(erika) aeikr h(keira)
• Theorem No other method will have fewer false
  positives with perfect recall

12
Proof
Assume some method M with
recallM 1 fpM lt
fpSort Then there are strings S,T such that
Sort(S) Sort(T) M(S) ? M(T) Thus
there exists a sequence S, s1, s2,
, sj, T With each string differing by a
transposition. (example keira, ekira, eikra,
eirka, erika) Since M(S)?M(T), there is some i
such that M(si) ? M(si1) Contradicting Ms
perfect recall.
13
Partial Sorting

• Sortings high false positive rate makes it
  insecure.
• Can we get a lower false positive rate with
  almost as good recall?
• We consider 2 methods that partially sort a
  string.
• Sorting Networks
• Block Sorting

d
a
a
a
b
d
a
b
d
b
c
b
d
c
c
c
d
a
a
d
b
b
c
c
14
Sorting Networks

• Correct Transpositions
• Impose some order on the string, up to completely
  sorted
• Take output of any stage as an operating point.

6
3
3
1
3
6
2
2
4
2
6
3
2
1
4
3
.
5
1
4
4
1
5
3
4
3
3
5
5
4
4
4
6
15
Sorting Network Analysis

• 1-stage
• All even Transpositions are corrected. Recall is

• 2-stage
• All even transpositions still corrected.
• Some odd transpositions corrected also.
• Consider abcd and acbd.
• Hashed together if a ? b,c ? d

16
Block Sorting

• Partition string into substrings, and sort the
  substrings.
• Will correct all transposition errors except
  those occurring across substrings.

6
6
2
3
3
3
4
4
4
2
2
6
5
5
1
1
1
3
3
3
4
5
4
4
17
Block Sorting Analysis

• Does not correct transpositions across block
  boundaries.
• Recall (n-k)/(n-1)

• False positive if each block is hashed together
  under complete sorting

fp 2k-1?(fpsort(ni)tpsort(ni))
?fpsort(ni)mn-ni
18
Example Domains
Application Password Length (n) Alphabet Size (m)
Logins 8 64
10 32
20 2
WEP Key 10 16
26 16
SSN 9 10
Credit Card 16 10
Names 7 26
19
Correcting Transposition Results
Conclusion Block Sorting can be used to match
passwords, except on small alphabets.
20
Correcting Substitution Errors

• Hi/Low Weakening Partition alphabet into two
  sets.
• Ex Low 0-4 High 5-9
• 1979 -gt LHHH
• Recall (k(k-1) (m-k)(m-k-1)) / m(m-1)
• Weak Set
• A subset of the alphabet is the weak set.
• All members of the weak set get hashed
• to the same symbol.
• Ex Weak-Set a,e,i,o,u
• Lawrence -gt L.wr.nc.
• Recall k(k-1) / m(m-1)

21
Weak Set Results
Conclusion Too insecure for usability gains.
22
Substitution Results
23
Crack Lists
Previous analysis assumed uniform distribution of
passwords. Users tend to use dictionary
words. One common way of breaking into systems
is by using a crack list of common words and
names that might appear in a password. How much
smaller of a crack list would be needed if
corrective hashing was used?
erika keira last salt
h sorting
aeikr alst
24
Crack Lists
lt 13 reduction of crack list for complete
sorting. lt 1 reduction of crack list for 50
recall.
25
Conclusions

• Usability increased with small security trade-off
  for correcting transposition errors
• Substitution errors harder to correct
• Crack list computational cost not significantly
  decreased

• Open Problems
• Better hash functions?
• Correcting insert/deletion errors?
• Empirical usability experiments?