A smart password checker that lets you make mistakes
Mistyping your password leads to failed logins and wasted time. Prior research has shown that 3% of all users are prevented from logging in by simple, easily correctable typos, such as accidentally tapping the caps-lock key. This is not only frustrating, but can also have a negative effect on users' security practices: less secure (but easier to type) passwords start to look more appealing, and users may be discouraged from locking their computers at all.
With this in mind, we built TypTop, a secure, personalized, typo-tolerant password checker for your Mac or Linux computer. It lets you focus on more important things than retyping your login password.
TypTop offers typo-tolerance tailored to you. It learns the typos that you make most frequently and allows you to log in with a small handful of them. Security isn't sacrificed: TypTop performs a number of safety checks before allowing authentication under a given typo, to ensure that doing so will not degrade security. We've conducted an in-depth analysis showing that TypTop is as secure as conventional password-based authentication.
Currently TypTop can be used on Unix-based systems, including macOS and Linux distributions. We have precompiled packages for many systems; see if you can find yours among the latest releases. Installation should be straightforward: download the binary, click on it, and follow the on-screen instructions. Otherwise you can compile it on your machine from source. That's right: TypTop is open source software distributed under the MIT license.
Once installed successfully, TypTop should register itself with the pluggable authentication module (PAM), so that it is invoked for all PAM-based authentications that require a password to be typed. It securely records typographical errors and enables login with common typos as it learns about them. If you are eager to check whether or not it is working, lock the screen and log back in, first with the correct password and then with a typo made by appending '1' to your password. For example, if your password is KuteCitten, try to log in with KuteCitten1. If you can log in with the mistyped password, TypTop is working.
You can do the same experiment in the terminal with the command 'su': type su $USER, enter the correct password the first time, and the next time try a typo of it as described above.
We are conducting a short survey about users' password habits, and request you fill it in. Check below for more details.
To uninstall, open a terminal and run the following command:
sudo typtop --uninstall
TypTop is a new kind of password checker that learns about your past password typing mistakes and lets you log in with the typos that you frequently make, if it is safe to do so. We only allow typos that are very close to your original password (i.e., off by one character) and that do not reduce the unpredictability of the password by too great an amount. To achieve this, TypTop uses a new kind of encrypted cache to store recent incorrect entries, and unlocks these upon a correct entry of the password. Incorrect entries that satisfy TypTop's safety checks are then securely hashed and added to a set of allowable login passwords. On subsequent logins, TypTop checks not only the original password but also the entire set of allowed passwords; if any match, login is allowed. All sensitive data (your password and typos of it) are stored in protected form on your system, never in the clear.
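The policy just described, as an added worked example (constructed here; it is not TypTop's own code): a checker that keeps recent failed entries on a wait-list, unlocks and vets them when the real password is entered, and afterwards accepts the vetted typos from a hashed set. Two simplifications are assumptions of this example: the wait-list is held in memory rather than in TypTop's encrypted on-disk cache, and the strength meter is a crude stand-in for zxcvbn with a tiny constructed dictionary. The thresholds, the sample passwords, and all function names are likewise constructed for illustration.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed stand-in for a strength meter's dictionary of common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

# Policy thresholds: assumptions of this example, not TypTop's actual parameters.
MAX_EDIT_DISTANCE = 1    # "off by one character"
MIN_TYPO_BITS = 20.0     # a typo must not itself be an easy-to-guess password
MAX_DROP_BITS = 10.0     # a typo must not be much easier to guess than the real password
MAX_ALLOWED_TYPOS = 5    # "a small handful" of learned typos
WAITLIST_SIZE = 10       # recent incorrect entries kept for vetting
PBKDF2_ROUNDS = 50_000   # kept low so the example runs quickly


def strength_bits(pw: str) -> float:
    """Crude guessability estimate in bits (placeholder for zxcvbn, not zxcvbn).

    Dictionary words score by their rank; anything else gets a brute-force
    estimate of len * log2(charset size).
    """
    if pw.lower() in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(pw.lower()) + 2)
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_typo(password: str, typo: str):
    """Apply the safety checks; return (accepted, reason)."""
    d = edit_distance(password, typo)
    if d == 0 or d > MAX_EDIT_DISTANCE:
        return False, "not within one edit of the real password"
    typo_bits = strength_bits(typo)
    if typo_bits < MIN_TYPO_BITS:
        return False, "typo collides with an easy-to-guess password"
    if strength_bits(password) - typo_bits > MAX_DROP_BITS:
        return False, "typo is much easier to guess than the real password"
    return True, "ok"


def _hash(secret: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of a password or typo; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _verify(candidate: str, stored: tuple) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_hash(candidate, salt)[1], digest)


class TypoTolerantChecker:
    def __init__(self, password: str):
        self.real = _hash(password)
        self.allowed = []   # (salt, digest) of vetted typos, oldest first
        self.waitlist = []  # recent rejected entries; in memory here, encrypted on disk in TypTop's design

    def login(self, attempt: str) -> bool:
        if _verify(attempt, self.real):
            self._unlock_waitlist(attempt)  # the real password is in hand, so vet the cached failures
            return True
        if any(_verify(attempt, h) for h in self.allowed):
            return True                     # a learned typo; the wait-list stays locked
        self.waitlist.append(attempt)
        del self.waitlist[:-WAITLIST_SIZE]  # keep only the most recent entries
        return False

    def _unlock_waitlist(self, password: str) -> None:
        for entry in dict.fromkeys(self.waitlist):  # de-duplicate, preserving order
            accepted, _ = vet_typo(password, entry)
            if accepted and not any(_verify(entry, h) for h in self.allowed):
                self.allowed.append(_hash(entry))
                del self.allowed[:-MAX_ALLOWED_TYPOS]  # evict the oldest when over the cap
        self.waitlist.clear()


if __name__ == "__main__":
    checker = TypoTolerantChecker("KuteCitten")
    print(checker.login("KuteCitten1"))  # False: not yet learned, goes on the wait-list
    print(checker.login("KuteCitten"))   # True: the correct password unlocks and vets the wait-list
    print(checker.login("KuteCitten1"))  # True: the vetted typo is now accepted
    print(vet_typo("Pa%ssword", "Password"))
```

Note the ordering the model enforces: a typo has to fail once and then be followed by a correct entry of the real password before it is accepted, and logging in with an already-learned typo does not unlock the wait-list, because the safety checks need the real password to compare against.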
All this is presented in detail and analyzed in an academic research paper. We will post it here soon. The code for TypTop is open source as well, and we welcome any feedback on it.
TypTop is a research prototype. While our initial pilot deployment has shown it to be effective for users who make typos frequently, we need data from a larger set of users to understand what fraction of users benefit from TypTop's design. We have therefore built into TypTop an anonymized and secure feedback mechanism, similar to how most modern software reports back to its designers information useful for improving the system. There is absolutely no way to use the collected data to learn your password or other sensitive information!
We do not record IP addresses or any other information about the system from which an anonymous report is collected. In fact, we will not even be able to associate collected data with individual installations.
For each login we collect:
On installation of TypTop, you are included in the study by default. You can opt out of the study at any time, without affecting the functionality of TypTop, by running the following command in the terminal: typtop --participate $USER no
The data collected will only ever be used by our research team to understand the efficacy of TypTop. We may publish summary statistics (e.g., average improvement to login efficacy) in future research papers. The collected data will never be released publicly.
We are also conducting a short, anonymous survey on users' password typing behaviors, and would appreciate your help if you are interested in taking it.
Kutecitten versus the real password KuteCitten. Second, we ensure that a typo does not collide with an easy-to-guess password, by ruling out typos that have low scores on state-of-the-art industry strength meters (we use Dropbox's zxcvbn). Third, we make sure that a typo does not degrade the guessability of your real password, again by ensuring that the drop in score under a strength meter is not too large. For example, if your real password is Pa%ssword, then Password is not an allowed typo, as the latter is much easier to guess than the former. These restrictions, taken together, ensure that typos will not be much easier to guess than your actual password.
auth include typtop-auth from all files in /etc/pam.d.
Alternatively, you can uninstall by running the command sudo typtop --uninstall in a terminal in recovery mode.
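To check that TypTop's PAM registration is actually in place, or to see which service files still carry the hook when you have to remove it by hand, here is an added example (not TypTop's own code) that scans a pam.d directory for the `auth include typtop-auth` rule and strips that rule from a file's contents while leaving every other line untouched. The sample service files are constructed for the example, and the contents of the `typtop-auth` file itself are not modelled.

```python
import os
import tempfile

# The rule TypTop adds to PAM service files: `auth include typtop-auth`.
HOOK = ("auth", "include", "typtop-auth")


def is_typtop_hook(line: str) -> bool:
    """True if a pam.d line is the TypTop include rule.

    Trailing comments and extra arguments are ignored, and a leading '-' on
    the module type (which PAM allows to silence missing-module logging) is
    tolerated.
    """
    fields = line.split("#", 1)[0].split()
    return len(fields) >= 3 and (fields[0].lstrip("-"), fields[1], fields[2]) == HOOK


def files_with_hook(pam_dir: str) -> list:
    """Names of the service files under pam_dir that include typtop-auth."""
    hooked = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                if any(is_typtop_hook(line) for line in f):
                    hooked.append(name)
    return hooked


def without_hook(text: str) -> str:
    """Service file contents with the TypTop include rule removed (manual
    removal; all other lines are kept verbatim)."""
    return "".join(l for l in text.splitlines(keepends=True) if not is_typtop_hook(l))


# Constructed sample service files; only `sudo` carries the hook.
SAMPLE_PAM_D = {
    "sudo": "#%PAM-1.0\nauth include typtop-auth\nauth include system-auth\naccount include system-auth\n",
    "sshd": "#%PAM-1.0\nauth substack password-auth\naccount required pam_nologin.so\n",
}


def build_sample_pam_d() -> str:
    """Write the constructed sample files into a temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="pam.d-")
    for name, text in SAMPLE_PAM_D.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(text)
    return d


if __name__ == "__main__":
    d = build_sample_pam_d()
    print("service files including typtop-auth:", files_with_hook(d))
    print(without_hook(SAMPLE_PAM_D["sudo"]), end="")
```

Point `files_with_hook` at the real /etc/pam.d to audit a live system; `without_hook` only returns new contents, so writing them back (as root, with a backup) is left to you.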