VaultIME: Regaining User Control For Password Managers through Auto-correction


Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened, when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

Security and Privacy in Communication Networks: 13th International Conference, SecureComm 2017
Le Guan
Assistant Professor of Cybersecurity