VaultIME: Regaining User Control For Password Managers through Auto-correction

Abstract

Users are often educated to follow different forms of advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every important website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable or even threatened when they grant password managers the privilege to automate access to their digital accounts. Likewise, they are worried that individuals close to them may be able to access important websites by using the password manager stealthily. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit with minimal interference with their current usage practices. Instead of “auto-filling” password fields, we propose a new mechanism to “auto-correct” passwords in the presence of minor typos. VaultIME innovates by integrating the functionality of a password manager into an input method editor. Specifically, running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security. With respect to usability, VaultIME is able to correct as many as 47.8% of password typos in a real-world password typing dataset. Regarding security, simulated attacks reveal that the security loss brought by VaultIME against a brute-force attacker is at most 0.43%.

Publication
Security and Privacy in Communication Networks: 13th International Conference, SecureComm 2017
Date