VaultIME: Regaining User Control for Password Managers through Auto-correction

Users are often educated to follow advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable when they grant password managers the privilege to automate access to their digital accounts. We propose VaultIME to nudge more users towards the adoption of password managers by offering them a tangible benefit, while only slightly interfering with their current usage practices. Instead of “auto-filling” password fields, we propose to “autocorrect” passwords in case of minor typos. VaultIME integrates the functionality of a password manager into the input method editor. Running as an app on mobile phones, VaultIME remembers user passwords on a per-app basis, and corrects mistyped passwords within a typo-tolerant set. We show that VaultIME achieves high levels of usability and security.

Received on 29 March 2018; accepted on 11 April 2018; published on 15 May 2018
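A minimal sketch of the per-app auto-correction the abstract describes, added here as an illustration and not VaultIME's own code. The corrector set (caps-lock flip, first-letter case flip, one extra trailing character), the `Vault` class, the app identifiers and the salted PBKDF2 storage are all assumptions, since the abstract does not specify them.

```python
import hashlib
import hmac
import os

# Assumed typo-tolerant set: each corrector maps what was typed to one candidate.
def flip_all_case(s):      # caps lock left on
    return s.swapcase()

def flip_first_case(s):    # auto-capitalised or missed shift on first character
    return s[:1].swapcase() + s[1:]

def drop_last_char(s):     # stray extra key at the end
    return s[:-1]

CORRECTORS = (flip_all_case, flip_first_case, drop_last_char)

def _digest(password, salt):
    # Salted slow hash, so the store does not hold the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Vault:
    """Hypothetical per-app store: app id -> (salt, digest)."""

    def __init__(self):
        self._entries = {}

    def enroll(self, app, password):
        salt = os.urandom(16)
        self._entries[app] = (salt, _digest(password, salt))

    def correct(self, app, typed):
        """Return the string the input method should submit for this app."""
        entry = self._entries.get(app)
        if entry is None:
            return typed               # nothing remembered for this app
        salt, stored = entry
        match = None
        # Every candidate is hashed; there is no early exit on a match.
        for candidate in [typed] + [fix(typed) for fix in CORRECTORS]:
            if hmac.compare_digest(_digest(candidate, salt), stored):
                match = candidate
        # A typo outside the tolerant set is passed through untouched.
        return typed if match is None else match
```

Each corrector widens what a single entry attempt can match, so the set is kept small and correction is scoped to the app the password was enrolled for.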
