{"id":"https://openalex.org/W3212969377","doi":"https://doi.org/10.1145/3460120.3484791","title":"Don't Forget the Stuffing! Revisiting the Security Impact of Typo-Tolerant Password Authentication","display_name":"Don't Forget the Stuffing! Revisiting the Security Impact of Typo-Tolerant Password Authentication","publication_year":2021,"publication_date":"2021-11-12","ids":{"openalex":"https://openalex.org/W3212969377","doi":"https://doi.org/10.1145/3460120.3484791","mag":"3212969377"},"language":"en","primary_location":{"id":"doi:10.1145/3460120.3484791","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484791","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5006274286","display_name":"Sena \u015eahin","orcid":"https://orcid.org/0009-0009-1090-2044"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Sena Sahin","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5050884723","display_name":"Frank Li","orcid":"https://orcid.org/0000-0003-2242-048X"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Frank Li","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5006274286"],"corresponding_institution_ids":["https://openalex.org/I130701444"],"apc_list":null,"apc_paid":null,"fwci":2.7541,"has_fulltext":false,"cited_by_count":13,"citation_normalized_percentile":{"value":0.91870903,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"252","last_page":"270"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9882000088691711,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10828","display_name":"Biometric Identification and Security","score":0.9621999859809875,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.8849067687988281},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7299767732620239},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7038350105285645},{"id":"https://openalex.org/keywords/password-policy","display_name":"Password policy","score":0.6668568253517151},{"id":"https://openalex.org/keywords/cognitive-password","display_name":"Cognitive password","score":0.661584734916687},{"id":"https://openalex.org/keywords/password-strength","display_name":"Password strength","score":0.6613500118255615},{"id":"https://openalex.org/keywords/one-time-password","display_name":"One-time password","score":0.6091947555541992},{"id":"https://openalex.org/keywords/s/key","display_name":"S/KEY","score":0.5784868001937866},{"id":"https://openalex.org/keywords/password-cracking","display_name":"Password cracking","score":0.5462964177131653},{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.43002229928970337},{"id":"https://openalex.org/keywords/zero-knowledge-password-proof","display_name":"Zero-knowledge password proof","score":0.428540974855423},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.4108179211616516}],"concepts":[{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.8849067687988281},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7299767732620239},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7038350105285645},{"id":"https://openalex.org/C98705547","wikidata":"https://www.wikidata.org/wiki/Q3394687","display_name":"Password policy","level":4,"score":0.6668568253517151},{"id":"https://openalex.org/C23875713","wikidata":"https://www.wikidata.org/wiki/Q5141232","display_name":"Cognitive password","level":5,"score":0.661584734916687},{"id":"https://openalex.org/C70530487","wikidata":"https://www.wikidata.org/wiki/Q1990841","display_name":"Password strength","level":4,"score":0.6613500118255615},{"id":"https://openalex.org/C89479133","wikidata":"https://www.wikidata.org/wiki/Q1137840","display_name":"One-time password","level":3,"score":0.6091947555541992},{"id":"https://openalex.org/C4957475","wikidata":"https://www.wikidata.org/wiki/Q242186","display_name":"S/KEY","level":3,"score":0.5784868001937866},{"id":"https://openalex.org/C3847113","wikidata":"https://www.wikidata.org/wiki/Q2746524","display_name":"Password cracking","level":5,"score":0.5462964177131653},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.43002229928970337},{"id":"https://openalex.org/C188615804","wikidata":"https://www.wikidata.org/wiki/Q8069448","display_name":"Zero-knowledge password proof","level":5,"score":0.428540974855423},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.4108179211616516}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3460120.3484791","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484791","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.5600000023841858,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G4892121016","display_name":null,"funder_award_id":"2055549","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W1548573590","https://openalex.org/W1987516957","https://openalex.org/W2030112111","https://openalex.org/W2050296478","https://openalex.org/W2055147133","https://openalex.org/W2073342447","https://openalex.org/W2091833612","https://openalex.org/W2099419188","https://openalex.org/W2513151097","https://openalex.org/W2538793708","https://openalex.org/W2683619959","https://openalex.org/W2765227388","https://openalex.org/W2765667105","https://openalex.org/W2765986046","https://openalex.org/W2793573497","https://openalex.org/W2891114826","https://openalex.org/W2931153881","https://openalex.org/W2947740622","https://openalex.org/W2965442679","https://openalex.org/W2969892291","https://openalex.org/W2983838566","https://openalex.org/W2987263720","https://openalex.org/W3023255879","https://openalex.org/W3025578853","https://openalex.org/W4285719527","https://openalex.org/W4299301436"],"related_works":["https://openalex.org/W2969720675","https://openalex.org/W1982158666","https://openalex.org/W3131491961","https://openalex.org/W2017283799","https://openalex.org/W2953105088","https://openalex.org/W1995890708","https://openalex.org/W1970072309","https://openalex.org/W4302810031","https://openalex.org/W2596766976","https://openalex.org/W2054626033"],"abstract_inverted_index":{"To":[0,145],"enhance":[1],"the":[2,15,27,78,88,128,174,195],"usability":[3],"of":[4,81,92,131,183],"password":[5,8,47,70,83,97,107,132,135,185],"authentication,":[6,186],"typo-tolerant":[7,69,82,184],"authentication":[9,57,71,108],"schemes":[10],"permit":[11],"certain":[12],"deviations":[13],"in":[14,120,143],"user-supplied":[16],"password,":[17],"to":[18,29,54],"account":[19],"for":[20,180,190],"common":[21],"typographical":[22],"errors":[23],"yet":[24,49],"still":[25],"allow":[26],"user":[28],"successfully":[30],"log":[31],"in.":[32],"In":[33,59,73],"prior":[34],"work,":[35],"analysis":[36,91],"by":[37,163],"Chatterjee":[38],"et":[39],"al.":[40],"demonstrated":[41],"that":[42,87,154],"typo-tolerance":[43,133],"indeed":[44],"notably":[45],"improves":[46],"usability,":[48],"(surprisingly)":[50],"does":[51],"not":[52],"appear":[53],"significantly":[55,140],"degrade":[56],"security.":[58,144],"practice,":[60],"major":[61],"web":[62],"services":[63],"such":[64,93],"as":[65,106],"Facebook":[66],"have":[67],"employed":[68],"systems.":[72],"this":[74,101,147],"paper,":[75],"we":[76,125,149],"revisit":[77],"security":[79,90,129,159,196],"impact":[80,130],"authentication.":[84],"We":[85],"observe":[86],"existing":[89],"systems":[94,109],"considers":[95],"only":[96],"spraying":[98],"attacks.":[99,118],"However,":[100],"threat":[102],"model":[103],"is":[104,160],"incomplete,":[105],"must":[110],"also":[111],"contend":[112],"with":[113],"credential":[114],"stuffing":[115],"and":[116],"tweaking":[117],"Factoring":[119],"these":[121],"missing":[122],"attack":[123],"vectors,":[124],"empirically":[126],"re-evaluate":[127],"using":[134],"leak":[136],"datasets,":[137],"discovering":[138],"a":[139,157],"larger":[141],"degradation":[142],"mitigate":[146],"issue,":[148],"explore":[150],"machine":[151],"learning":[152],"classifiers":[153],"predict":[155],"when":[156],"password's":[158],"likely":[161],"affected":[162],"typo-tolerance.":[164],"Our":[165],"resulting":[166],"models":[167],"offer":[168],"various":[169],"suitable":[170],"operating":[171],"points":[172],"on":[173],"functionality-security":[175],"tradeoff":[176],"spectrum,":[177],"ultimately":[178],"allowing":[179],"partial":[181],"deployment":[182],"preserving":[187],"its":[188],"functionality":[189],"many":[191],"users":[192],"while":[193],"reducing":[194],"risks.":[197]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":6},{"year":2022,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}