Client-Side Hashing for Efficient Typo-Tolerant Password Checkers

Enka Blanchard
Copyright: © 2022 | Volume: 13 | Issue: 1 | Pages: 24
ISSN: 2640-4265 | EISSN: 2640-4273 | EISBN13: 9781683183655 | DOI: 10.4018/IJSSSP.302622
Blanchard, E. (2022). Client-Side Hashing for Efficient Typo-Tolerant Password Checkers. International Journal of Systems and Software Security and Protection (IJSSSP), 13(1), 1-24. http://doi.org/10.4018/IJSSSP.302622


Abstract

Credential leaks still happen with regular frequency, and show evidence that, despite decades of warnings, password hashing is still not correctly implemented in practice. The common practice today, inherited from previous but obsolete constraints, is to transmit the password in cleartext to the server, where it is hashed and stored. This allows some usability improvements, such as typo-tolerant password checkers — which can correct up to 32% of typos, with no negative impact on security — formally introduced by Chatterjee et al. in 2016, but used in some preliminary forms since 2012. This article investigates the advantages and drawbacks of the alternative of hashing client-side, and shows that it is present today exclusively on Chinese websites. It introduces an alternative typo-correction framework based on client-side hashing, which corrects up to 57% of typos without affecting user experience, at no computational cost to the server. Finally, it proposes some potential ways to improve the industry standards by enforcing accountability on password security.
