Client-side hashing for efficient typo-tolerant password checkers

Abstract

Credential leaks still happen with regular frequency, and show evidence that, despite decades of warnings, password hashing is still not correctly implemented in practice. The common practice today, inherited from previous but obsolete constraints, is to transmit the password in cleartext to the server, where it is hashed and stored. This allows some usability improvements, such as typo-tolerant password checkers — which can correct up to 32% of typos, with no negative impact on security — formally introduced by Chatterjee et al. in 2016, but used in some preliminary forms since 2012. This article investigates the advantages and drawbacks of the alternative of hashing client-side, and shows that it is present today exclusively on Chinese websites. It introduces an alternative typo-correction framework based on client-side hashing, which corrects up to 57% of typos without affecting user experience, at no computational cost to the server. Finally, it proposes some potential ways to improve the industry standards by enforcing accountability on password security.