
What’s in a Name?

Evaluating Statistical Attacks on Personal Knowledge Questions

  • Conference paper
Financial Cryptography and Data Security (FC 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6052)

Abstract

We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.




© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bonneau, J., Just, M., Matthews, G. (2010). What’s in a Name? In: Sion, R. (ed.) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_10

  • DOI: https://doi.org/10.1007/978-3-642-14577-3_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14576-6

  • Online ISBN: 978-3-642-14577-3
