DOI: 10.1145/3688459.3688461
Research article

"I'm going to try her birthday": Investigating How Friends Guess Each Other's Smartphone Unlock PINs in the Lab

Published: 20 November 2024

Abstract

Despite the recent popularity of biometrics for smartphone unlocking, knowledge-based authentication schemes (e.g., PINs) remain crucial for smartphone security and are typically required when the device restarts or the biometric fails. Previous studies on PINs assume an attacker without any personal information about the victim, and many speculate that an attacker with some personal information about the victim (e.g., a friend) might fare better when guessing their smartphone unlock PIN. However, no study has investigated this yet, despite friends or partners being those most likely to attempt PIN guessing. In this work, we explore how attackers who have some personal information about, or relationship with, the victim guess smartphone unlock credentials by recruiting 9 pairs of participants (n = 18) who have some relationship with each other to guess each other’s PINs or passwords in an in-person lab experiment. We find that most participants’ initial guessing strategies are birthdays and modifications of those birthdays, followed by geometric patterns and repetitions. In contrast, most participants indicated they would try random numbers or common PINs for strangers. While no participant was able to guess another participant’s PIN, about half indicated they would not change their PIN or password even if it was guessed by their study partner. We additionally combine participants’ guesses to guess PINs selected in a prior study, finding that our participants’ guesses perform similarly to the optimized simulated attackers used in previous work. We conclude with takeaways and interesting directions for future research.


Published In

EuroUSEC '24: Proceedings of the 2024 European Symposium on Usable Security
September 2024, 361 pages
ISBN: 9798400717963
DOI: 10.1145/3688459

Publisher

Association for Computing Machinery, New York, NY, United States


Conference

EuroUSEC 2024: The 2024 European Symposium on Usable Security
September 30 - October 1, 2024
Karlstad, Sweden
