What's in a name? Evaluating statistical attacks on personal knowledge questions

Joseph Bonneau, Mike Just, Greg Matthews

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

Original language: English (US)
Title of host publication: Financial Cryptography and Data Security - 14th International Conference, FC 2010, Revised Selected Papers
Pages: 98-113
Number of pages: 16
Volume: 6052 LNCS
DOI: 10.1007/978-3-642-14577-3_10
State: Published - 2010
Event: 14th International Conference on Financial Cryptography and Data Security, FC 2010 - Tenerife, Canary Islands, Spain
Duration: Jan 25 2010 to Jan 28 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6052 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 14th International Conference on Financial Cryptography and Data Security, FC 2010
Country: Spain
City: Tenerife, Canary Islands
Period: 1/25/10 to 1/28/10

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Bonneau, J., Just, M., & Matthews, G. (2010). What's in a name? Evaluating statistical attacks on personal knowledge questions. In Financial Cryptography and Data Security - 14th International Conference, FC 2010, Revised Selected Papers (Vol. 6052 LNCS, pp. 98-113). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6052 LNCS). https://doi.org/10.1007/978-3-642-14577-3_10

@inproceedings{83c7166abd1b4feead7ef84fa7efae9a,
title = "What's in a name? Evaluating statistical attacks on personal knowledge questions",
abstract = "We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.",
author = "Joseph Bonneau and Mike Just and Greg Matthews",
year = "2010",
doi = "10.1007/978-3-642-14577-3_10",
language = "English (US)",
isbn = "3642145760",
volume = "6052 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "98--113",
booktitle = "Financial Cryptography and Data Security - 14th International Conference, FC 2010, Revised Selected Papers",

}
