What's in a Name?

We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
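
As an added illustration (not code from the paper), the Python below computes two standard guessing-theory measures over a constructed answer distribution for a personal knowledge question and shows the effect of proactively shaping that distribution; the metric definitions, the sample counts and the shaping model are assumptions made for this example, not the paper's own definitions.

```python
# Added example (not from the paper): standard guessing-theory measures
# applied to a constructed answer distribution for a personal knowledge
# question, before and after proactively shaping it. The metric definitions
# and the shaping model are assumptions made for illustration.
from collections import Counter

# Constructed sample: how often each answer to "mother's maiden name"
# was enrolled across 100 accounts (not real data).
SAMPLE_ANSWERS = Counter({"smith": 30, "johnson": 20, "williams": 15, "brown": 10,
                          "jones": 8, "garcia": 6, "miller": 4, "davis": 3,
                          "rodriguez": 2, "martinez": 1, "hernandez": 1})

def distribution(counts):
    """Answer probabilities, sorted most likely first (the attacker's guess order)."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)

def trawling_success(probs, beta):
    """Fraction of strangers' accounts a trawling attacker compromises by trying
    only the beta most likely answers against every account."""
    return sum(probs[:beta])

def expected_guesses(probs):
    """Guesswork (Massey): expected guesses to find one account's answer when
    guessing in decreasing order of probability."""
    return sum(i * p for i, p in enumerate(probs, start=1))

def shape_distribution(counts, max_share):
    """Proactive shaping: an answer is refused once max_share of all accounts
    have enrolled it. Each redirected user is modelled as supplying a distinct
    rare answer instead, which is an optimistic assumption."""
    total = sum(counts.values())
    cap = round(max_share * total)
    shaped = Counter({a: min(c, cap) for a, c in counts.items()})
    redirected = sum(max(0, c - cap) for c in counts.values())
    for i in range(redirected):
        shaped[f"redirected-{i}"] = 1  # placeholder for a distinct rare answer
    return shaped

def compare(counts, beta, max_share):
    """Security measures before and after shaping, rounded for display."""
    before = distribution(counts)
    after = distribution(shape_distribution(counts, max_share))
    return {"success_before": round(trawling_success(before, beta), 4),
            "success_after": round(trawling_success(after, beta), 4),
            "guesswork_before": round(expected_guesses(before), 4),
            "guesswork_after": round(expected_guesses(after), 4)}

if __name__ == "__main__":
    # With beta=3 the attacker's per-account success drops from 65% to 45%.
    print(compare(SAMPLE_ANSWERS, beta=3, max_share=0.15))
```

Capping the share of any single answer raises the expected number of guesses and, more importantly for a trawling attacker, cuts the fraction of accounts that fall to a fixed small number of guesses per account.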
