Financial Cryptography and Data Security

We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases, for which we see rapidly diminishing returns.
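To make the abstract's comparison concrete, the following is an added example (not code from the paper) that computes a standard offline-guessing metric: the number of most-likely phrases an attacker must try to cover a fraction alpha of accounts, converted to the size in bits of a uniformly chosen dictionary of equal strength. The `zipf` distribution, the 100-word vocabulary and alpha = 0.5 are constructed stand-ins for the skewed natural-language frequencies the paper measured; all function names are hypothetical.

```python
import math
from itertools import product

def guesses_to_cover(probs, alpha):
    """Smallest number of guesses, trying phrases in decreasing order of
    probability, needed to compromise a fraction alpha of accounts."""
    covered = 0.0
    for n, p in enumerate(sorted(probs, reverse=True), start=1):
        covered += p
        if covered >= alpha - 1e-12:   # small tolerance for float rounding
            return n
    return len(probs)

def effective_bits(probs, alpha):
    """Equivalent strength in bits: log2 of the size of a uniformly chosen
    dictionary that would cost the attacker the same number of guesses."""
    return math.log2(guesses_to_cover(probs, alpha) / alpha)

def uniform(n):
    """Every one of n phrases equally likely (the ideal random choice)."""
    return [1.0 / n] * n

def zipf(n, s=1.0):
    """Constructed Zipf-shaped frequencies: a stand-in for the skewed
    natural-language word and bigram frequencies the abstract describes."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def combine(probs, words):
    """Distribution over phrases built from `words` independently chosen
    words, each drawn from `probs` (models 2- and 3-word passphrases)."""
    return [math.prod(t) for t in product(probs, repeat=words)]

if __name__ == "__main__":
    vocab = 100
    for words in (1, 2, 3):
        ideal = effective_bits(combine(uniform(vocab), words), 0.5)
        skewed = effective_bits(combine(zipf(vocab), words), 0.5)
        print(f"{words}-word phrases: uniform {ideal:.1f} bits, "
              f"Zipf-skewed {skewed:.1f} bits (alpha=0.5)")
```

Running it shows how far a skewed choice falls short of the uniform ideal at the same vocabulary size, and how that shortfall persists as more words are added.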
