What's in a name? Evaluating statistical attacks on personal knowledge questions

Joseph Bonneau, Mike Just, Greg Matthews

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - 14th International Conference, FC 2010, Revised Selected Papers
Pages98-113
Number of pages16
DOIs
StatePublished - 2010
Event14th International Conference on Financial Cryptography and Data Security, FC 2010 - Tenerife, Canary Islands, Spain
Duration: Jan 25 2010Jan 28 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6052 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other14th International Conference on Financial Cryptography and Data Security, FC 2010
Country/TerritorySpain
CityTenerife, Canary Islands
Period1/25/101/28/10

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'What's in a name? Evaluating statistical attacks on personal knowledge questions'. Together they form a unique fingerprint.

Cite this