TY - GEN
T1 - What's in a name? Evaluating statistical attacks on personal knowledge questions
AU - Bonneau, Joseph
AU - Just, Mike
AU - Matthews, Greg
PY - 2010
Y1 - 2010
N2 - We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
AB - We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
UR - http://www.scopus.com/inward/record.url?scp=77955315492&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77955315492&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-14577-3_10
DO - 10.1007/978-3-642-14577-3_10
M3 - Conference contribution
AN - SCOPUS:77955315492
SN - 3642145760
SN - 9783642145766
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 98
EP - 113
BT - Financial Cryptography and Data Security - 14th International Conference, FC 2010, Revised Selected Papers
T2 - 14th International Conference on Financial Cryptography and Data Security, FC 2010
Y2 - 25 January 2010 through 28 January 2010
ER -