What's in a name? Evaluating statistical attacks on personal knowledge questions

Joseph Bonneau, Mike Just, Greg Matthews

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    Abstract

    We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

    Original language: English
    Title of host publication: Financial Cryptography and Data Security
    Subtitle of host publication: 14th International Conference, FC 2010
    Publisher: Springer
    Pages: 98-113
    Number of pages: 16
    ISBN (Print): 9783642145766
    DOI: https://doi.org/10.1007/978-3-642-14577-3_10
    Publication status: Published - 2010

    Publication series

    Name: Lecture Notes in Computer Science
    Volume: 6052
    ISSN (Print): 0302-9743

    Keywords

    • authentication
    • security
    • challenge questions


  • Cite this

    Bonneau, J., Just, M., & Matthews, G. (2010). What's in a name? Evaluating statistical attacks on personal knowledge questions. In Financial Cryptography and Data Security: 14th International Conference, FC 2010 (pp. 98-113). (Lecture Notes in Computer Science; Vol. 6052). Springer. https://doi.org/10.1007/978-3-642-14577-3_10