What’s in a Name?: Evaluating Statistical Attacks on Personal Knowledge Questions

Joseph Bonneau; Mike Just; Greg Matthews

doi:10.1007/978-3-642-14577-3_10

What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions

Joseph Bonneau, Mike Just, Greg Matthews

School of Informatics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

Original language	English
Title of host publication	Financial Cryptography and Data Security
Subtitle of host publication	14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers
Editors	Radu Sion
Publisher	Springer
Pages	98-113
Number of pages	16
ISBN (Electronic)	978-3-642-14577-3
ISBN (Print)	978-3-642-14576-6
DOIs	https://doi.org/10.1007/978-3-642-14577-3_10
Publication status	Published - 2010

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Berlin Heidelberg
Volume	6052
ISSN (Print)	0302-9743

Access to Document

10.1007/978-3-642-14577-3_10

http://link.springer.com/chapter/10.1007%2F978-3-642-14577-3_10

KBA: Knowledge-based Authentication; Evaluating and Improving
Aspinall, D. (Principal Investigator) & Just, M. (Researcher)
EPSRC
1/10/08 → 30/04/10
Project: Research

Cite this

Bonneau, J., Just, M., & Matthews, G. (2010). What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In R. Sion (Ed.), Financial Cryptography and Data Security: 14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers (pp. 98-113). (Lecture Notes in Computer Science; Vol. 6052). Springer. https://doi.org/10.1007/978-3-642-14577-3_10

Bonneau, Joseph ; Just, Mike ; Matthews, Greg. / What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. Financial Cryptography and Data Security: 14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers. editor / Radu Sion. Springer, 2010. pp. 98-113 (Lecture Notes in Computer Science).

@inproceedings{372f5ed65c054cc3b8ed144eb94314bf,

title = "What{\textquoteright}s in a Name?: Evaluating Statistical Attacks on Personal Knowledge Questions",

abstract = "We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers{\textquoteright} accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.",

author = "Joseph Bonneau and Mike Just and Greg Matthews",

year = "2010",

doi = "10.1007/978-3-642-14577-3_10",

language = "English",

isbn = "978-3-642-14576-6",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "98--113",

editor = "Radu Sion",

booktitle = "Financial Cryptography and Data Security",

address = "United Kingdom",

}

Bonneau, J, Just, M & Matthews, G 2010, What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. in R Sion (ed.), Financial Cryptography and Data Security: 14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers. Lecture Notes in Computer Science, vol. 6052, Springer, pp. 98-113. https://doi.org/10.1007/978-3-642-14577-3_10

What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. / Bonneau, Joseph; Just, Mike; Matthews, Greg.
Financial Cryptography and Data Security: 14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers. ed. / Radu Sion. Springer, 2010. p. 98-113 (Lecture Notes in Computer Science; Vol. 6052).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - What’s in a Name?

T2 - Evaluating Statistical Attacks on Personal Knowledge Questions

AU - Bonneau, Joseph

AU - Just, Mike

AU - Matthews, Greg

PY - 2010

Y1 - 2010

N2 - We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

AB - We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.

U2 - 10.1007/978-3-642-14577-3_10

DO - 10.1007/978-3-642-14577-3_10

M3 - Conference contribution

SN - 978-3-642-14576-6

T3 - Lecture Notes in Computer Science

SP - 98

EP - 113

BT - Financial Cryptography and Data Security

A2 - Sion, Radu

PB - Springer

ER -

Bonneau J, Just M, Matthews G. What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In Sion R, editor, Financial Cryptography and Data Security: 14th International Conference, FC 2010, Tenerife, Canary Islands, January 25-28, 2010, Revised Selected Papers. Springer. 2010. p. 98-113. (Lecture Notes in Computer Science). doi: 10.1007/978-3-642-14577-3_10

What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions

Abstract

Publication series

Access to Document

Fingerprint

Projects

KBA: Knowledge-based Authentication; Evaluating and Improving

Cite this