Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the attacker's knowledge. Using this model, we found that many participants were likely to have chosen questions with low-entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. By asking multiple questions, however, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.
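To make "the relative effort needed to crack a question" and the gain from asking several questions concrete, here is an added worked example. It is not code, data or the attacker model from the paper: it assumes a simpler model in which the attacker holds a probability distribution over plausible answers to each question and guesses in decreasing order of probability, and the answer distributions (`COLOUR`, `PET`) are constructed for illustration only. Under that assumption it computes min-entropy, expected guesses, the success probability within a lockout budget, and what happens when an acquaintance narrows the candidate set or when two questions must both be answered.

```python
"""Guessing effort against challenge questions under an assumed attacker model.

Added illustration, not the paper's model or data. The attacker is assumed to
know a probability distribution over answers (e.g. from population statistics)
and to try answers most-likely-first. All distributions below are constructed.
"""
from itertools import product
from math import log2, prod
from typing import Dict, Hashable, Iterable, List, Tuple

Dist = Dict[Hashable, float]

# Constructed answer distributions; NOT taken from the study.
COLOUR: Dist = {"blue": 0.35, "green": 0.20, "red": 0.15,
                "purple": 0.12, "black": 0.10, "yellow": 0.08}
PET: Dist = {"max": 0.12, "bella": 0.11, "charlie": 0.10, "lucy": 0.10,
             "molly": 0.10, "buddy": 0.10, "daisy": 0.10, "rocky": 0.09,
             "sadie": 0.09, "toby": 0.09}


def _sorted_probs(dist: Dist) -> List[float]:
    """Probabilities in the order an optimal guesser tries them, renormalised."""
    probs = sorted(dist.values(), reverse=True)
    total = sum(probs)
    return [p / total for p in probs]


def shannon_entropy(dist: Dist) -> float:
    """Average-case uncertainty in bits (often quoted, but optimistic for attacks)."""
    return -sum(p * log2(p) for p in _sorted_probs(dist) if p > 0)


def min_entropy(dist: Dist) -> float:
    """Bits of security against a single best guess: -log2(max p)."""
    return -log2(_sorted_probs(dist)[0])


def expected_guesses(dist: Dist) -> float:
    """Expected number of guesses until success with unlimited attempts."""
    return sum(i * p for i, p in enumerate(_sorted_probs(dist), start=1))


def success_within(dist: Dist, attempts: int) -> float:
    """Probability the attacker succeeds before a lockout after `attempts` tries."""
    return sum(_sorted_probs(dist)[:attempts])


def guesses_for(dist: Dist, alpha: float) -> int:
    """Guesses needed to reach success probability alpha (alpha-guesswork)."""
    cumulative = 0.0
    for i, p in enumerate(_sorted_probs(dist), start=1):
        cumulative += p
        if cumulative >= alpha - 1e-12:
            return i
    return len(dist)


def restrict(dist: Dist, candidates: Iterable[Hashable]) -> Dist:
    """Attacker with partial knowledge (an acquaintance) who has narrowed the
    answer to a candidate subset; the remaining mass is renormalised."""
    sub = {k: dist[k] for k in candidates if k in dist}
    total = sum(sub.values())
    return {k: v / total for k, v in sub.items()}


def joint(dists: List[Dist]) -> Dict[Tuple[Hashable, ...], float]:
    """Distribution over answer tuples when several questions must all be
    answered correctly in one attempt (assumed independent; no per-question
    feedback to the attacker)."""
    return {combo: prod(d[a] for d, a in zip(dists, combo))
            for combo in product(*[d.keys() for d in dists])}


def sequential_expected_guesses(dists: List[Dist]) -> float:
    """If the system reveals which question was wrong, the attacker solves them
    one at a time and the costs add instead of multiply."""
    return sum(expected_guesses(d) for d in dists)


if __name__ == "__main__":
    for name, d in (("favourite colour", COLOUR), ("first pet's name", PET)):
        print(f"{name}: H={shannon_entropy(d):.2f} bits, "
              f"H_min={min_entropy(d):.2f} bits, E[guesses]={expected_guesses(d):.2f}, "
              f"P(success in 3)={success_within(d, 3):.2f}")
    both = joint([COLOUR, PET])
    print(f"both at once: H_min={min_entropy(both):.2f} bits, "
          f"P(success in 3)={success_within(both, 3):.4f}")
    print(f"with per-question feedback: E[guesses]={sequential_expected_guesses([COLOUR, PET]):.2f} "
          f"vs {expected_guesses(both):.2f} without")
    acquaintance = restrict(PET, ["max", "buddy", "rocky"])
    print(f"acquaintance view of pet name: H_min={min_entropy(acquaintance):.2f} bits")
```

Two points the numbers make: min-entropy, not Shannon entropy, is the right figure for a three-strike lockout, since it is governed by the single most popular answer; and the multi-question gain assumed here only holds when the attacker gets no feedback about which answer was wrong, otherwise the questions are attacked one at a time and their costs merely add.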