Question-and-answer passwords: an empirical evaluation
Information Systems
Protecting secret keys with personal entropy
Future Generation Computer Systems - Special issue on security on the Web
Error-tolerant password recovery
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks
INDOCRYPT '00 Proceedings of the First International Conference on Progress in Cryptology
Password Memorability and Security: Empirical Results
IEEE Security and Privacy
Human selection of mnemonic phrase-based passwords
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
On user choice in graphical password schemes
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
On predictive models and user-drawn graphical passwords
ACM Transactions on Information and System Security (TISSEC)
Access control by testing for shared knowledge
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Human-seeded attacks and exploiting hot-spots in graphical passwords
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Improving text passwords through persuasion
Proceedings of the 4th symposium on Usable privacy and security
Personal knowledge questions for fallback authentication: security questions in the era of Facebook
Proceedings of the 4th symposium on Usable privacy and security
Quantifying the security of preference-based authentication
Proceedings of the 4th ACM workshop on Digital identity management
The practical subtleties of biometric key generation
SS'08 Proceedings of the 17th conference on Security symposium
Influencing users towards better passwords: persuasive cued click-points
BCS-HCI '08 Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction - Volume 1
Personal choice and challenge questions: a security and usability assessment
Proceedings of the 5th Symposium on Usable Privacy and Security
It's No Secret. Measuring the Security and Reliability of Authentication via "Secret Questions"
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Messin' with Texas: deriving mother's maiden names using public records
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
How much assurance does a PIN provide?
HIP'05 Proceedings of the Second international conference on Human Interactive Proofs
Pictures or questions?: examining user responses to association-based authentication
BCS '10 Proceedings of the 24th BCS Interaction Specialist Group Conference
Video-passwords: advertising while authenticating
Proceedings of the 2012 workshop on New security paradigms
Linguistic properties of multi-word passphrases
FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security
Usability and security evaluation of GeoPass: a geographic location-password scheme
Proceedings of the Ninth Symposium on Usable Privacy and Security
CloudSweeper: enabling data-centric document management for secure cloud archives
Proceedings of the 2013 ACM workshop on Cloud computing security workshop
Pitfalls in the automated strengthening of passwords
Proceedings of the 29th Annual Computer Security Applications Conference
We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.