What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions
Author(s): Joseph Bonneau, Mike Just, Greg Matthews

Date: 2010
Publication: Proceedings of the Fourteenth International Conference on Financial Cryptography and Data Security 2010
Page(s): 98 - 113
Source 1: http://www.cl.cam.ac.uk/~jcb82/doc/BJM10-FC-name_guessing_statistics.pdf
Source 2: http://homepages.inf.ed.ac.uk/mjust/statisticalAttackData/FCSubmission.pdf
Source 3: 130.203.133.150/viewdoc/summary?doi=10.1.1.212.2279

Abstract or Summary:
We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers' accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.


