What's in a name? Evaluating statistical attacks on personal knowledge questions
Citations
Cites background from "What's in a name? Evaluating statis..."
...or Resilient-to-Internal-Observation due to their static nature, and not Resilient-to-Leaks-from-Other-Verifiers as answers are typically stored un-hashed to enable more liberal string matching (and nearly all sites register the same types of questions [97])....
[...]
...The distribution of feasible answers, such as surnames in the population, is also typically skewed enough to limit the security of most questions to 10 bits [97]....
[...]
Cites background from "What's in a name? Evaluating statis..."
...also include guessing curves for two distributions from non-password-based authentication schemes: a distribution of four-digit unlock codes used for an iPhone application leaked in 2011 [33] and the distribution of surnames (the most common category of answer to personal knowledge questions) from a large-scale crawl of Facebook [34]....
[...]
...Theorems proved by Pliam [28], Boztaş [29], and Bonneau [34] demonstrate an unbounded gap: for any desired success rate α < 1, it is possible to construct a distribution X such that μ̃_α(X) +...
[...]
References
"What's in a name? Evaluating statis..." refers background in this paper
...Passwords and PINs are the most well-known, but there exist a variety of graphical and textual schemes to aid in recalling secret data [31,29,22,6]....
[...]
...Among other problems, passwords are forgotten frequently enough [31] that many deployed systems also use personal knowledge for backup authentication....
[...]
"What's in a name? Evaluating statis..." refers background or methods in this paper
...considered abstractly [4,23,3,20] and in the case of PINs [2], graphical passwords [6,29,22], and biometrics [1]; we synthesise previous analysis and define new metrics most applicable to trawling attackers....
[...]
...This gives H₁(X) > m + 3 and G̃(X) > m + 1, following from Massey’s proof that G̃ is bounded from below by (H₁ − 2) [20]....
[...]
...This measure was introduced by Massey [20] and later named by Cachin [4]....
[...]
...As has been argued previously [4,23,3,20,2,6,1], H₁ is a poor estimator of guessing difficulty for security purposes, as it quantifies the average number of subset membership queries of the form “Is X ∈ S?” for arbitrary subsets S ⊆ X....
[...]
"What's in a name? Evaluating statis..." refers background or methods in this paper
...In Figure 1 we plot the Facebook name distributions against textual passwords [16,28,27], mnemonic passwords [17], the Pass-Go user-drawn password system [22], the Passfaces graphical PIN system [29], the PassPoints visually-cued clicked password system [6] and a handwriting-recognition biometric system [1]....
[...]
...As has been argued previously [4,23,3,20,2,6,1], H₁ is a poor estimator of guessing difficulty for security purposes, as it quantifies the average number of subset membership queries of the form “Is X ∈ S?” for arbitrary subsets S ⊆ X....
[...]
...1: Comparison of weak subspaces in name distributions (Facebook dataset) to those found in other authentication systems [16,28,27,29,22,6,1]....
[...]
...considered abstractly [4,23,3,20] and in the case of PINs [2], graphical passwords [6,29,22], and biometrics [1]; we synthesise previous analysis and define new metrics most applicable to trawling attackers....
[...]
...Passwords and PINs are the most well-known, but there exist a variety of graphical and textual schemes to aid in recalling secret data [31,29,22,6]....
[...]