What's in a name? Evaluating statistical attacks on personal knowledge questions
01 Jan 2010-pp 98-113
TL;DR: A diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places is examined and it is found that personal knowledge questions are significantly less secure than graphical or textual passwords.
Abstract: We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
Citations
More filters
20 May 2012
TL;DR: It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Abstract: We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.
914 citations
Cites background from "What's in a name? Evaluating statis..."
...or Resilient-to-Internal-Observation due to their static nature, and not Resilient-to-Leaks-from-Other-Verifiers as answers are typically stored un-hashed to enable more liberal string matching (and nearly all sites register the same types of questions [97])....
[...]
...The distribution of feasible answers, such as surnames in the population, is also typically skewed enough to limit the security of most questions to 10 bits [97]....
[...]
19 Aug 2012
TL;DR: A working implementation of leveled homomorphic encryption without bootstrapping that can evaluate the AES-128 circuit in three different ways, and develops both AES-specific optimizations as well as several "generic" tools for FHE evaluation.
Abstract: We describe a working implementation of leveled homomorphic encryption without bootstrapping that can evaluate the AES-128 circuit in three different ways. One variant takes under over 36 hours to evaluate an entire AES encryption operation, using NTL over GMP as our underlying software platform, and running on a large-memory machine. Using SIMD techniques, we can process over 54 blocks in each evaluation, yielding an amortized rate of just under 40 minutes per block. Another implementation takes just over two and a half days to evaluate the AES operation, but can process 720 blocks in each evaluation, yielding an amortized rate of just over five minutes per block. We also detail a third implementation, which theoretically could yield even better amortized complexity, but in practice turns out to be less competitive.
For our implementations we develop both AES-specific optimizations as well as several "generic" tools for FHE evaluation. These last tools include among others a different variant of the Brakerski-Vaikuntanathan key-switching technique that does not require reducing the norm of the ciphertext vector, and a method of implementing the Brakerski-Gentry-Vaikuntanathan modulus-switching transformation on ciphertexts in CRT representation.
814 citations
20 May 2012
TL;DR: It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits ofSecurity against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Abstract: We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists.
711 citations
Cites background from "What's in a name? Evaluating statis..."
...also include guessing curves for two distributions from non-password-based authentication schemes: a distribution of four-digit unlock codes used for an iPhone application leaked in 2011 [33] and the distribution of surnames (the most common category of answer to personal knowledge questions) from a large-scale crawl of Facebook [34]....
[...]
...Theorems proved by Pliam [28], Boztaş [29], and Bonneau [34] demonstrate an unbounded gap: for any desired success rate α < 1, it is possible to construct a distribution X such that μ̃α(X ) +...
[...]
26 Jan 2015
TL;DR: The GHOST rule is addressed, a modification to the way Bitcoin nodes construct and re-organize the block chain, Bitcoin’s core distributed data-structure, to address security concerns over high transaction throughput.
Abstract: Bitcoin is a disruptive new crypto-currency based on a decentralized open-source protocol which has been gradually gaining momentum. Perhaps the most important question that will affect Bitcoin’s success, is whether or not it will be able to scale to support the high volume of transactions required from a global currency system. We investigate the implications of having a higher transaction throughput on Bitcoin’s security against double-spend attacks. We show that at high throughput, substantially weaker attackers are able to reverse payments they have made, even well after they were considered accepted by recipients. We address this security concern through the GHOST rule, a modification to the way Bitcoin nodes construct and re-organize the block chain, Bitcoin’s core distributed data-structure. GHOST has been adopted and a variant of it has been implemented as part of the Ethereum project, a second generation distributed applications platform.
685 citations
TL;DR: It is found that the Bitcoin forms a unique asset possessing properties of both a standard financial asset and a speculative one.
Abstract: The Bitcoin has emerged as a fascinating phenomenon in the Financial markets. Without any central authority issuing the currency, the Bitcoin has been associated with controversy ever since its popularity, accompanied by increased public interest, reached high levels. Here, we contribute to the discussion by examining the potential drivers of Bitcoin prices, ranging from fundamental sources to speculative and technical ones, and we further study the potential influence of the Chinese market. The evolution of relationships is examined in both time and frequency domains utilizing the continuous wavelets framework, so that we not only comment on the development of the interconnections in time but also distinguish between short-term and long-term connections. We find that the Bitcoin forms a unique asset possessing properties of both a standard financial asset and a speculative one.
611 citations
References
More filters
TL;DR: A general epidemic threshold condition is proposed for the NLDS system: it is proved that the epidemic threshold for a network is exactly the inverse of the largest eigenvalue of its adjacency matrix, and it is shown that below the epidemic thresholds, infections die out at an exponential rate.
Abstract: How will a virus propagate in a real networkq How long does it take to disinfect a network given particular values of infection rate and virus death rateq What is the single best node to immunizeq Answering these questions is essential for devising network-wide strategies to counter viruses. In addition, viral propagation is very similar in principle to the spread of rumors, information, and “fads,” implying that the solutions for viral propagation would also offer insights into these other problem settings. We answer these questions by developing a nonlinear dynamical system (NLDS) that accurately models viral propagation in any arbitrary network, including real and synthesized network graphs. We propose a general epidemic threshold condition for the NLDS system: we prove that the epidemic threshold for a network is exactly the inverse of the largest eigenvalue of its adjacency matrix. Finally, we show that below the epidemic threshold, infections die out at an exponential rate. Our epidemic threshold model subsumes many known thresholds for special-case graphs (e.g., Erdos--Renyi, BA powerlaw, homogeneous). We demonstrate the predictive power of our model with extensive experiments on real and synthesized graphs, and show that our threshold condition holds for arbitrary graphs. Finally, we show how to utilize our threshold condition for practical uses: It can dictate which nodes to immunize; it can assess the effects of a throttling policy; it can help us design network topologies so that they are more resistant to viruses.
787 citations
01 Sep 2004
TL;DR: To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice.
Abstract: Users rarely choose passwords that are both hard to guess and easy to remember. To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenge the established wisdom.
678 citations
"What's in a name? Evaluating statis..." refers background in this paper
...Passwords and PINs are the most well-known, but there exist a variety of graphical and textual schemes to aid in recalling secret data [31,29,22,6]....
[...]
...Among other problems, passwords are forgotten frequently enough [31] that many deployed systems also use personal knowledge for backup authentication....
[...]
[...]
TL;DR: It is shown that the average number of successive guesses, E,[G], required with an optimum strategy until one correctly guesses the value of a discrete random X, is underbounded by the entropy H(X) in the manner E[G]/spl ges/( 1/4 )2/sup H(x/)+1 provided that H( X)/spl ge/2 bits.
Abstract: It is shown that the average number of successive guesses, E[G], required with an optimum strategy until one correctly guesses the value of a discrete random X, is underbounded by the entropy H(X) in the manner E[G]/spl ges/( 1/4 )2/sup H(X/)+1 provided that H(X)/spl ges/2 bits. This bound is tight within a factor of (4/e) when X is geometrically distributed. It is further shown that E[G] may be arbitrarily large when H(X) is an arbitrarily small positive number so that there is no interesting upper bound on E[G] in terms of H(X). >
565 citations
"What's in a name? Evaluating statis..." refers background or methods in this paper
...considered abstractly [4,23,3,20] and in the case of PINs [2], graphical passwords [6,29,22], and biometrics [1]; we synthesise previous analysis and define new metrics most applicable to trawling attackers....
[...]
...This gives H1(X ) > m + 3 and G̃(X ) > m + 1, following from Massey’s proof that G̃ is bounded from below by (H1 − 2) [20]....
[...]
...This measure was introduced by Massey [20] and later named by Cachin [4]....
[...]
...As has been argued previously [4,23,3,20,2,6,1], H1 is a poor estimator of guessing difficulty for security purposes, as it quantifies the average number of subset membership queries of the form “Is X ∈ S?” for arbitrary subsets S ⊆ X ....
[...]
Proceedings Article•
13 Aug 2004TL;DR: It is shown that permitting user selection of passwords in two graphical password schemes can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user.
Abstract: Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects of user choice on the security of graphical password schemes. We show that permitting user selection of passwords in two graphical password schemes, one based directly on an existing commercial product, can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user. For one scheme, this effect is so dramatic so as to render the scheme insecure. A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today.
509 citations
"What's in a name? Evaluating statis..." refers background or methods in this paper
...In Figure 1 we plot the Facebook name distributions against textual passwords [16,28,27], mnemonic passwords [17], the Pass-Go user-drawn password system [22], the Passfaces graphical PIN system [29], the PassPoints visually-cued clicked password system [6] and a handwriting-recognition biometric system [1]....
[...]
...As has been argued previously [4,23,3,20,2,6,1], H1 is a poor estimator of guessing difficulty for security purposes, as it quantifies the average number of subset membership queries of the form “Is X ∈ S?” for arbitrary subsets S ⊆ X ....
[...]
...1: Comparison of weak subspaces in name distributions (Facebook dataset) to those found in other authentication systems [16,28,27,29,22,6,1]....
[...]
...considered abstractly [4,23,3,20] and in the case of PINs [2], graphical passwords [6,29,22], and biometrics [1]; we synthesise previous analysis and define new metrics most applicable to trawling attackers....
[...]
...Passwords and PINs are the most well-known, but there exist a variety of graphical and textual schemes to aid in recalling secret data [31,29,22,6]....
[...]
Journal Article•
TL;DR: Some of the problems of current password security are outlined by demonstrating the ease by which individual accounts may be broken, and one solution to this point of system vulnerability, a proactive password checker is proposed.
Abstract: With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system {open_quotes}crackers,{close_quotes} data theft, and data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease by which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is proposed. 11 refs., 2 tabs.
453 citations