
Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)

  • Conference paper
Technology and Practice of Passwords (PASSWORDS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9551)

Abstract

Personal Knowledge Questions are widely used for fallback authentication, i.e., recovering access to an account when the primary authenticator is lost. It is well known that the answers have only low entropy and are sometimes derivable from public data sources, but ease of use and supposedly good memorability seem to outweigh this drawback for some applications.

Recently, a database dump of an online dating website was leaked, including 3.9 million plain-text answers to personal knowledge questions, making it the largest publicly available list. We analyzed this list of answers and were able to confirm previous findings that were obtained on non-public lists (WWW 2015); in particular, we found that some users don’t answer truthfully, which may actually reduce the answers’ entropy.
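The abstract's claim that untruthful answers can lower entropy is easy to see with the metrics used in this line of work: a defender measuring an answer corpus cares less about Shannon entropy than about min-entropy and about how many users an attacker covers with the k most popular answers. The following is an added example, not code or data from the paper or its authors; the two answer lists are constructed (pet-name-style answers, with "none" standing in for the placeholder answers some users type instead of a real one), and the normalization rule is an assumption about how a lenient verifier would compare answers.

```python
from collections import Counter
from math import log2

# Constructed sample: 16 users who all gave distinct, truthful-looking answers.
TRUTHFUL = ["Fluffy", "Rex", "Bella", "Max", "Luna", "Charlie", "Daisy", "Rocky",
            "Molly", "Buddy", "Coco", "Lucy", "Bailey", "Ginger", "Sadie", "Toby"]

# Constructed sample: same number of users, but four of them typed a placeholder
# instead of a real answer (spelled and cased differently, as real users do).
CARELESS = ["Fluffy", "none", "Bella", "NONE", "Luna", "Charlie", "none ", "Rocky",
            "Molly", "Buddy", "Coco", "None", "Bailey", "Ginger", "Sadie", "Toby"]


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace, as a lenient verifier would (assumed rule)."""
    return " ".join(answer.casefold().split())


def answer_distribution(answers):
    """Map each normalized answer to its empirical probability, most popular first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.most_common()}


def shannon_entropy(dist):
    """Average surprise in bits; overstates security when a few answers dominate."""
    return -sum(p * log2(p) for p in dist.values())


def min_entropy(dist):
    """Worst-case bits: determined solely by the single most popular answer."""
    return -log2(max(dist.values()))


def guess_success(dist, k):
    """Fraction of users covered by an attacker trying the k most popular answers."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def report(label, answers):
    dist = answer_distribution(answers)
    return {
        "label": label,
        "distinct": len(dist),
        "shannon_bits": shannon_entropy(dist),
        "min_entropy_bits": min_entropy(dist),
        "top1_success": guess_success(dist, 1),
        "top3_success": guess_success(dist, 3),
    }


if __name__ == "__main__":
    for r in (report("truthful", TRUTHFUL), report("careless", CARELESS)):
        print(r)
```

With the constructed lists, the truthful corpus has 4.0 bits of both Shannon and min-entropy, while merging the four placeholder variants into one answer drops min-entropy to 2.0 bits and lets a one-guess attacker cover a quarter of the users; Shannon entropy only falls to 3.5 bits, which is why min-entropy or a guess-count metric is the one to monitor when evaluating a deployed question.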


References

  1. Newitz, A.: Ashley Madison code shows more women, and more bots, August 2015. http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/. Accessed 6 January 2016

  2. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy. IEEE (2012)

  3. Bonneau, J., Bursztein, E., Caron, I., Jackson, R., Williamson, M.: Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at Google. In: International World Wide Web Conference IW3C2 (2015)

  4. Bonneau, J., Just, M., Matthews, G.: What’s in a name? Evaluating statistical attacks on personal knowledge questions. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 98–113. Springer, Heidelberg (2010)

  5. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth factor authentication: somebody you know. In: ACM Conference on Computer and Communications Security, pp. 168–178. ACM Press (2006)

  6. Garfinkel, S.L.: Email-based identification and authentication: an alternative to PKI? IEEE Secur. Priv. 1(6), 20–26 (2003)

  7. Griffith, V., Jakobsson, M.: Messin’ with Texas - Deriving mother’s maiden names using public records. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 91–103. Springer, Heidelberg (2005)

  8. Jakobsson, M., Stolterman, E., Wetzel, S., Yang, L.: Love and authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 197–200. ACM Press (2008)

  9. Just, M.: Designing and evaluating challenge-question systems. IEEE Secur. Priv. 2(5), 32–39 (2004)

  10. Kim, H., Tang, J., Anderson, R.: Social authentication: harder than it looks. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 1–15. Springer, Heidelberg (2012)

  11. Zetter, K.: Hackers finally post stolen Ashley Madison data, August 2015. http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924. Accessed 6 January 2016

  12. Mitnick, K.D., Simon, W.L.: The art of deception: controlling the human element of security. Wiley, New York (2002)

  13. Rabkin, A.: Personal knowledge questions for fallback authentication: security questions in the era of Facebook. In: USENIX Symposium on Usable Privacy and Security, pp. 13–23. USENIX Association (2008)

  14. Rosenblum, D.: What anyone can know: the privacy risks of social networking sites. IEEE Secur. Priv. 5(3), 40–49 (2007)

  15. Schechter, S., Brush, A.J.B., Egelman, S.: It’s no secret: measuring the security and reliability of authentication via “Secret” questions. In: IEEE Symposium on Security and Privacy, pp. 375–390. IEEE Computer Society (2009)

  16. Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM Press (2009)

  17. Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36(3), 227–237 (1993)

Author information

Correspondence to Maximilian Golla.

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Golla, M., Dürmuth, M. (2016). Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper). In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science, vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_3

  • DOI: https://doi.org/10.1007/978-3-319-29938-9_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29937-2

  • Online ISBN: 978-3-319-29938-9