Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)
Personal Knowledge Questions are widely used for fallback authentication, i.e., recovering access to an account when the primary authenticator is lost. It is well known that the answers have only low entropy and are sometimes derivable from public data sources, but ease of use and supposedly good memorability seem to outweigh this drawback for some applications.
Recently, a database dump of an online dating website was leaked, including 3.9 million plain-text answers to personal knowledge questions, making it the largest publicly available list. We analyzed this list of answers and were able to confirm previous findings that were obtained on non-public lists (WWW 2015); in particular, we found that some users do not answer truthfully, which may actually reduce the answers' entropy.
Keywords: Fallback authentication · Personal knowledge question · Password recovery · Password reset · Challenge question
- 1. Newitz, A.: Ashley Madison code shows more women, and more bots, August 2015. http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/. Accessed 6 January 2016
- 2. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy. IEEE (2012)
- 3. Bonneau, J., Bursztein, E., Caron, I., Jackson, R., Williamson, M.: Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at Google. In: International World Wide Web Conference. IW3C2 (2015)
- 5. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth factor authentication: somebody you know. In: ACM Conference on Computer and Communications Security, pp. 168–178. ACM Press (2006)
- 8. Jakobsson, M., Stolterman, E., Wetzel, S., Yang, L.: Love and authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 197–200. ACM Press (2008)
- 11. Zetter, K.: Hackers finally post stolen Ashley Madison data, August 2015. http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924. Accessed 6 January 2016
- 12. Mitnick, K.D., Simon, W.L.: The art of deception: controlling the human element of security. Wiley, New York (2002)
- 13. Rabkin, A.: Personal knowledge questions for fallback authentication: security questions in the era of Facebook. In: USENIX Symposium on Usable Privacy and Security, pp. 13–23. USENIX Association (2008)
- 15. Schechter, S., Brush, A.J.B., Egelman, S.: It's no secret: measuring the security and reliability of authentication via "secret" questions. In: IEEE Symposium on Security and Privacy, pp. 375–390. IEEE Computer Society (2009)
- 16. Schechter, S., Egelman, S., Reeder, R.W.: It's not what you know, but who you know: a social approach to last-resort authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM Press (2009)