RISC Seminars (Research on Information Security and Cryptology)

     Archives: [2024] [2023] [2022] [2021] [2020] [2019] [2018] [2017] [2016] [2015] [2014] [2013] [2012] [2011] [2010] [2009] [2008] [2007] [2006] [2005] [2004] [List of Speakers]
(To receive information about upcoming seminars, register for the RISC mailing list.)
[print]
RISC Seminar
Date:December 7
Location:L017
Schedule: 
16:15-17:00Elie Bursztein (Google):
Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google
Abstract: We examine the first large real-world data set on personal knowledge question’s security and memorability from their deployment at Google. Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate. Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully.
Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability. We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.
Joint work with Joseph Bonneau (Princeton University), Rob Jackson (Google), Mike Williamson (Google)
0.05966s