Abstract
A partial password is a query of a subset of characters from a full password, posed as a challenge such as “Give me letters 2, 3 and 6 from your password”. Partial passwords are commonly used in the consumer financial sector, both online and in telephone banking. They provide a cheap way of providing a varying challenge that prevents eavesdroppers or intermediate systems learning a shared secret in a single step. Yet, despite widespread adoption among millions of consumers, this mechanism has had little attention in the academic literature. Answers to obvious questions are not clear, for example, how many observations are needed for an attacker to learn the complete password, or to successfully answer the next challenge? In this paper we survey a number of online banking implementations of partial passwords, and investigate the security of the mechanism. In particular, we look at guessing attacks with a projection dictionary ranked by likelihood, and recording attacks which use previous information collected by an attacker. The combination of these techniques yields the best attack on partial passwords.
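The abstract asks how many observations a recording attacker needs before it can answer the next challenge or knows the whole password. The following is an added example, not the paper's own code: an exact combinatorial model (constructed here, assuming challenges draw k distinct positions uniformly at random and the attacker passively records every challenge/answer pair) that a defender can use to quantify that exposure for a given password length and challenge size.

```python
from fractions import Fraction
from math import comb

# Constructed model (not the paper's own code): a password of n characters,
# each challenge asks for k distinct positions chosen uniformly at random,
# and a passive eavesdropper records every challenge/answer pair.

def reveal_probabilities(n, k, known):
    """P(a fresh challenge exposes i not-yet-seen positions | `known` already seen)."""
    unknown = n - known
    total = comb(n, k)
    return {i: Fraction(comb(unknown, i) * comb(known, k - i), total)
            for i in range(k + 1)
            if comb(unknown, i) * comb(known, k - i) > 0}

def known_distribution(n, k, m):
    """Distribution of the number of positions exposed after m recorded challenges."""
    dist = {0: Fraction(1)}
    for _ in range(m):
        nxt = {}
        for known, p in dist.items():
            for i, q in reveal_probabilities(n, k, known).items():
                nxt[known + i] = nxt.get(known + i, Fraction(0)) + p * q
        dist = nxt
    return dist

def p_answer_next(n, k, m):
    """Probability that the (m+1)-th challenge can be answered from recordings alone."""
    total = comb(n, k)
    return sum((p * Fraction(comb(known, k), total)
                for known, p in known_distribution(n, k, m).items()), Fraction(0))

def expected_observations_to_full(n, k):
    """Expected number of recorded challenges until every position has been exposed."""
    expect = {n: Fraction(0)}          # nothing left to learn
    for known in range(n - 1, -1, -1):
        probs = reveal_probabilities(n, k, known)
        stay = probs.get(0, Fraction(0))   # challenge reveals nothing new
        rest = sum(q * expect[known + i] for i, q in probs.items() if i > 0)
        expect[known] = (1 + rest) / (1 - stay)
    return expect[0]

if __name__ == "__main__":
    n, k = 8, 3   # e.g. an 8-character password, 3 positions per challenge
    for m in range(7):
        print(f"{m} observations: P(answer next challenge) = {float(p_answer_next(n, k, m)):.3f}")
    print(f"expected observations to expose all {n} positions: "
          f"{float(expected_observations_to_full(n, k)):.2f}")
```

The model counts only positions revealed verbatim; the paper's projection-dictionary attack, which guesses the remaining positions by likelihood, would answer sooner, so these figures are an upper bound on the number of observations a defender can assume are safe.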
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Aspinall, D., Just, M. (2013). “Give Me Letters 2, 3 and 6!”: Partial Password Implementations and Attacks. In: Sadeghi, AR. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_11
DOI: https://doi.org/10.1007/978-3-642-39884-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39883-4
Online ISBN: 978-3-642-39884-1