“Give Me Letters 2, 3 and 6!”: Partial Password Implementations and Attacks

  • David Aspinall
  • Mike Just
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7859)


A partial password is a query of a subset of characters from a full password, posed as a challenge such as “Give me letters 2, 3 and 6 from your password”. Partial passwords are commonly used in the consumer financial sector, both online and in telephone banking. They provide a cheap way of providing a varying challenge that prevents eavesdroppers or intermediate systems learning a shared secret in a single step. Yet, despite widespread adoption among millions of consumers, this mechanism has had little attention in the academic literature. Answers to obvious questions are not clear, for example, how many observations are needed for an attacker to learn the complete password, or to successfully answer the next challenge? In this paper we survey a number of online banking implementations of partial passwords, and investigate the security of the mechanism. In particular, we look at guessing attacks with a projection dictionary ranked by likelihood, and recording attacks which use previous information collected by an attacker. The combination of these techniques yields the best attack on partial passwords.


passwords PINs dictionary attack recording attack bank security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    UK Consumers Association: Bank websites: How safe is yours? Which? Magazine, 24–27 (September 2011)Google Scholar
  2. 2.
    Matsumoto, T., Imai, H.: Human identification through insecure channel. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 409–421. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  3. 3.
    Li, X.Y., Teng, S.H.: Practical human-machine identification over insecure channels. Journal of Combinatorial Optimization 3(4), 347–361 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  4. 4.
    Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Goring, S., Rabaiotti, J., Jones, A.: Anti-keylogging measures for secure internet login: An example of the law of unintended consequences. Computers & Security 26(6), 421–426 (2007)CrossRefGoogle Scholar
  6. 6.
    Berkman, O., Ostrovsky, O.M.: The unbearable lightness of PIN cracking. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 224–238. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Focardi, R., Luccio, F.: Guessing bank PINs by winning a mastermind game. Theory of Computing Systems 50(1), 52–71 (2012)MathSciNetzbMATHCrossRefGoogle Scholar
  8. 8.
    Bonneau, J., Just, M., Matthews, G.: What’s in a name? Evaluating statistical attacks on personal knowledge questions. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 98–113. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. 10.
    Weir, M., et al.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proc. 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 162–175. ACM (2010)Google Scholar
  11. 11.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In: IEEE Symposium on Security and Privacy, pp. 523–537. IEEE Computer Society (2012)Google Scholar
  12. 12.
    Malone, D., Maher, K.: Investigating the distribution of password choices. In: WWW, pp. 301–310. ACM (2012)Google Scholar
  13. 13.
    Brostoff, S., Sasse, M.A.: “Ten strikes and you’re out”: Increasing the number of login attempts can improve password usability. In: Proceedings of CHI 2003 Workshop on HCI and Security Systems. John Wiley (April 2003)Google Scholar
  14. 14.
    Just, M., Aspinall, D.: On the security and usability of dual credential authentication in UK online banking. In: 7th International Conference for Internet Technology and Secured Transactions (ICITST 2012). IEEE (December 2012)Google Scholar
  15. 15.
    Bonneau, J.: The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy, pp. 538–552. IEEE CS (2012)Google Scholar
  16. 16.
    Yan, J.J.: A note on proactive password checking. In: Proc. 2001 New Security Paradigms Workshop, NSPW 2001, pp. 127–135. ACM (2001)Google Scholar
  17. 17.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proc. of the 12th ACM CCS, pp. 364–372. ACM (2005)Google Scholar
  18. 18.
    Bowes, R.: SkullSecurity blog, passwords page, (accessed September 2012)
  19. 19.
    Mahmood, Z.: Attitudes towards the use of e-banking: Result of a pilot study. Communications of the IBIMA 8, 170–174 (2009)Google Scholar
  20. 20. UK consumers prefer online banking - survey (May 2011)Google Scholar
  21. 21.
    Voice, C.B., Chiviendacz, M., Pillman, E.: United states patent: 8060915 - Method and apparatus for providing electronic message authentication (November 2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • David Aspinall
    • 1
  • Mike Just
    • 2
  1. 1.University of EdinburghUK
  2. 2.Glasgow Caledonian UniversityUK

Personalised recommendations