Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


Personal knowledge questions are widely used for fallback authentication, i.e., recovering access to an account when the primary authenticator is lost. It is well known that such answers have only low entropy and are sometimes derivable from public data sources, but ease of use and supposedly good memorability seem to outweigh this drawback for some applications.

Recently, a database dump of an online dating website was leaked, including 3.9 million plaintext answers to personal knowledge questions, making it the largest publicly available list. We analyzed this list of answers and were able to confirm previous findings that were obtained on non-public lists (WWW 2015); in particular, we found that some users do not answer truthfully, which may actually reduce the answers' entropy.


Keywords: Fallback authentication · Personal knowledge question · Password recovery · Password reset · Challenge question


References

1. Newitz, A.: Ashley Madison code shows more women, and more bots (August 2015). Accessed 6 January 2016
2. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy. IEEE (2012)
3. Bonneau, J., Bursztein, E., Caron, I., Jackson, R., Williamson, M.: Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at Google. In: International World Wide Web Conference. IW3C2 (2015)
4. Bonneau, J., Just, M., Matthews, G.: What's in a name? Evaluating statistical attacks on personal knowledge questions. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 98–113. Springer, Heidelberg (2010)
5. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth factor authentication: somebody you know. In: ACM Conference on Computer and Communications Security, pp. 168–178. ACM Press (2006)
6. Garfinkel, S.L.: Email-based identification and authentication: an alternative to PKI? IEEE Secur. Priv. 1(6), 20–26 (2003)
7. Griffith, V., Jakobsson, M.: Messin' with Texas: deriving mother's maiden names using public records. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 91–103. Springer, Heidelberg (2005)
8. Jakobsson, M., Stolterman, E., Wetzel, S., Yang, L.: Love and authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 197–200. ACM Press (2008)
9. Just, M.: Designing and evaluating challenge-question systems. IEEE Secur. Priv. 2(5), 32–39 (2004)
10. Kim, H., Tang, J., Anderson, R.: Social authentication: harder than it looks. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 1–15. Springer, Heidelberg (2012)
11. Zetter, K.: Hackers finally post stolen Ashley Madison data (August 2015). Accessed 6 January 2016
12. Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley, New York (2002)
13. Rabkin, A.: Personal knowledge questions for fallback authentication: security questions in the era of Facebook. In: USENIX Symposium on Usable Privacy and Security, pp. 13–23. USENIX Association (2008)
14. Rosenblum, D.: What anyone can know: the privacy risks of social networking sites. IEEE Secur. Priv. 5(3), 40–49 (2007)
15. Schechter, S., Brush, A.J.B., Egelman, S.: It's no secret: measuring the security and reliability of authentication via "secret" questions. In: IEEE Symposium on Security and Privacy, pp. 375–390. IEEE Computer Society (2009)
16. Schechter, S., Egelman, S., Reeder, R.W.: It's not what you know, but who you know: a social approach to last-resort authentication. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM Press (2009)
17. Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36(3), 227–237 (1993)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Bochum, Germany
