The Science of Guessing
- Joseph Bonneau | University of Cambridge
Despite decades of efforts to improve authentication, the world still relies heavily on secrets chosen (and memorized) by humans: passwords, PINs, personal knowledge questions and the occasional graphical password scheme. While everybody thinks these are possible for attackers to guess, our understanding of just how difficult this is remains vague. Are passwords or PINs harder to guess, and by how much? How can we accurately compare the difficulty of guessing passwords chosen by older users to those chosen by younger users, or those chosen by English speakers to those chosen by Spanish speakers? This talk will address these questions, presenting the speaker’s dissertation research and upcoming IEEE Security & Privacy Symposium publication. To do so, the talk will introduce the right statistical metrics for measuring guessing resistance, discuss how to collect large password datasets in a privacy-friendly and secure manner, and discuss some findings from analyzing 70 M passwords from Yahoo! users, perhaps the largest corpus ever studied.
Speaker Details
Joseph Bonneau is completing his PhD at the University of Cambridge under the supervision of Ross Anderson. His dissertation focuses on online authentication, both developing a theoretical understanding of guessing attacks and studying the economic factors affecting real-world deployment. He has also researched privacy in social networks, censorship resistance, online protests, and side-channel cryptanalysis. Prior to studying at Cambridge, he worked as a cryptographer at Cryptography Research, Inc., consulting on cryptographic design and researching power analysis attacks and obfuscated cryptography. He received a BS in Computer Science and Mathematics and an MS in Cryptography from Stanford University, where he was supervised by Dan Boneh. He has also interned at Microsoft, Yahoo!, Integration Appliance, and the Federal Bureau of Investigation. In his spare time he has competed in football, rugby, soccer, and water polo and has been said to host the most challenging pub quizzes in Cambridge.
Jeff Running