Entries Tagged "passwords"


"1234" and Birthdays Are the Most Common PINs

Research paper: “A birthday present every eleven wallets? The security of customer-chosen banking PINs,” by Joseph Bonneau, Sören Preibusch, and Ross Anderson:

Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Blog post.

EDITED TO ADD (2/22): News article
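The abstract's two recommendations for banks, a denied-PIN list and a check that the PIN is not derivable from the customer's birth date, can be written as a small enrolment-time policy. The following is an added illustration, not code from the paper or from any bank; the specific rules (sequences, repeated patterns, MMDD/DDMM dates, years 1900 to 2030, and four-digit windows of the usual date-of-birth spellings) are assumptions chosen for the example, and the paper's own list is not reproduced here.

```python
from datetime import date
from typing import Optional

# Added illustration of a customer-chosen PIN "denied list" of the kind the paper
# recommends banks enforce. The rules below are assumptions for the example, not
# the paper's list or any bank's actual policy.

def is_sequential(pin: str) -> bool:
    """1234, 4321, 6789, ...: every step between adjacent digits is +1, or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def is_repeated(pin: str) -> bool:
    """Low-variety patterns: AAAA, ABAB and AABB."""
    return pin[:2] == pin[2:] or (pin[0] == pin[1] and pin[2] == pin[3])

def is_date_or_year(pin: str) -> bool:
    """MMDD or DDMM of a real calendar date, or a four-digit year in a plausible range."""
    a, b = int(pin[:2]), int(pin[2:])
    for month, day in ((a, b), (b, a)):
        try:
            date(2000, month, day)      # 2000 is a leap year, so 0229 counts as a date
            return True
        except ValueError:
            pass
    return 1900 <= int(pin) <= 2030

def derived_from_birthdate(pin: str, dob: date) -> bool:
    """True if the PIN is any four consecutive digits of the common DOB spellings
    (DDMMYYYY, MMDDYYYY, YYYYMMDD). The paper notes a static list cannot stop
    guessing once the birth date is known, so this is an enrolment-time check."""
    spellings = (dob.strftime("%d%m%Y"), dob.strftime("%m%d%Y"), dob.strftime("%Y%m%d"))
    return any(pin == s[i:i + 4] for s in spellings for i in range(len(s) - 3))

def pin_rejection_reason(pin: str, dob: Optional[date] = None) -> Optional[str]:
    """Return why the PIN is denied, or None if it passes the policy."""
    if len(pin) != 4 or not pin.isdigit():
        return "not four digits"
    if is_sequential(pin):
        return "sequential"
    if is_repeated(pin):
        return "repeated pattern"
    if is_date_or_year(pin):
        return "date or year"
    if dob is not None and derived_from_birthdate(pin, dob):
        return "derived from birth date"
    return None

def denied_fraction() -> float:
    """Share of the 10,000 possible PINs that the static rules (no DOB) reject."""
    denied = sum(pin_rejection_reason(f"{n:04d}") is not None for n in range(10_000))
    return denied / 10_000

if __name__ == "__main__":
    # Constructed sample: a customer born 14 July 1985 (an assumed value).
    for pin in ("1234", "1111", "0229", "1982", "8507", "8361"):
        print(pin, pin_rejection_reason(pin, dob=date(1985, 7, 14)))
    print(f"static rules deny {denied_fraction():.1%} of the PIN space")
```

The static rules remove only a small slice of the 10,000-PIN space, which is the point the abstract makes: a denied list blunts the 1234-style guesses but does nothing against a thief who already holds the cardholder's ID, so the birth-date check has to be applied against the customer's own record when the PIN is chosen.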

Posted on February 21, 2012 at 7:36 AM

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she’s forgotten the key.

What happens now? It seems as if this excuse would always be available to someone who doesn’t want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It’s less credible for someone to say “I have no idea what my password is,” and more likely to say something like “it was the word ‘telephone’ with a zero for the o and then some number following—four digits, with a six in it—and then a punctuation mark like a period.” And then a brute-force password search could be targeted. I suppose someone could say “it was a random alphanumeric password created by an automatic program; I really have no idea,” but I’m not sure a judge would believe it.

Posted on February 13, 2012 at 5:20 AM

Password Sharing Among American Teenagers

Interesting article from the New York Times on password sharing as a show of affection.

“It’s a sign of trust,” Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. “I have nothing to hide from him, and he has nothing to hide from me.”

“That is so cute,” said Cherry Ng, 16, listening in to her friend’s comments to a reporter outside school. “They really trust each other.”

“We do,” said Ms. Carandang, 17. “I know he’d never do anything to hurt my reputation,” she added.

It doesn’t always end so well, of course. Changing a password is simple, but students, counselors and parents say that damage is often done before a password is changed, or that the sharing of online lives can be the reason a relationship falters.

Ethnologist danah boyd discusses what’s happening:

For Meixing, sharing her password with her boyfriend is a way of being connected. But it’s precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can’t count the number of people who have gasped “How could they!?!” at me. For this reason, I feel the need to pick up on an issue that the NYTimes let out.

The idea of teens sharing passwords didn’t come out of thin air. In fact, it was normalized by adults. And not just any adult. This practice is the product of parental online safety norms. In most households, it’s quite common for young children to give their parents their passwords. With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over, using explanations like “because I’m your mother.” But many parents use the language of “trust” to explain why teens should share their passwords with them.

Much more in her post.

Related: a profile of danah boyd.

Posted on January 27, 2012 at 6:39 AM

Improving the Security of Four-Digit PINs on Cell Phones

The author of this article notices that it’s often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.

Then he points out that if your PIN uses only three different digits—1231, for example—the smudges reveal which three digits were pressed but not which one is repeated, so the PIN can be one of 36 different possibilities.

So it’s more secure, although not by much.
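To see where the 24 and 36 come from, and how little the choice of PIN buys, it helps to count the PINs consistent with a given set of smudged digits. The following is an added example, not code from the linked article; it generalizes the article's two cases to any number of distinct digits (one or two repeated digits as well as three or four distinct ones) and treats the smudge pattern as revealing only the set of digits pressed, not their order or multiplicity.

```python
from itertools import product

# Added example: how many four-digit PINs remain consistent with the digits a
# smudge pattern reveals. The smudges show which keys were touched, but not the
# order and not which digit (if any) was pressed more than once, so the
# candidate set is every PIN that uses exactly the revealed digits.
# Illustration added here, not code from the article.

def candidate_count(revealed_digits: str, length: int = 4) -> int:
    """Number of `length`-digit PINs that use every revealed digit at least once and no others."""
    digits = set(revealed_digits)          # "1231" and "123" reveal the same smudges
    return sum(1 for p in product(sorted(digits), repeat=length) if set(p) == digits)

def residual_search_space() -> dict:
    """Candidate counts by number of distinct digits in a four-digit PIN."""
    return {k: candidate_count("0123456789"[:k]) for k in (1, 2, 3, 4)}

if __name__ == "__main__":
    for distinct, count in residual_search_space().items():
        print(f"{distinct} distinct digit(s): {count:5d} candidates out of 10000")
```

Four distinct digits leave 24 orderings, three leave 36, two leave 14 and one leaves a single candidate, so a three-distinct-digit PIN raises the work by a factor of 1.5 and nothing more. Any of these sets is a tiny fraction of the full 10,000-PIN space, which is why a lockout after a few wrong attempts matters far more than the choice of digits.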

Posted on January 6, 2012 at 6:30 AM

Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords, a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM

New Lows in Secret Questions

I’ve already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here’s a new one, courtesy of the National Archives: “What is your preferred internet password?” I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.

Posted on September 8, 2011 at 6:14 AM
