Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)

Maximilian Golla, Markus Dürmuth

International Conference on Passwords 2015 (PASSWORDS '15). Cambridge, United Kingdom, December 7-9, 2015


Abstract

Personal Knowledge Questions are widely used for fallback authentication, i.e., recovering access to an account when the primary authenticator is lost. It is well known that the answers have low entropy and are sometimes derivable from public data sources, but ease of use and supposedly good memorability seem to outweigh this drawback for some applications.

Recently, a database dump of an online dating website was leaked, including 3.9 million plaintext answers to personal knowledge questions, making it the largest publicly available list. We analyzed this list of answers and were able to confirm previous findings that had been obtained from non-public lists (WWW 2015). In particular, we found that some users do not answer truthfully, which may actually reduce the answers' entropy, because evasive answers tend to cluster on a few common placeholders.
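The claim that untruthful answers can lower entropy is easiest to see with guessing metrics computed over an answer list. The following Python is an added illustration, not code or data from the paper: the pet-name answers and the placeholder answers (`none`, `asdf`) are constructed here, and the helper names (`min_entropy`, `success_rate`, `optimal_guesses`) are this example's own. It compares a distribution of distinct truthful answers with the same list after a handful of users type evasive placeholders instead.

```python
import math
from collections import Counter

# Constructed sample answers to "What was the name of your first pet?"
# (illustrative only; not the leaked dataset analysed in the paper).
TRUTHFUL = [
    "Max", "Bella", "Charlie", "Lucy", "Rocky", "Molly", "Buddy", "Daisy",
    "Jack", "Sadie", "Toby", "Maggie", "Bailey", "Sophie", "Duke", "Chloe",
    "Cooper", "Lola", "Bear", "Zoe",
]
# Constructed evasive/untruthful answers: users who refuse to give the real
# answer tend to reuse the same few placeholders, so these collide once
# normalised.
UNTRUTHFUL = ["none", "None", "NONE", "asdf", "none"]
ALL = TRUTHFUL + UNTRUTHFUL


def answer_distribution(answers):
    """Map each answer to its empirical probability, after normalising the
    way an attacker would (case-folded, whitespace trimmed)."""
    normalised = [a.strip().lower() for a in answers]
    counts = Counter(normalised)
    total = len(normalised)
    return {a: c / total for a, c in counts.items()}


def shannon_entropy(answers):
    """Shannon entropy in bits: the average-case measure, which can hide a
    single very likely answer."""
    dist = answer_distribution(answers)
    return -sum(p * math.log2(p) for p in dist.values())


def min_entropy(answers):
    """Min-entropy in bits: -log2 of the most likely answer, i.e. the work
    factor faced by an attacker who gets exactly one guess."""
    dist = answer_distribution(answers)
    return -math.log2(max(dist.values()))


def optimal_guesses(answers, k):
    """The attacker's best fixed guess list: the k most frequent answers
    (ties broken alphabetically for determinism)."""
    dist = answer_distribution(answers)
    ranked = sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))
    return [a for a, _ in ranked[:k]]


def success_rate(answers, guesses):
    """Fraction of accounts an attacker opens by trying each guess once."""
    dist = answer_distribution(answers)
    return sum(dist.get(g.strip().lower(), 0.0) for g in guesses)


if __name__ == "__main__":
    for label, answers in (("truthful only", TRUTHFUL), ("with placeholders", ALL)):
        print(f"{label:18s} H={shannon_entropy(answers):.2f} bits  "
              f"H_min={min_entropy(answers):.2f} bits  "
              f"top-1 guess={optimal_guesses(answers, 1)}  "
              f"success(top-1)={success_rate(answers, optimal_guesses(answers, 1)):.2f}")
```

Running it shows the point the abstract makes: with twenty distinct truthful answers the best single guess succeeds 5% of the time and min-entropy is about 4.3 bits; after five users type a placeholder, `none` alone opens 16% of accounts and min-entropy falls to about 2.6 bits. Shannon entropy actually rises slightly in this sample, which is why guess-oriented measures such as min-entropy or the success rate of a short guess list are the right yardstick for fallback authentication, not average-case entropy.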

[PDF] [Slides]

Tags: challenge question, fallback authentication, password recovery, password reset, personal knowledge question