这个PIN可以很容易地猜到:分析智能手机解锁PIN的安全性

Philipp Markert, D. Bailey, M. Golla, Markus Dürmuth, Adam J. Aviv
{"title":"这个PIN可以很容易地猜到:分析智能手机解锁PIN的安全性","authors":"Philipp Markert, D. Bailey, M. Golla, Markus Dürmuth, Adam J. Aviv","doi":"10.1109/SP40000.2020.00100","DOIUrl":null,"url":null,"abstract":"In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of \"easy to guess\" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 % of the PIN space may provide the best balance between usability and security.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"14 1","pages":"286-303"},"PeriodicalIF":0.0000,"publicationDate":"2020-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"38","resultStr":"{\"title\":\"This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs\",\"authors\":\"Philipp Markert, D. Bailey, M. Golla, Markus Dürmuth, Adam J. Aviv\",\"doi\":\"10.1109/SP40000.2020.00100\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of \\\"easy to guess\\\" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 % of the PIN space may provide the best balance between usability and security.\",\"PeriodicalId\":6849,\"journal\":{\"name\":\"2020 IEEE Symposium on Security and Privacy (SP)\",\"volume\":\"14 1\",\"pages\":\"286-303\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-03-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"38\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 IEEE Symposium on Security and Privacy (SP)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SP40000.2020.00100\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00100","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 38

摘要

在本文中,我们首次对智能手机上收集的用户选择的4位和6位pin (n = 1220)进行了全面研究,参与者被明确地为设备解锁做好了准备。我们发现,针对受限的攻击者(有10、30或100次猜测,与智能手机解锁设置相匹配),使用6位pin而不是4位pin几乎没有增加安全性,令人惊讶的是,甚至可能降低安全性。我们还研究了黑名单的影响,在选择过程中不允许使用一组“容易猜测”的pin。目前iOS使用了两种这样的黑名单,一种是4位数(274个pin),另一种是6位数(2910个pin)。我们提取了这两个黑名单,并将它们与其他四个黑名单进行比较,其中包括一个小的4位数(27个PIN),一个大的4位数(2740个PIN),以及两个4位和6位PIN的安慰剂黑名单,这些黑名单总是排除第一选择的PIN。我们发现,目前iOS所使用的相对较小的黑名单并不能有效对抗受限的猜测攻击。只有当黑名单更大时,才能观察到安全性的提高,而这反过来又以增加用户挫败感为代价。我们的分析表明,黑名单在大约10%的PIN空间可能提供可用性和安全性之间的最佳平衡。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 % of the PIN space may provide the best balance between usability and security.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信