I completed my PhD in May 2012 with the Security Group of the University of Cambridge Computer Laboratory, supervised by Professor Ross Anderson and funded as a Gates Cambridge Scholar.
My PhD thesis is on analysing human-chosen distributions of secrets, specifically passwords and PINs.
My complete publications list is online. I focused on authentication, web security and privacy but have also researched side-channel cryptanalysis, protocol verification, software obfuscation, voting, and privacy in social networks.
My background is primarily in computer science, mathematics, and cryptography, in which I earned my BS and MS from Stanford University. I also worked as a cryptographer at Cryptography Research, Inc.
More (somewhat out of date) information is available on my personal homepage.
Selected publications
The science of guessing: analyzing an anonymized corpus of 70 million passwordsJoseph Bonneau. 2012 IEEE Symposium on Security and Privacy. Abstract Citation We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even pro-active efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists.
@inproceedings{B12,
author="Joseph Bonneau",
url="http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf",
booktitle="2012 IEEE Symposium on Security and Privacy",
title={{The science of guessing: analyzing an anonymized corpus of 70 million passwords}},
month="May",
location="San Francisco, CA, USA",
year="2012",
}
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication SchemesJoseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. 2012 IEEE Symposium on Security and Privacy. Abstract Citation We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.
@inproceedings{BHOS12,
author="Joseph Bonneau and Cormac Herley and Paul C. {van Oorschot} and Frank Stajano",
url="http://www.cl.cam.ac.uk/~jcb82/doc/BHOS12-IEEESP-quest_to_replace_passwords.pdf",
booktitle="2012 IEEE Symposium on Security and Privacy",
title={{The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes}},
month="May",
location="San Francisco, CA, USA",
year="2012",
}
A birthday present every eleven wallets? The security of customer-chosen banking PINsJoseph Bonneau, Sören Preibusch and Ross Anderson. FC '12: The 16th International Conference on Financial Cryptography. Abstract Citation We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
@inproceedings{BPA12,
author="Joseph Bonneau and S{\"{o}}ren Preibusch and Ross Anderson",
url="http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security.pdf",
booktitle="FC '12: Proceedings of the the 16\textsuperscript{th} International Conference on Financial Cryptography",
title={{A birthday present every eleven wallets? The security of customer-chosen banking PINs}},
month="March",
location="Kralendijk, Bonaire, Netherlands",
year="2012",
}
The password thicket: technical and market failures in human authentication on the webJoseph Bonneau and Sören Preibusch. WEIS '10: The 9th Workshop on the Economics of Information Security. Abstract Citation We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication.
@inproceedings{BP10,
author="Joseph Bonneau and S{\"{o}}ren Preibusch",
url="http://www.cl.cam.ac.uk/~jcb82/doc/BP10-WEIS-password_thicket.pdf",
booktitle="WEIS '10: Proceedings of the 9\textsuperscript{th} Workshop on the Economics of Information Security",
title={{The password thicket: technical and market failures in human authentication on the web}},
month="June",
location="Boston, MA, USA",
year="2010",
}
Cache Collision Timing Attacks Against AESJoseph Bonneau and Ilya Mironov. CHES '06: Workshop on Cryptographic Hardware and Embedded Systems. Abstract Citation This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 2^13 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.
@inproceedings{BM06,
author="Joseph Bonneau and Ilya Mironov",
url="http://www.cl.cam.ac.uk/~jcb82/doc/BM06-CHES-aes_cache_timing.pdf",
booktitle="CHES '06: Proceedings of 2006 Workshop on Cryptographic Hardware and Embedded Systems",
title={{Cache Collision Timing Attacks Against AES}},
month="October",
location="Boston, MA, USA",
year="2006",
}
