Journal ArticleDOI

A Scrutiny of Honeyword Generation Methods: Remarks on Strengths and Weaknesses Points

TL;DR: This survey shows that every honeyword generation method examined has several weak points.
Abstract: A honeyword system is a mechanism for detecting password cracking. Honeywords are false passwords stored alongside the sugarword (the real password). Their purpose is to improve the security of hashed passwords by making the cracking of the password database detectable: the database holds many honeywords for every user, and if an adversary logs in with a honeyword, a silent alert indicates that the password database may have been compromised. Previous studies offer only a few remarks on honeyword generation methods, each covering at most two earlier methods, so a survey that lists all preceding work together with its weaknesses is needed. This work presents all the generation methods, lists the strengths and weaknesses of 26 of them, and adds 32 remarks that highlight their strong and weak points. It shows that every honeyword generation method has several weak points.


Citations
Proceedings ArticleDOI
30 Dec 2022
TL;DR: In this article, the authors propose a tokenization-based authentication scheme that serves the purpose of honeywords at a lower storage cost than honeyword-based authentication.
Abstract: In the era of computer systems, user authentication, both online and offline, is an unavoidable step for securing users’ privacy. Password-based authentication is popularly adopted for its simplicity in this context. In password-based authentication, a set of credentials (mostly username and password) is required to identify the unique user. But this method of authentication is vulnerable to the inversion attack, in which the adversary obtains the plaintext password by cracking the hashed value of the password. Honeyword-based authentication has been introduced to combat such attacks. In this strategy, certain dummy passwords or honeywords are saved along with the user’s original password. When an adversary tries to enter one of the honeywords to log into the system, an alarm message is sent to the authority via an auxiliary server called the honeychecker. Although this technique is useful to address this type of security threat, the requirement of additional space to store the honeywords is still an overhead. Driven by these drawbacks, this work aims to propose a strategy which can serve the purpose of honeywords in a more cost-effective way. In this technique, the concept of tokenization is utilized. Theoretical and experimental analyses have been done to assess the viability of the proposed scheme. A comparative study between the proposed scheme and honeyword-based authentication has been carried out based on required storage cost and resiliency against the MSV attack. From our rigorous analysis, it is found that our scheme shows promising results in terms of other usability and security features as well.
References
Journal ArticleDOI
TL;DR: Generative adversarial networks, an algorithm designed to solve the generative modeling problem, are reviewed together with their applications in medicine, education and robotics.
Abstract: Generative adversarial networks are a kind of artificial intelligence algorithm designed to solve the generative modeling problem. The goal of a generative model is to study a collection of training examples and learn the probability distribution that generated them. Generative Adversarial Networks (GANs) are then able to generate more examples from the estimated probability distribution. Generative models based on deep learning are common, but GANs are among the most successful generative models (especially in terms of their ability to generate realistic high-resolution images). GANs have been successfully applied to a wide variety of tasks (mostly in research settings) but continue to present unique challenges and research opportunities because they are based on game theory while most other approaches to generative modeling are based on optimization.

2,447 citations

Proceedings ArticleDOI
17 May 2009
TL;DR: This paper presents a method that generates password structures in highest-probability order by automatically building a probabilistic context-free grammar from a training set of previously disclosed passwords, and then derives word-mangling rules from it for password cracking.
Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task. In this paper we discuss a new method that generates password structures in highest probability order. We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords. This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking. We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets. In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program.

491 citations
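A minimal version of the PCFG approach described above, added here as an illustration rather than the paper's own tool. It learns base structures (runs of letters L, digits D and symbols S with their lengths) and per-nonterminal terminal probabilities from a constructed training list, then emits guesses in non-increasing probability order using a heap and the pivot-based "next" expansion. One simplification: the original fills letter slots from an external dictionary, whereas here the letter runs are learned from the same training set. The training list and all names are constructed for the example.

```python
"""Probabilistic context-free grammar password guesser in the style of Weir et al.
Added illustration, not the paper's tool. Base structures and terminals are
learned from a constructed training list; letter runs are learned too, rather
than filled from an external dictionary as in the original."""
import heapq
import re
from collections import Counter, defaultdict

RUN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")

# Constructed training set standing in for a disclosed password list.
TRAINING = [
    "password123", "password1", "letmein!", "iloveyou1", "monkey123",
    "password!", "qwerty12", "abc123", "summer2023", "summer2023!",
    "dragon1", "password12",
]


def tokenize(password):
    """Split a password into (nonterminal, string) runs: L = letters, D = digits, S = symbols.
    'summer2023!' -> [('L6', 'summer'), ('D4', '2023'), ('S1', '!')]"""
    runs = []
    for m in RUN.finditer(password):
        s = m.group()
        cls = "L" if s[0].isalpha() else "D" if s[0].isdigit() else "S"
        runs.append(("%s%d" % (cls, len(s)), s))
    return runs


class PCFG:
    def __init__(self, training):
        structure_counts = Counter()
        terminal_counts = defaultdict(Counter)
        for pw in training:
            runs = tokenize(pw)
            if not runs:
                continue
            structure_counts[tuple(nt for nt, _ in runs)] += 1
            for nt, s in runs:
                terminal_counts[nt][s] += 1
        total = sum(structure_counts.values())
        # P(base structure) = relative frequency in the training set
        self.structures = {st: c / total for st, c in structure_counts.items()}
        # terminals per nonterminal, sorted by decreasing probability (ties alphabetical)
        self.terminals = {}
        for nt, counts in terminal_counts.items():
            n = sum(counts.values())
            self.terminals[nt] = sorted(((s, c / n) for s, c in counts.items()),
                                        key=lambda kv: (-kv[1], kv[0]))

    def probability(self, structure, choice):
        """P(structure) times the probability of the chosen terminal in each slot."""
        p = self.structures[structure]
        for nt, i in zip(structure, choice):
            p *= self.terminals[nt][i][1]
        return p

    def guesses(self, limit):
        """Yield (guess, probability) in non-increasing probability order.
        The heap holds pre-terminal structures; popping one yields its guess and
        pushes children that advance a single slot at or after the pivot, so each
        combination is generated exactly once and never before a more probable one."""
        heap = []
        for structure in self.structures:
            choice = (0,) * len(structure)
            heapq.heappush(heap, (-self.probability(structure, choice), structure, choice, 0))
        emitted = 0
        while heap and emitted < limit:
            neg_p, structure, choice, pivot = heapq.heappop(heap)
            yield "".join(self.terminals[nt][i][0] for nt, i in zip(structure, choice)), -neg_p
            emitted += 1
            for pos in range(pivot, len(structure)):
                if choice[pos] + 1 < len(self.terminals[structure[pos]]):
                    child = choice[:pos] + (choice[pos] + 1,) + choice[pos + 1:]
                    heapq.heappush(heap, (-self.probability(structure, child), structure, child, pos))


def top_guesses(training=TRAINING, limit=8):
    """Convenience wrapper: the `limit` most probable guesses as a list of (guess, p)."""
    return list(PCFG(training).guesses(limit))


if __name__ == "__main__":
    for guess, p in top_guesses():
        print("%.4f  %s" % (p, guess))
```

With the constructed training list the first guess is "password1", because the structure L8 D1 occurs twice and "password" is the dominant L8 terminal; the next guesses are the single-occurrence structures filled with their most likely terminals. Replacing the training list with a real disclosed set is the only change needed to use the grammar for the experiments the abstract describes.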

Proceedings ArticleDOI
04 Nov 2013
TL;DR: It is proposed that an auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
Abstract: We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

264 citations
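The honeyword mechanism described in the main abstract and in the Juels-Rivest entry above, worked through in Python as an added example (it is not code from either paper). The password file holds the salted hashes of k sweetwords per user in shuffled order; a separate honeychecker holds only the index of the real one; a login that matches a honeyword is refused exactly like a wrong password, but the checker records an alarm. The chaffing-by-tweaking generator, the PBKDF2 work factor, the user "alice" and all class names are assumptions made for the illustration.

```python
"""Honeyword login: k sweetwords per user are hashed into the password file, a
separate honeychecker stores only the index of the sugarword, and a login that
hits a honeyword raises a silent alarm. Added illustration, not the papers' own
code; the tail-tweaking generator, PBKDF2 parameters and names are assumptions."""
import hashlib
import hmac
import os
import random
import string

PBKDF2_ROUNDS = 10_000  # kept low for the demo; use a far larger work factor in production


def tweak_tail(password, count, tail=3, rng=None, max_tries=10_000):
    """Chaffing-by-tweaking: build `count` honeywords by replacing the last `tail`
    characters with random characters of the same class (digit, letter, symbol)."""
    rng = rng or random.SystemRandom()
    honeywords = set()
    tries = 0
    while len(honeywords) < count and tries < max_tries:
        tries += 1
        chars = list(password)
        for i in range(max(0, len(chars) - tail), len(chars)):
            c = chars[i]
            if c.isdigit():
                pool = string.digits
            elif c.isalpha():
                pool = string.ascii_lowercase if c.islower() else string.ascii_uppercase
            else:
                pool = string.punctuation
            chars[i] = rng.choice(pool)
        candidate = "".join(chars)
        if candidate != password:
            honeywords.add(candidate)
    if len(honeywords) < count:
        raise ValueError("password tail too small to yield enough distinct honeywords")
    return sorted(honeywords)


def hash_sweetword(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, PBKDF2_ROUNDS)


class HoneyChecker:
    """Hardened auxiliary server. It never sees passwords or hashes: it holds only
    user -> index of the sugarword and answers 'is this index the real one?'."""

    def __init__(self):
        self._index = {}
        self.alarms = []  # (user, submitted index) for every honeyword hit

    def set_index(self, user, index):
        self._index[user] = index

    def check(self, user, index):
        if self._index.get(user) == index:
            return True
        self.alarms.append((user, index))  # silent: the login server only learns "no"
        return False


class LoginServer:
    """Holds the password file: per user a salt and the hashes of k sweetwords in
    shuffled order, so the file alone does not reveal which one is real."""

    def __init__(self, checker, k=20, rng=None):
        self.checker = checker
        self.k = k
        self.rng = rng or random.SystemRandom()
        self.password_file = {}

    def enroll(self, user, password):
        sweetwords = tweak_tail(password, self.k - 1, rng=self.rng) + [password]
        self.rng.shuffle(sweetwords)
        salt = os.urandom(16)
        self.password_file[user] = (salt, [hash_sweetword(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))
        # Returned only so the demo can pick a honeyword; a real server discards them.
        return sweetwords

    def login(self, user, password):
        """True only for the sugarword. A honeyword and a wrong password both return
        False; the honeyword additionally leaves an alarm at the checker."""
        if user not in self.password_file:
            return False
        salt, hashes = self.password_file[user]
        candidate = hash_sweetword(password, salt)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return self.checker.check(user, index)
        return False


def demo(seed=7):
    """Enroll a constructed user, then try the real password, a wrong one, and a
    honeyword (as an attacker who inverted the file's hashes would). Returns outcomes."""
    checker = HoneyChecker()
    server = LoginServer(checker, k=20, rng=random.Random(seed))
    sweetwords = server.enroll("alice", "Summer2023!")
    honeyword = next(w for w in sweetwords if w != "Summer2023!")
    return {
        "real": server.login("alice", "Summer2023!"),
        "wrong": server.login("alice", "Winter1999?"),
        "honeyword": server.login("alice", honeyword),
        "alarms": list(checker.alarms),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The checker must be reachable only from the login path and must store nothing but indices, otherwise a single breach yields both the file and the answer key. And the generator decides the scheme's value: with tail tweaking, a password such as "Summer2023!" sits among honeywords like "Summer2047?" whose tails are random, so an adversary who knows the generator can rank the candidates; that non-flatness is the kind of weakness the surveyed paper catalogues.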

Proceedings ArticleDOI
04 Oct 2010
TL;DR: This paper develops a framework by which an attacker can search for a user's new password from an old one, and designs an efficient algorithm to build an approximately optimal search strategy, which is used to measure the difficulty of breaking newly chosen passwords from old ones.
Abstract: This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.

189 citations

Book ChapterDOI
05 Jun 2019
TL;DR: Password guessing tools such as HashCat and John the Ripper can expand password dictionaries using password generation rules, such as concatenation of words (e.g., “password123456”) and leet speak, but writing such rules by hand requires specialized expertise.
Abstract: State-of-the-art password guessing tools, such as HashCat and John the Ripper, enable users to check billions of passwords per second against password hashes. In addition to performing straightforward dictionary attacks, these tools can expand password dictionaries using password generation rules, such as concatenation of words (e.g., “password123456”) and leet speak (e.g., “password” becomes “p4s5w0rd”). Although these rules work well in practice, creating and expanding them to model further passwords is a labor-intensive task that requires specialized expertise.

169 citations