scispace - formally typeset
Search or ask a question
Journal ArticleDOI

Achieving Flatness: Honeywords Generation Method for Passwords based on user behaviours

01 Jan 2019-International Journal of Advanced Computer Science and Applications (The Science and Information (SAI) Organization Limited)-Vol. 10, Iss: 3
TL;DR: The authors introduce a simple and effective solution to the detection of password file disclosure events and suggest an alternative approach that selects the honeywords from existing user information, a generic password list, dictionary attack, and by shuffling the characters.
Abstract: Honeywords (decoy passwords) have been proposed to detect attacks against hashed password databases. For each user account, the original password is stored with many honeywords in order to thwart any adversary. The honeywords are selected deliberately such that a cyber-attacker who steals a file of hashed passwords cannot be sure, if it is the real password or a honeyword for any account. Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing the storage requirement by 24 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinise the honeyword system and highlight possible weak points. Also, we suggest an alternative approach that selects the honeywords from existing user information, a generic password list, dictionary attack, and by shuffling the characters. Four sets of honeywords are added to the system that resembles the real passwords, thereby achieving an extremely flat honeywords generation method. To measure the human behaviours in relation to trying to crack the password, a testbed engaged with by 820 people was created to determine the appropriate words for the traditional and proposed methods. The results show that under the new method it is harder to obtain any indication of the real password (high flatness) when compared with traditional approaches and the probability of choosing the real password is 1/k, where k = number of honeywords plus the real password.

Content maybe subject to copyright    Report

Citations
More filters
Proceedings Article
26 Mar 2014
TL;DR: This paper finds that Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.
Abstract: A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and found that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.

16 citations

Journal ArticleDOI
01 Feb 2021
TL;DR: The proposed technique allows the user to keep the ease-of-use in the mouse motion, while minimizing the risk of password guessing, in a new password generation technique on the basis of mouse motion and a special case location recognized by the number of clicks.
Abstract: This paper proposes a new password generation technique on the basis of mouse motion and a special case location recognized by the number of clicks to protect sensitive data for different companies. Two, three special locations click points for the users has been proposed to increase password complexity. Unlike other currently available random password generators, the path and number of clicks will be added by admin, and authorized users have to be training on it. This method aims to increase combinations for the graphical password generation using mouse motion for a limited number of users. A mathematical model is developed to calculate the performance of the password. The proposed technique in this paper allows the user to keep the ease-of-use in the mouse motion, while minimizing the risk of password guessing. A comparative evaluation has been conducted against a traditional password. The results show that the proposed approach improves the complexity 200% for fix position technique and two variants technique but more than 200% for three variants technique.

3 citations


Cites background from "Achieving Flatness: Honeywords Gene..."

  • ...Introduction Currently, textual passwords remain to be the most extensively utilized user authentication scheme across multiple organizations but have well-known drawbacks in the aspects of both security and usability [1]....

    [...]

Journal ArticleDOI
TL;DR: This research has proved that every honeyword generation method has many weaknesses points.
Abstract: Abstract Honeyword system is a successful password cracking detection system. Simply the honeywords are (False passwords) that are accompanied to the sugarword (Real password). Honeyword system aims to improve the security of hashed passwords by facilitating the detection of password cracking. The password database will have many honeywords for every user in the system. If the adversary uses a honeyword for login, a silent alert will indicate that the password database might be compromised. All previous studies present a few remarks on honeyword generation methods for max two preceding methods only. So, the need for one that lists all preceding researches with their weaknesses is shown. This work presents all generation methods then lists the strengths and weaknesses of 26 ones. In addition, it puts 32 remarks that highlight their strengths and weaknesses points. This research has proved that every honeyword generation method has many weaknesses points.

2 citations

Proceedings ArticleDOI
01 Jan 2014
TL;DR: An improved authentication scheme supporting the Diffie-Hellman key exchange protocol using hash functions and the ElGamal cryptosystem is proposed, which overcomes the offline password guessing attack, man-in-the-middle attack and so on.
Abstract: Remote user authentication scheme has been widely adopted in the cyberworld to provide security and privacy because of various online threats and insecure communications. In the past few decades, many smart card-based authentication schemes are put forward. In such schemes, a user only need to maintain an identity and a password and employ a smart card to fulfill the authentication with a remote server. In 2014, Lee et al. put forward an authentication scheme using smart based on the hash function. However, we find that novel as it is, the scheme still has some severe security and performance weaknesses such as a verification table should stored in their scheme, it is easy to suffer the stolen verifier attack. Besides, it has the problem of synchronization between the server and users, failure of protecting users' anonymity and it is unfriendly to users since the inability of supporting changing the password freely. In this paper, we propose an improved authentication scheme supporting the Diffie-Hellman key exchange protocol using hash functions and the ElGamal cryptosystem. Besides the drawbacks in Lee et al.'s scheme, our proposed scheme overcomes the offline password guessing attack, man-in-the-middle attack and so on. At last, we show that our scheme is more suitable and secure for practical use.

1 citations

Journal ArticleDOI
TL;DR: This study will demonstrate numerous previous honeyword generating strategies, describe the proposed methodology, examine the experimental results, and compare the new honeyword production method to those proposed in previous research.
Abstract: : Honeywords are fake passwords that serve as an accompaniment to the real password, which is called a “sugarword.” The honeyword system is an effective password cracking detection system designed to easily detect password cracking in order to improve the security of hashed passwords. For every user, the password file of the honeyword system will have one real hashed password accompanied by numerous fake hashed passwords. If an intruder steals the password file from the system and successfully cracks the passwords while attempting to log in to users’ accounts, the honeyword system will detect this attempt through the honeychecker. A honeychecker is an auxiliary server that distinguishes the real password from the fake passwords and triggers an alarm if intruder signs in using a honeyword. Many honeyword generation approaches have been proposed by previous research, all with limitations to their honeyword generation processes, limited success in providing all required honeyword features, and susceptibility to many honeyword issues. This work will present a novel honeyword generation method that uses a proposed discrete salp swarm algorithm. The salp swarm algorithm (SSA) is a bio-inspired metaheuristic optimization algorithm that imitates the swarming behavior of salps in their natural environment. SSA has been used to solve a variety of optimization problems. The presented honeyword generation method will improve the generation process, improve honeyword features, and overcome the issues of previous techniques. This study will demonstrate numerous previous honeyword generating strategies, describe the proposed methodology, examine the experimental results, and compare the new honeyword production method to those proposed in previous research.
References
More filters
Proceedings ArticleDOI
20 May 2012
TL;DR: It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits ofSecurity against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Abstract: We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists.

711 citations


"Achieving Flatness: Honeywords Gene..." refers background in this paper

  • ...Basically, people prefer to create passwords according on their personal information, because of the limitation of their memory capacity and a random password can be difficult to remember [22]....

    [...]

Proceedings ArticleDOI
18 May 2014
TL;DR: In this paper, a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and found that, among other things, when done correctly, they perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state of the art password model in recent research.
Abstract: A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and found that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.

248 citations

Journal ArticleDOI
TL;DR: A DoS attack detection system that uses multivariate correlation analysis (MCA) for accurate network traffic characterization by extracting the geometrical correlations between network traffic features by learning the patterns of legitimate network traffic only is presented.
Abstract: Interconnected systems, such as Web servers, database servers, cloud computing servers and so on, are now under threads from network attackers. As one of most common and aggressive means, denial-of-service (DoS) attacks cause serious impact on these computing systems. In this paper, we present a DoS attack detection system that uses multivariate correlation analysis (MCA) for accurate network traffic characterization by extracting the geometrical correlations between network traffic features. Our MCA-based DoS attack detection system employs the principle of anomaly based detection in attack recognition. This makes our solution capable of detecting known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. Furthermore, a triangle-area-based technique is proposed to enhance and to speed up the process of MCA. The effectiveness of our proposed detection system is evaluated using KDD Cup 99 data set, and the influences of both non-normalized data and normalized data on the performance of the proposed detection system are examined. The results show that our system outperforms two other previously developed state-of-the-art approaches in terms of detection accuracy.

244 citations


"Achieving Flatness: Honeywords Gene..." refers methods in this paper

  • ...Another method is flooding the system with a huge amount of useless packets and as a consequence, the victim can be forced out of service for from a few minutes to several days [27]....

    [...]

Journal ArticleDOI
TL;DR: MobiFish is proposed, which is a novel automated lightweight antiphishing scheme for mobile platforms that verifies the validity of web pages, applications, and persistent accounts by comparing the actual identity to the claimed identity.
Abstract: Recent years have witnessed the increasing threat of phishing attacks on mobile computing platforms. In fact, mobile phishing is particularly dangerous due to the hardware limitations of mobile devices and the habits of mobile users. In this paper, we did a comprehensive study on the security vulnerabilities caused by mobile phishing attacks, including web page phishing attacks, application phishing attacks, and account registry phishing attacks. Existing schemes designed for web phishing attacks on personal computers (PCs) cannot effectively address the various phishing attacks on mobile devices. Hence, we propose MobiFish, which is a novel automated lightweight antiphishing scheme for mobile platforms. MobiFish verifies the validity of web pages, applications, and persistent accounts by comparing the actual identity to the claimed identity. MobiFish has been implemented on a Nexus 4 smartphone running the Android 4.2 operating system. We experimentally evaluate the performance of MobiFish with 100 phishing URLs and corresponding legitimate URLs, as well as phishing apps. The results show that MobiFish is very effective in detecting phishing attacks on mobile phones.

114 citations


"Achieving Flatness: Honeywords Gene..." refers background in this paper

  • ...The aim of phishing is to steal sensitive information, such as online banking passwords and credit card information from Internet users [18]....

    [...]

Journal ArticleDOI
TL;DR: An alternative approach is suggested that selects the honeywords from existing user passwords in the system in order to provide realistic honeywords-a perfectly flat honeyword generation method-and also to reduce storage cost of the honeyword scheme.
Abstract: Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. Also, we suggest an alternative approach that selects the honeywords from existing user passwords in the system in order to provide realistic honeywords—a perfectly flat honeyword generation method—and also to reduce storage cost of the honeyword scheme.

74 citations


"Achieving Flatness: Honeywords Gene..." refers background in this paper

  • ...For example, an intruder may make reasonable guesses regarding the real password [25]....

    [...]

  • ...So, the adversary will easily identify the real password, if it is one of these generic passwords [25]....

    [...]

  • ...It can clearly be seen that the digits in the honeywords do not relate to a specific date and hence the correct password, alex1992, is logically deducible by an adversary [25]....

    [...]