Journal ArticleDOI

Generation of Secure and Reliable Honeywords, Preventing False Detection

TL;DR: This work proposes new and more practical honeyword generation techniques, which achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability, and proposes a new attack model called ‘Multiple System Intersection attack considering Input’.
Abstract: Breach in password databases has been a frequent phenomenon in the software industry. Often these breaches go undetected for years. Sometimes, even the companies involved are not aware of the breach. Even after they are detected, publicizing such attacks might not always be in the best interest of the companies. This calls for a strong breach detection mechanism. Juels et al. (in ACM-CCS 2013) suggest a method called ‘Honeywords’, for detecting password database breaches. Their idea is to generate multiple fake passwords, called honeywords, and store them along with the real password. Any login attempt with honeywords is identified as a compromise of the password database, since legitimate users are not expected to know the honeywords corresponding to their passwords. The key components of their idea are (i) generation of honeywords, (ii) typo-safety measures for preventing false alarms, (iii) alarm policy upon detection, and (iv) testing robustness of the system against various attacks. In this work, we analyze the limitations of existing honeyword generation techniques. We propose a new attack model called ‘Multiple System Intersection attack considering Input’. We show that the ‘Paired Distance Protocol’ proposed by Chakraborty et al. is not secure in this attack model. We also propose new and more practical honeyword generation techniques and call them the ‘evolving-password model’, the ‘user-profile model’, and the ‘append-secret model’. These techniques achieve ‘approximate flatness’, implying that the honeywords generated using these techniques are indistinguishable from passwords with high probability. Our proposed techniques overcome most of the risks and limitations associated with existing techniques. We prove flatness of our ‘evolving-password model’ technique through experimental analysis. We provide a comparison of our proposed models with the existing ones under various attack models to justify our claims.
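As an added illustration (not code from this paper or from Juels et al.), the following Python sketch models the honeywords setup the abstract describes: a password server holding k hashed sweetwords per account, a separate honeychecker that knows only the index of the real one, an alarm when a honeyword is submitted, and a simple flatness estimate in which a distinguisher holding all sweetwords always guesses the most popular one. The toy corpus, its Zipf-shaped popularity weights and the two generator names are assumptions made for the demonstration.

```python
import hashlib, hmac, os, random, secrets

# Constructed toy corpus, most to least popular (not the paper's data); ZIPF = users' choice odds.
CORPUS = ["123456", "password", "qwerty", "letmein", "dragon",
          "monkey", "football", "abc123", "iloveyou", "trustno1"]
ZIPF = [1.0 / (i + 1) for i in range(len(CORPUS))]

def _h(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()

class HoneyChecker:  # auxiliary server: knows only which sweetword index is real
    def __init__(self):
        self._index = {}
    def set_index(self, user, i):
        self._index[user] = i
    def is_real(self, user, i):
        return self._index.get(user) == i

class PasswordServer:  # stores k hashed sweetwords per user, cannot tell which is real
    def __init__(self, checker, k=4):
        self.checker, self.k, self.db = checker, k, {}
    def register(self, user, password, gen):
        sweet = gen(password, self.k - 1, secrets.SystemRandom()) + [password]
        secrets.SystemRandom().shuffle(sweet)        # hide the real one's position
        salt = os.urandom(16)
        self.db[user] = (salt, [_h(s, salt) for s in sweet])
        self.checker.set_index(user, sweet.index(password))
    def login(self, user, attempt):
        salt, hashes = self.db[user]
        d = _h(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(stored, d):
                if self.checker.is_real(user, i):
                    return "ok"
                return "alarm"                       # honeyword submitted: breach signal
        return "fail"

def gen_uniform(password, n, rng):  # weak: honeywords uniform over the corpus
    return rng.sample([p for p in CORPUS if p != password], n)

def gen_zipf(password, n, rng):  # closer to the users' distribution, so flatter
    out = set()
    while len(out) < n:
        out.add(rng.choices(CORPUS, weights=ZIPF)[0])
        out.discard(password)
    return list(out)

def top_pw_success(gen, trials=2000, k=4, seed=0):
    """Flatness estimate: attacker holding all sweetwords guesses the most popular one (ideal: 1/k)."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        real = rng.choices(CORPUS, weights=ZIPF)[0]
        sweet = gen(real, k - 1, rng) + [real]
        hits += min(sweet, key=CORPUS.index) == real
    return hits / trials
```

The seeded simulation is for comparison only; registration uses the system CSPRNG, and a real deployment would use a slow password hash rather than plain SHA-256.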
Citations
Journal ArticleDOI
TL;DR: This study proposes a “matching attack” model and finds that although Erguler's honeyword system can achieve perfect flatness, the success rate of the attacker is 100% under matching attack, and proposes a new honeyword approach named Superword that isolates the direct relationship between username and the corresponding hashed password in password files.
Abstract: Generating honeywords for each user’s account is an effective way to detect whether password databases are compromised. However, there are several underlying security issues associated with honeyword techniques that need to be addressed, for example, (1) How to make it more difficult for an attacker to find an accurate match of “username-real password”? (2) How to prevent the intersection attack in multiple systems caused by password reuse without reducing usability? (3) How to reduce the success rate of targeted password guessing? In this study, we first propose a “matching attack” model and find that although Erguler’s honeyword system can achieve perfect flatness, the success rate of the attacker is 100% under matching attack. Secondly, we propose a new honeyword approach named Superword that isolates the direct relationship between username and the corresponding hashed password in password files. Additional honeypots are mixed with real accounts to detect online guessing attacks. The analysis reveals that our approach makes it difficult for a matching attacker to find a real password from N password hashes. Since there is no connection between the username and password in password files, our honeyword system also alleviates the multiple systems intersection attack and targeted password guessing.

15 citations

Proceedings ArticleDOI
01 May 2022
TL;DR: This work proposes four theoretic models for characterizing the attacker $\mathcal{A}$’s best distinguishing strategies, and develops the corresponding honeyword-generation method for each type of attackers, by using various representative probabilistic password guessing models.
Abstract: Honeywords are decoy passwords associated with each user account to timely detect password leakage. The key issue lies in how to generate honeywords that are hard to differentiate from real passwords. This security mechanism was first introduced by Juels and Rivest at CCS’13, and has been covered by hundreds of media and adopted in dozens of research domains. Existing research deals with honeywords primarily in an ad hoc manner, and it is challenging to develop a secure honeyword-generation method and well evaluate (attack) it. In this work, we tackle this problem in a principled approach. We first propose four theoretic models for characterizing the attacker $\mathcal{A}$’s best distinguishing strategies, with each model based on a different combination of information available to $\mathcal{A}$ (e.g., public datasets, the victim’s personal information and registration order). These theories guide us to design effective experiments with real-world password datasets to evaluate the goodness (flatness) of a given honeyword-generation method. Armed with the four best attacking theories, we develop the corresponding honeyword-generation method for each type of attackers, by using various representative probabilistic password guessing models. Through a series of exploratory investigations, we show the use of these password models is not straightforward, but requires creative and significant efforts. Both empirical experiments and user-study results demonstrate that our methods significantly outperform prior art. Besides, we manage to resolve several previously unexplored challenges that arise in the practical deployment of a honeyword method. We believe this work pushes the honeyword research towards statistical rigor.

11 citations

Journal ArticleDOI
TL;DR: Wang et al. as discussed by the authors proposed a method to protect the hashed passwords by using topological graphic sequences, which works effectively even if the password file is leaked by using graphic labeling.
Abstract: In this paper, we propose a method to protect the hashed passwords by using topological graphic sequences. This method works effectively even if the password file is leaked. First, the user password is divided based on its length. Then the processed string and the topological graphic sequence are operated for obtaining the real decoy honeywords. In this way, a flatness honeywords generation method is generated. Since every password seems unrealistic, the hacker who steals the hashed password file cannot distinguish between the real passwords and the honeywords. If he uses the honeywords for login, the system will know that it is the intruder’s attack, and then the service provider (SP) can take security measures. Finally, several typical attack methods are analyzed to verify the effectiveness of our scheme. We use the topological graph to generate the honeywords, which is the first application of graphic labeling in the honeywords generation.

6 citations

Proceedings ArticleDOI
01 Jul 2020
TL;DR: This work empirically examine the flatness of the proposed honeywords generation strategy against Top Password (Top-PW) attack using real-world datasets, instead of only providing heuristic security arguments.
Abstract: The legacy-UI honeywords generation approach is more favored due to its high usability compared to the modified-UI approach that sometimes becomes unusable in practice. However, several prior arts on legacy-UI based honeywords generation methods often fail to obtain the security standard, especially the flatness criterion. In this work, we propose two legacy-UI honeywords generation strategies based on two password guessing methods: PassGAN and Probabilistic Context-Free Grammar (PCFG). Besides, we also introduce two hybrid strategies by combining PassGAN, PCFG, and random-based methods. We empirically examine the flatness of the proposed honeywords generation strategy against Top Password (Top-PW) attack using real-world datasets, instead of only providing heuristic security arguments. The experiment results show that three of the proposed methods (the PassGAN-based and the two hybrid methods) have a lower flatness value than all previous legacy-UI methods and are able to meet the "perfectly flat" criterion.

4 citations


Cites methods from "Generation of Secure and Reliable H..."

  • ...[7], [10]–[12]) that only evaluate the flatness of their methods using heuristic security arguments....


Book ChapterDOI
23 Nov 2020
TL;DR: In this article, a new direction of generating honeywords - generating by transforming password hashes - is proposed, which attains expected levels of flatness, security, performance and usability. But, it does not have the ability to generate a set of decoy passwords together with real passwords.
Abstract: Since systems using honeywords store a set of decoy passwords together with real passwords of users to confuse adversaries, they are strongly dependent on the algorithm for generating honeywords. However, all of the existing honeyword generating algorithms are based on raw passwords of users and they either need lots of storage space or show weaknesses in flatness or usability. This paper proposes HoneyHash, a new direction of generating honeywords - generating by transforming password hashes. Analyses show that our algorithm attains expected levels of flatness, security, performance and usability.

3 citations

References
Proceedings ArticleDOI
24 Oct 2016
TL;DR: TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker, is proposed to design novel and efficient guessing algorithms.
Abstract: While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from another of her accounts and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small. We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I~IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

304 citations


"Generation of Secure and Reliable H..." refers background in this paper

  • ...related to user profile as mentioned in [26]....


  • ...Another work on targeted user password guessing [26] leverages the tendency that majority of population uses personal details for choosing password....


Proceedings ArticleDOI
04 Nov 2013
TL;DR: It is proposed that an auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
Abstract: We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

264 citations


"Generation of Secure and Reliable H..." refers background or methods in this paper

  • ...Tweaking [6] < 1/k weak no yes no no yes...


  • ...2 OVERVIEW OF THE HONEYWORDS TECHNIQUE [6]...


  • ...In [6], the authors have illustrated several flat or approximately flat Gen(k, p_i) procedures that are discussed in Section 4....


  • ...Take-a-tail [6] PDP [16] Append-secret [this work]...


  • ...Therefore, the Honeywords technique [6] is a significant contribution towards detecting breaches of the password database....


Proceedings ArticleDOI
14 Jul 2010
TL;DR: It is concluded that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability, and those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.
Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength. We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.

163 citations

Book ChapterDOI
20 Sep 2010
TL;DR: Kamouflage as discussed by the authors is a new architecture for building theft-resistant password managers, which is well suited to become a standard architecture for password managers on mobile devices and is implemented as a replacement for the built-in Firefox password manager.
Abstract: We introduce Kamouflage: a new architecture for building theft-resistant password managers. An attacker who steals a laptop or cell phone with a Kamouflage-based password manager is forced to carry out a considerable amount of online work before obtaining any user credentials. We implemented our proposal as a replacement for the built-in Firefox password manager, and provide performance measurements and the results from experiments with large real-world password sets to evaluate the feasibility and effectiveness of our approach. Kamouflage is well suited to become a standard architecture for password managers on mobile devices.

126 citations

Proceedings ArticleDOI
02 Apr 2005
TL;DR: A longitudinal study of mini-QWERTY keyboard use, examining the learning rates of novice mini-QWERTY users, is presented, and MacKenzie and Soukoreff's model of two-thumb text entry is discussed.
Abstract: We present a longitudinal study of mini-QWERTY keyboard use, examining the learning rates of novice mini-QWERTY users. The study consists of 20 twenty-minute typing sessions using two different-sized keyboard models. Subjects average over 31 words per minute (WPM) for the first session and increase to an average of 60 WPM by the twentieth. Individual subjects also exceed the upper bound of 60.74 WPM suggested by MacKenzie and Soukoreff's model of two-thumb text entry [5]. We discuss our results in the context of this model.

95 citations


"Generation of Secure and Reliable H..." refers methods in this paper

  • ...According to an analysis given in [23], the error patterns in mini-QWERTY keyboard show the rate of human errors as: ‘Substitution’ errors - 40....
