Proceedings ArticleDOI

Toward Developing a Password Breach Detection Technique for Serving the Purpose of Honeywords

30 Dec 2022
TL;DR: In this article, the authors proposed a tokenization-based authentication scheme, which can serve the purpose of honeywords but in a more cost-effective way than traditional password-based schemes.
Abstract: In the era of computer systems, user authentication, both online and offline, is an unavoidable step for securing users’ privacy. Password-based authentication is popularly adopted for its simplicity in this context. In password-based authentication, a set of credentials (mostly username and password) is required to identify the unique user. But this method of authentication is vulnerable to the inversion attack paradigm. In an inversion attack, the adversary obtains the plaintext password by cracking the hashed value of the password. Honeyword-based authentication has been introduced to combat such attacks. In this strategy, certain dummy passwords or honeywords are saved along with the user’s original password. When an adversary tries to enter one of the honeywords to log into the system, an alarm message is sent to the authority via an auxiliary server called the honeychecker. Although this technique is useful to address this type of security threat, the requirement of additional space to store the honeywords is still an overhead. Driven by these drawbacks, this work aims to propose a strategy which can serve the purpose of honeywords but in a more cost-effective way. In this technique, the concept of tokenization is utilized. Theoretical and experimental analyses have been done to assess the viability of the proposed scheme. A comparative study between the proposed scheme and honeyword-based authentication has been carried out based on required storage cost and resiliency against MSV attack. From our rigorous analysis, it is found that our scheme shows promising results in terms of other usability and security features as well.
References
Proceedings ArticleDOI
04 Nov 2013
TL;DR: It is proposed that an auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
Abstract: We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

264 citations
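The honeyword mechanism described in the abstract above and in the cited Juels–Rivest paper (sweetwords stored with the real password, a separate honeychecker that knows only the index of the real one, an alarm when a honeyword is submitted) can be modelled in a few dozen lines. The following is an added illustration, not code from either paper: the class names, the PBKDF2 parameters, and the sample honeywords are all constructed here. It also exposes the per-user storage cost that the tokenization paper cites as the overhead of the approach.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumption: PBKDF2-HMAC-SHA256 as the password hash; the papers do not fix one.
PBKDF2_ITERATIONS = 50_000
SALT_LEN = 16


def hash_sweetword(word: str, salt: bytes) -> bytes:
    """Salted slow hash applied identically to the real password and every honeyword."""
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class HoneyChecker:
    """Auxiliary server: holds only user -> index of the real password.

    It never sees passwords or hashes, so a breach of the main password file
    alone does not tell the adversary which sweetword is genuine.
    """
    _real_index: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        """True if the submitted sweetword is the real one; otherwise raise an alarm."""
        if self._real_index.get(user) == index:
            return True
        self.alarms.append((user, index))  # honeyword submitted: likely a breached file
        return False


@dataclass
class LoginServer:
    """Main server: stores k sweetword hashes per user (real password + k-1 honeywords)."""
    checker: HoneyChecker
    _store: dict = field(default_factory=dict)  # user -> (salt, [hash, ...])

    def register(self, user: str, password: str, honeywords: list) -> None:
        if password in honeywords:
            raise ValueError("a honeyword must not equal the real password")
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # real position must not be predictable
        salt = os.urandom(SALT_LEN)
        self._store[user] = (salt, [hash_sweetword(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'honeyword' (alarm raised) or 'reject' (no sweetword matched)."""
        salt, hashes = self._store[user]
        candidate = hash_sweetword(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return "ok" if self.checker.check(user, i) else "honeyword"
        return "reject"

    def storage_bytes(self, user: str) -> int:
        """Per-user cost of the scheme: one salt plus k hashes (the overhead the paper targets)."""
        salt, hashes = self._store[user]
        return len(salt) + sum(len(h) for h in hashes)


if __name__ == "__main__":
    checker = HoneyChecker()
    server = LoginServer(checker)
    # Constructed sample: one real password and three look-alike honeywords.
    server.register("alice", "Tr0ub4dor&3", ["Tr0ub4dor&5", "Tr0ub4dor&7", "Troubador&3"])
    print(server.login("alice", "Tr0ub4dor&3"))   # ok
    print(server.login("alice", "Tr0ub4dor&5"))   # honeyword -> alarm recorded
    print(server.login("alice", "letmein"))       # reject
    print(checker.alarms, server.storage_bytes("alice"))
```

The split between the two servers is the whole point: the main password file alone yields k equally plausible candidates per user, and the first attempt with a wrong candidate is what the honeychecker turns into a breach signal. The `storage_bytes` figure grows linearly in k, which is the cost the tokenization scheme in the abstract sets out to avoid.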

Proceedings ArticleDOI
18 May 2014
TL;DR: In this paper, the authors conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and find that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.
Abstract: A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and find that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model proposed in Weir et al., which has been used as the state-of-the-art password model in recent research.

248 citations

Proceedings ArticleDOI
08 Sep 2015
TL;DR: Three concepts -- modified tails, close number formation and caps key -- are introduced to address the existing issues, and the experimental analysis shows that the proposed techniques with some preprocessing can protect a high percentage of passwords.
Abstract: Traditionally, passwords are stored in hashed format. However, if the password file is compromised, then by using a brute force attack there is a high chance that the original passwords can be leaked. False passwords -- also known as honeywords -- are used to protect the original passwords from such a leak. A good honeyword system is dependent on effective honeyword generation techniques. In this paper, the risk and limitations of some of the existing honeyword generation techniques have been identified as different notes. Three concepts -- modified tails, close number formation and caps key -- are introduced to address the existing issues. The experimental analysis shows that the proposed techniques with some preprocessing can protect a high percentage of passwords. Finally, a comparative analysis is presented to show how the proposed approaches stand with respect to the existing honeyword generation approaches.

15 citations

Proceedings ArticleDOI
24 May 2021
TL;DR: In this article, the authors propose HoneyGen, a practical and highly robust HGT that produces realistic-looking honeywords by leveraging representation learning techniques to learn useful and explanatory representations from a massive collection of unstructured data, i.e., each operator's password database.
Abstract: Honeywords are false passwords injected in a database for detecting password leakage. Generating honeywords is a challenging problem due to the various assumptions about the adversary's knowledge as well as users' password-selection behaviour. The success of a Honeywords Generation Technique (HGT) lies in the resulting honeywords; the method fails if an adversary can easily distinguish the real password. In this paper, we propose HoneyGen, a practical and highly robust HGT that produces realistic-looking honeywords. We do this by leveraging representation learning techniques to learn useful and explanatory representations from a massive collection of unstructured data, i.e., each operator's password database. We perform both a quantitative and qualitative evaluation of our framework using the state-of-the-art metrics. Our results suggest that HoneyGen generates high-quality honeywords that cause sophisticated attackers to achieve low distinguishing success rates.

12 citations

Journal ArticleDOI
TL;DR: This paper proposes a few directions to minimize the storage cost of some of the existing honeyword generation approaches and has even found that in some cases no additional storage overhead is required.

12 citations