
Honey, I Chunked the Passwords: Generating Semantic Honeywords Resistant to Targeted Attacks Using Pre-trained Language Models

Conference paper in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2023)

Abstract

Honeywords are fictitious passwords inserted into databases in order to identify password breaches. The major challenge is producing honeywords that are difficult to distinguish from real passwords. Although the generation of honeywords has been widely investigated in the past, the majority of existing research assumes attackers have no knowledge of the users. These honeyword generation techniques (HGTs) may utterly fail if attackers exploit users’ personally identifiable information (PII) and the real passwords include users’ PII. The literature has demonstrated that password guessing is more effective when it focuses on each of the chunks that compose a password (e.g., “P@ssword123” contains two chunks: “P@ssword” and “123”), and it has been suggested that, when available, PII should be used to generate honeywords. We thus leverage these findings to base our HGT on any possible PII contained within passwords, and introduce a new method to generate honeywords that is more robust than its counterparts in the literature: honeywords are generated with GPT-3 from the semantic chunks of their corresponding real passwords.

Furthermore, we propose a new metric, HWSimilarity, to evaluate the capability of HGTs. HWSimilarity is a pre-trained language model-based similarity metric that considers the semantic meaning of passwords when measuring the indistinguishability of honeywords from their counterparts. Comparing our chunk-level GPT-3 HGT to two state-of-the-art HGTs and to GPT-3 used alone, we show that our HGT can generate honeywords that are more indistinguishable than those of its counterparts.
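As an added illustration (not code from the paper or its repository), the chunking idea from the abstract combined with the honeyword mechanism it builds on: a simplified character-class chunker stands in for the paper's semantic chunker, a constructed word pool stands in for GPT-3's chunk suggestions, and a honeychecker flags a login that uses a decoy.

```python
import random
import re

# Split at character-class boundaries; a word chunk may embed the leet symbols
# @ $ ! between letters, so "P@ssword123" -> ["P@ssword", "123"]. This is an
# assumed, simplified stand-in for the paper's semantic chunker.
CHUNK_RE = re.compile(r"[A-Za-z](?:[A-Za-z@$!]*[A-Za-z])?|[0-9]+|[^A-Za-z0-9]+")
# Constructed chunk pool standing in for GPT-3's chunk-level suggestions.
WORD_POOL = ["welcome", "summer", "dragon", "monkey", "shadow", "flower"]
LEET = {"a": "@", "s": "$", "i": "!"}

def chunk(password: str) -> list[str]:
    return CHUNK_RE.findall(password)

def chunk_kind(c: str) -> str:
    return "word" if c[0].isalpha() else "digits" if c.isdigit() else "symbols"

def mutate_chunk(c: str, rng: random.Random) -> str:
    """Replace one chunk with a decoy of the same kind that keeps its shape."""
    kind = chunk_kind(c)
    if kind == "digits":  # same length keeps a year or PIN looking like one
        return "".join(rng.choice("0123456789") for _ in c)
    if kind == "word":
        word = rng.choice(WORD_POOL)
        if any(ch in c for ch in LEET.values()):  # mirror the leet style
            word = word[0] + "".join(LEET.get(ch, ch) for ch in word[1:])
        return word.capitalize() if c[0].isupper() else word
    return c  # separators are kept as they are

def generate_honeywords(password: str, k: int, rng=None) -> list[str]:
    """k distinct decoys assembled chunk for chunk from the real password."""
    rng, chunks, honeywords = rng or random.Random(0), chunk(password), []
    while len(honeywords) < k:
        candidate = "".join(mutate_chunk(c, rng) for c in chunks)
        if candidate != password and candidate not in honeywords:
            honeywords.append(candidate)
    return honeywords

def make_sweetwords(password: str, k: int, seed: int = 0) -> tuple[list[str], int]:
    """Shuffle the real password among k honeywords; only the honeychecker keeps the index."""
    rng = random.Random(seed)
    sweetwords = generate_honeywords(password, k, rng) + [password]
    rng.shuffle(sweetwords)
    return sweetwords, sweetwords.index(password)

def honeychecker_check(sweetwords: list[str], real_index: int, attempt: str) -> str:
    """Return 'ok' for the real password, 'alert' for a decoy, 'reject' otherwise."""
    if attempt not in sweetwords:
        return "reject"
    return "ok" if sweetwords.index(attempt) == real_index else "alert"
```

An 'alert' is the breach signal: a submitted sweetword that is not the real password can only have come from the stolen credential store.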


Notes

  1. Source code: https://github.com/HumanMachineLab/Chunk-GPT3.
  2. 1.4 Billion Clear Text Credentials Discovered in a Single Database: https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14.


Acknowledgement

The authors thank the assigned shepherd and anonymous reviewers for their valuable comments that improved the quality of the paper. We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada (NSERC), funding reference number RGPIN-2018-05919.

Author information

Correspondence to Fangyi Yu or Miguel Vargas Martin.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Yu, F., Martin, M.V. (2023). Honey, I Chunked the Passwords: Generating Semantic Honeywords Resistant to Targeted Attacks Using Pre-trained Language Models. In: Gruss, D., Maggi, F., Fischer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2023. Lecture Notes in Computer Science, vol 13959. Springer, Cham. https://doi.org/10.1007/978-3-031-35504-2_5


  • DOI: https://doi.org/10.1007/978-3-031-35504-2_5
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-35503-5
  • Online ISBN: 978-3-031-35504-2
  • eBook Packages: Computer Science, Computer Science (R0)
