Abstract
It is natural for Internet users to use a password vault to encrypt and manage numerous passwords with a single master password. Using one password to rule them all is handy, but an attacker can focus on breaking the vault by brute-forcing the master password. The honey password vault was proposed to handle this security concern. It traps the attacker by generating a plausible decoy vault whenever the password vault is decrypted with a “guessed” master password, so that it is hard for the attacker to tell which vault is real. Following the seminal work (S&P’15), many schemes have been proposed to counter advanced attacks, e.g., the Kullback-Leibler divergence attack (CCS’16), the encoding attack (USENIX Security’19), and the intersection attack (USENIX Security’21). But we find that they barely capture the security after the master password is reset. Once the reset is completed, the attacker can identify the decoy vault by decrypting and comparing the old and new versions of the password vault. To prove this, we propose a new master password guessing attack (MPGA) that breaks all existing honey password vault schemes. Experimental results show that MPGA can easily distinguish real and decoy vaults with 99.12%–100.00% accuracy. We further design a secure master-password-updatable honey password vault scheme, named SMART, to resist MPGA. SMART guarantees that the MPGA attacker decrypts similar decoy vaults from the old and new versions of a password vault. We demonstrate that SMART restricts the attack performance of MPGA to 49.88% (close to the ideal value of 50.00%).
Notes
- 1.
To avoid ambiguity, hereafter, by “resetting” a master password we mean that a user updates or modifies the master password; we also note that this change may apply to all or only part of the password, depending on the user’s habits.
- 2.
In this work, we focus only on resetting the master password, where the plaintext password vault remains unchanged. We also discuss the case where users modify part of the password vault in Appendix B.1.
References
1. 1Password: 1Password security design. https://1passwordstatic.com/files/security/1password-white-paper.pdf
2. Bohuk, M.S., Islam, M., Ahmad, S., Swift, M., Ristenpart, T., Chatterjee, R.: Gossamer: securely measuring password-based logins. In: USENIX Security 2022, pp. 1867–1884 (2022)
3. Bojinov, H., Bursztein, E., Boyen, X., Boneh, D.: Kamouflage: loss-resistant password management. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 286–302. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_18
4. Chatterjee, R., Bonneau, J., Juels, A., Ristenpart, T.: Cracking-resistant password vaults using natural language encoders. In: IEEE S&P 2015, pp. 481–498 (2015)
5. Cheng, H., Li, W., Wang, P., Chu, C.H., Liang, K.: Incrementally updateable honey password vaults. In: USENIX Security 2021, pp. 857–874 (2021)
6. Cheng, H., Zheng, Z., Li, W., Wang, P., Chu, C.H.: Probability model transforming encoders against encoding attacks. In: USENIX Security 2019, pp. 1573–1590 (2019)
7. Enpass: Enpass security whitepaper. https://support.enpass.io/docs/security-whitepaper-enpass/index.html
8. Gasti, P., Rasmussen, K.B.: On the security of password manager database formats. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 770–787. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_44
9. Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: IEEE S&P 2017, pp. 251–267 (2017)
10. Golla, M., Beuscher, B., Dürmuth, M.: On the security of cracking-resistant password vaults. In: ACM CCS 2016, pp. 1230–1241 (2016)
11. Golla, M., Dürmuth, M.: On the accuracy of password strength meters. In: ACM CCS 2018, pp. 1567–1582 (2018)
12. Google: Google Chrome privacy whitepaper. https://www.google.com/chrome/privacy/whitepaper.html
13. Jaeger, J., Ristenpart, T., Tang, Q.: Honey encryption beyond message recovery security. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 758–788. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_29
14. Juels, A., Ristenpart, T.: Honey encryption: security beyond the brute-force bound. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 293–310. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_17
15. Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: ACM CCS 2013, pp. 145–160 (2013)
16. Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)
17. LastPass: LastPass technical whitepaper. https://support.lastpass.com/help/lastpass-technical-whitepaper
18. LastPass: Master password policy. https://support.lastpass.com/help/what-is-the-lastpass-master-password-lp070014
19. Mayer, P., Munyendo, C.W., Mazurek, M.L., Aviv, A.J.: Why users (don’t) use password managers at a large educational institution. In: USENIX Security 2022, pp. 1849–1866 (2022)
20. Pal, B., Daniel, T., Chatterjee, R., Ristenpart, T.: Beyond credential stuffing: password similarity models using neural networks. In: IEEE S&P 2019, pp. 417–434 (2019)
21. Ray, H., Wolf, F., Kuber, R., Aviv, A.J.: Why older adults (don’t) use password managers. In: USENIX Security 2021, pp. 73–90 (2021)
22. Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: USENIX Security 2012, pp. 65–80 (2012)
23. Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: ACM CCS 2016, pp. 1242–1254 (2016)
24. Wang, D., Zou, Y., Dong, Q., Song, Y., Huang, X.: How to attack and generate honeywords. In: IEEE S&P 2022, pp. 489–506 (2022)
25. Weir, M., Aggarwal, S., De Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: IEEE S&P 2009, pp. 391–405 (2009)
26. Yujian, L., Bo, L.: A normalized Levenshtein distance metric. IEEE Trans. Pattern Anal. Mach. Intell. 29(6), 1091–1095 (2007)
Acknowledgements
We would like to thank the anonymous reviewers for their insightful comments and valuable suggestions. This work was supported in part by the National Key Research and Development Program of China under Grant No. 2021YFB3101304, in part by the National Natural Science Foundation of China under Grant No. 62272186 and No. 62372201.
Appendices
A Honey Password Vaults
The concept of decoy vaults comes from Bojinov et al.’s password vault Kamouflage [3]. However, their scheme relies on a fixed number (e.g., 1,000) of pre-generated decoy vaults and is incompatible with honey encryption (HE) [13, 14]. In this work, we deal with HE-based schemes, e.g., [4,5,6, 10]. HE encodes the vault into a bit string called the seed through a distribution-transforming encoder (DTE) and then encrypts the seed into a ciphertext with password-based encryption (PBE). A DTE consists of an encoder and a decoder. At the encoding stage, the passwords in a vault are encoded to obtain the bit string s, called the seed. Then, s is encrypted with the master password in the PBE scheme: HE derives a key \(K = K\!D\!F(mpw, sa)\), where sa is a freshly generated uniform salt, mpw is the master password, and \(K\!D\!F\) is a password-based key derivation function built on \(S\!H\!A\text {-}256\). Next, s is encrypted using AES in CTR mode with key K to produce the ciphertext C. Decryption reverses this process: take the master password as input from the user, derive K as the decryption key, decrypt C with K, and decode the decrypted s into the plaintext password vault. Existing honey password vault schemes store passwords as ciphertext through the HE scheme, while the metadata (i.e., Domain, Username, Computer-generated, Password position) in the password vault is stored in plaintext. Computer-generated passwords are encoded into a uniformly distributed seed, whereas user-generated passwords are encoded by the DTE. In this work, we focus only on user-generated passwords. Popular password vault systems can remind users to reset passwords that may have been leaked. To update the vault, the updated password is incrementally appended to the end of the vault and the password position is modified. If the master password is reset, the old vault is “re-encrypted” accordingly.
B Extended Evaluations
B.1 MPGA’s Performance on Updated Vault
We test the security of honey password vault schemes against a hybrid attack in which the master password and the vault (i.e., the passwords stored in the vault) are updated simultaneously. Resetting the master password is relatively straightforward from the user’s perspective: the user only needs to authenticate once. However, updating the passwords in the vault is complicated, as each password is subject to a different website policy, and the user has to go through various authentication steps. In addition, since the user probably cannot update the entire password vault (i.e., all the passwords) at the same time, the vault service provider may back up multiple historical versions of the vault. Hence, the attacker could obtain multiple leaked versions.
We choose the vaults with size \( M \ge 10 \) from Pastebin. Then, we randomly shuffle the passwords in each vault and treat the last \( ur\in \{ 20.00\%, 40.00\%, 60.00\%, 80.00\%, 100.00\% \}\) of the passwords as newly added passwords; in the old version of a vault, we remove this last ur of passwords. We use this simplified approach to simulate the old and new versions of a vault after the user updates both the master password and the vault (i.e., all the passwords). The candidate list size is \(N \in \{10, 100, 1000, 10000 \}\). Given the old/new plaintext password vaults \(v^{\text {o}}, v^{\text {n}}\), the priority function \(p_{H\!A}(v^{\text {o}}, v^{\text {n}})\) of the hybrid attack equals 1 if \(v^\text {o}\) is the same as \(v^\text {n}\) except for the updated passwords; otherwise, \(p_{H\!A}(v^{\text {o}}, v^{\text {n}})\) equals 0. We have
As shown in Fig. 5, the accuracy of the hybrid attack can reach 100.00% when the update rate is \(<80.00\%\). If the rate is \(>80.00\%\), the accuracy drops accordingly, and the attack fails when 100.00% of the vault is updated. Note that in practice a user cannot update the entire password vault at once, and each modification updates only a limited number of passwords. The hybrid attack is therefore effective whenever the difference rate between the old and new versions is below 80%. Our SMART is resistant to the hybrid attack: its accuracy rate remains at 50.00% after various vault updates (see Table 4).
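As an added illustration (not the paper’s code) of the HE pipeline in Appendix A and of the priority functions used by MPGA and the hybrid attack in B.1, the toy below encodes a vault through a DTE, encrypts the seed under a PBKDF2-SHA256 key, re-encrypts it after a master-password reset, and scores old/new decryptions. It assumes a constructed eight-password uniform model as the DTE, an HMAC-SHA256 counter-mode keystream in place of AES-CTR so that it runs on the standard library alone, and reads \(p_{H\!A}\) as agreement on the non-updated prefix of the vault.

```python
import hashlib, hmac, os, secrets
# Constructed toy password model standing in for a trained DTE (assumed uniform over 8 passwords).
MODEL = ["123456", "password", "qwerty", "iloveyou", "dragon", "sunshine", "letmein", "monkey"]

def dte_encode(vault):
    """DTE encoder: each password becomes a random 2-byte value that decodes back to it."""
    seed = bytearray()
    for pw in vault:
        r = MODEL.index(pw) + len(MODEL) * secrets.randbelow(65536 // len(MODEL))
        seed += r.to_bytes(2, "big")
    return bytes(seed)

def dte_decode(seed):
    """DTE decoder: every 2-byte value maps to some model password, so any seed is a plausible vault."""
    return [MODEL[int.from_bytes(seed[i:i + 2], "big") % len(MODEL)] for i in range(0, len(seed), 2)]

def kdf(mpw, salt):
    return hashlib.pbkdf2_hmac("sha256", mpw.encode(), salt, 10_000)  # K = KDF(mpw, sa)

def ctr_xor(key, data):
    """Counter-mode keystream from HMAC-SHA256, a stand-in for the paper's AES-CTR."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_vault(vault, mpw):
    salt = os.urandom(16)  # fresh uniform salt on every (re-)encryption
    return salt, ctr_xor(kdf(mpw, salt), dte_encode(vault))

def decrypt_vault(salt, ct, mpw):
    return dte_decode(ctr_xor(kdf(mpw, salt), ct))

def p_mpga(v_old, v_new):
    """MPGA priority: 1 when the old and new versions decrypt to the same vault."""
    return int(v_old == v_new)
def p_ha(v_old, v_new):
    """Hybrid-attack priority: 1 when the non-updated prefix agrees (updates are appended at the end)."""
    return int(v_new[:len(v_old)] == v_old)

def reset_leak(vault, mpw_old, mpw_new, guess, added=()):
    """Score the correct (old, new) pair and one wrong guess on both versions after a reset; returns (right, wrong)."""
    salt_o, c_o = encrypt_vault(vault, mpw_old)
    salt_n, c_n = encrypt_vault(list(vault) + list(added), mpw_new)
    score = p_ha if added else p_mpga
    right = score(decrypt_vault(salt_o, c_o, mpw_old), decrypt_vault(salt_n, c_n, mpw_new))
    wrong = score(decrypt_vault(salt_o, c_o, guess), decrypt_vault(salt_n, c_n, guess))
    return right, wrong
```

A wrong guess decrypts each version to a plausible decoy, but the two decoys disagree because the seed is re-randomised under a fresh salt; that disagreement is the signal a scheme must remove, which is what SMART’s similar-decoy guarantee targets.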
B.2 Experimental Parameters Evaluation
In this evaluation, we randomly select \(90.00\%\) of the passwords from the Yahoo dataset as the training set for the DTE and use the remaining \(10.00\%\) as the real password vaults. For the real password vaults, we use the same sizes \(M \in \{10, 100, 1000, 10000\}\). The experiments on Gmail follow the same settings. In Fig. 6, we show the accuracy of the four attacks (i.e., the KL divergence attack, encoding attack, intersection attack, and MPGA) as the number of passwords in the vault increases. MPGA maintains 100.00% accuracy against the previous schemes (i.e., Chatterjee-PCFG, Golla-Markov, and Cheng-IUV), while SMART remains highly resistant to all of the above attacks. We also see that different password datasets produce similar results, and that the vault size has only a minor effect on the results.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Rao, T., Su, Y., Xu, P., Zheng, Y., Wang, W., Jin, H. (2024). You Reset I Attack! A Master Password Guessing Attack Against Honey Password Vaults. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_8
DOI: https://doi.org/10.1007/978-3-031-51479-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51478-4
Online ISBN: 978-3-031-51479-1