You Reset I Attack! A Master Password Guessing Attack Against Honey Password Vaults

Abstract

It is natural for Internet users to use a password vault to encrypt and manage numerous passwords with a master password. Using one to rule all that is handy but attackers can focus on breaking the vault by brute-force attacking the master password. The honey password vault is proposed to handle the above security concern. It traps the attacker by generating a plausible decoy vault when decrypting the password vault with a “guessing” master password, such that it is hard for the attacker to obtain the real vault. Following the seminal work (S&P’15), many schemes have been proposed to counter advanced attacks, e.g., the Kullback-Leibler divergence attack (CCS’16), encoding attack (USENIX Security’19), and intersection attack (USENIX Security’21). But we find that they barely capture the security after the master password is reset. Once the reset is completed, the attacker can identify the decoy vault by decrypting and comparing the old and new versions of a password vault. To prove this, we propose a new master password guessing attack (MPGA) to break all the existing honey password vault schemes. Experimental results show that MPGA can easily distinguish real and decoy vaults with 99.12%–100.00% accuracy. We further design a secure master-password-updatable honey password vault scheme, named SMART, to resist MPGA. SMART guarantees that the MPGA attacker decrypts out similar decoy vaults from the old and new versions of a password vault. We demonstrate that SMART restricts the attack performance of the MPGA to 49.88% (close to the ideal value 50.00%).

Appendices

A Honey Password Vaults

The concept of decoy vaults comes from Bojinov et al.’s password vault Kamouflage [3]. However, their scheme is based on a static amount (e.g., 1,000) of decoy vaults pre-generated and is incompatible with the honey encryption (HE) [13, 14] scheme. In this work, we deal with HE-based schemes, e.g., [4,5,6, 10]. HE encodes the vault to the bit string called seed through DTE and then encrypts the seed to ciphertext using PBE. DTE consists of an encoder and a decoder. At the encoding stage, encode passwords in a vault to obtain the bit string s called the seed. Then, the string s is encrypted with the master password in the PBE scheme. In the encrypting process, HE derives a key \(K = K\!D\!F(mpw, sa)\), where sa is the generated uniform salt, and mpw is the master password. Here, \(K\!D\!F\) is a password-based key derivation function with \(S\!H\!A\text {-}256\). Then, encrypt s using AES in CTR-mode with key K and generate the ciphertext C. The decryption works reversely as compared to the above process. Take the master password as input from the user, then derive K as the decryption key. Then, decrypt the C with the K and decode the decrypted s to the plaintext password vault. Existing honey password vault schemes store passwords in the form of ciphertext through the HE scheme. The metadata (i.e., Domain, Username, Computer-generated, Password position) in the password vault is stored in plaintext. The computer-generated passwords are encoded into uniformly distributed seed. In contrast, the user-generated passwords are encoded by the DTE. In this work, we only focus on user-generated passwords. The existing popular password vault systems can remind users to reset the passwords that may have been leaked. To update the vault, incrementally add the updated password to the end of the vault and modify the password position. If the master password is reset, the old vault will be “re-encrypted” accordingly.

B Extended Evaluations

1.1 B.1 MPGA’s Performance on Updated Vault

We test the security of honey password vault schemes against a hybrid attack where the master password and the vault (i.e., the passwords stored in the vault) are updated simultaneously. The process of resetting the master password is relatively straightforward from the user’s perspective. The user only needs to authenticate once to do so. However, updating the passwords in the vault is complicated, as each password corresponds to a different website policy, and the user has to execute various authentication steps. In addition, since the user probably cannot update the entire password vault (i.e., all the passwords) at the same time, the vault service provider may back up multiple historical versions of the vault. Hence, the attacker could obtain multi-leakage versions.

Fig. 5.

Performance: hybrid attack on honey password vault schemes under the update rate \( ur\in \{ 20.00\%, 40.00\%, 60.00\%, 80.00\%, 100.00\% \}\). The candidate list size \(N \in \{10, 100, 1000, 10000 \}\).

We choose the vaults with size \( M \ge 10 \) from Pastebin. Then, we randomly shuffle the passwords in each vault and denote the last \( ur\in \{ 20.00\%, 40.00\%, 60.00\%, 80.00\%, 100.00\% \}\) password as the newly added passwords. In the old version of a vault, we remove the last ur of passwords. We use this simplified approach to simulate the old and new versions of a vault after the user updates both the master password and the vault (i.e., all the passwords). The candidate list size \(N \in \{10, 100, 1000, 10000 \}\). Given the old/new plaintext password vaults \(v^{\text {o}}, v^{\text {n}}\), the priority function \(p_{H\!A}(v^{\text {o}}, v^{\text {n}})\) of the hybrid attack is equal to 1 if \(v^\text {o}\) is the same as \(v^\text {n}\) except for the update passwords; otherwise, the \(p_{H\!A}(v^{\text {o}}, v^{\text {n}})\) is equal to 0. We have

$$\begin{aligned} \begin{aligned} p_{H\!A}(v^{\text {o}}, v^{\text {n}}) = \left\{ \begin{array}{ll} 1 , &{} v^{\text {o}} \text { is the front part of } v^{\text {n}},\\ 0 , &{} \text {otherwise}. \end{array} \right. \end{aligned} \end{aligned}$$

As shown in Fig. 5, the accuracy of the hybrid attack can reach 100.00%, when the update rate is \(<80.00\%\). If the rate is \(>80.00\%\), the accuracy reduces accordingly, and the attack fails when there is a 100.00% update. Note that the user cannot update the entire password vault at the same time. Moreover, every modification cannot update too many passwords. The hybrid attack is effective if the difference rate between the old and new versions is less than 80%. We state that our SMART is resistant to the hybrid attack, and the accuracy rate remains at 50.00% after various vault updates, see Table 4.

Table 4. Performance: hybrid attack on our scheme under the update rate \( ur\in \{ 20.00\%, 40.00\%,\) \(60.00\%, 80.00\%, 100.00\% \}\). We set the candidate list size \(N = 1,000\).

Fig. 6.

Evaluation: attacking different vault sizes \(M \in \{10, 100, 1000, 10000\}\) of honey password vaults, and the candidate size \(N = 1,000\). We used the leaked password datasets Yahoo (subfig. a–d) and Gmail (subfig. e–h) to train DTEs.

1.2 B.2 Experimental Parameters Evaluation

In this evaluation, we randomly select \(90.00\%\) of passwords from the Yahoo dataset as the training set to train the DTE and the other \(10.00\%\) as the real password vault. In the real password vault, we set up the same size \(M \in \{10, 100, 1000, 10000\}\). The experiments on Gmail follow the same settings. In Fig. 6, we show the accuracy of the four attacks (i.e., KL divergence attack, encoding attack, intersection attack, and MPGA) by increasing the number of passwords in the vault. MPGA maintains 100.00% accuracy against previous schemes (i.e., Chatterjee-PCFG, Golla-Markov, and Cheng-IUV). SMART still has great resistance to above attacks. We also see that different password datasets produce similar results, and the vault size has a minor effect on the results.