ABSTRACT
Traditionally, passwords are stored in hashed form. However, if the password file is compromised, a brute-force attack has a high chance of recovering the original passwords. False passwords, also known as honeywords, are used to protect the original passwords from such a leak. A good honeyword system depends on effective honeyword generation techniques. In this paper, the risks and limitations of some existing honeyword generation techniques are identified and presented as separate notes. Three concepts (modified tails, close number formation, and caps key) are introduced to address the existing issues. The experimental analysis shows that the proposed techniques, with some preprocessing, can protect a high percentage of passwords. Finally, a comparative analysis is presented to show how the proposed approaches stand with respect to existing honeyword generation approaches.
Few notes towards making honeyword system more secure and usable