Examination of a New Defense Mechanism: Honeywords

Past experience shows that password breaches remain one of the main ways attackers obtain personal or sensitive user data. Basically, once they have access to a list of hashed passwords, they mount guessing attacks, i.e., they attempt to recover a password by trying a large number of candidates. We certainly need to change our way of thinking and adopt a novel and creative approach in order to protect our passwords. In fact, there are already novel attempts to provide password protection. The Honeywords system of Juels and Rivest is one of them; it provides a detection mechanism for password breaches. Roughly speaking, they propose a method for password-based authentication systems in which fake passwords, i.e., “honeywords”, are added to the password file in order to detect impersonation. Their solution includes an auxiliary secure server called the “honeychecker”, which can distinguish a user’s real password from her honeywords and immediately sets off an alarm whenever a honeyword is used. However, they also pointed out that their system needs to be improved in various ways, and they highlighted some open problems. In this paper, after revisiting the security of their proposal, we specifically focus on and aim to solve one of those open problems, namely active attacks in which the adversary modifies the code running on either the login server or the honeychecker.
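The following is an added illustration of the mechanism the abstract describes; it is not code from the paper or from Juels and Rivest. It models the two-server split: the login server's password file holds salted hashes of every sweetword (the real password plus the honeywords) in a shuffled order, while the honeychecker holds nothing but each user's index of the real password. A login attempt that matches no sweetword is an ordinary failure; one that matches a honeyword is reported by the honeychecker as an alarm. The honeyword generator is a simplified, assumed variant of "chaffing by tweaking" (re-randomising the trailing digits); the class and function names are this example's own. The active attacks the paper targets, where code on either server is modified, are outside what this toy addresses.

```python
import hashlib
import hmac
import secrets
import string


def generate_honeywords(password: str, k: int) -> list[str]:
    """Simplified 'chaffing by tweaking' (assumed variant): replace the
    trailing digits of the real password with random digits, appending two
    digits if it has none. Returns k distinct honeywords != password."""
    rng = secrets.SystemRandom()
    stem = password.rstrip(string.digits)
    n_digits = max(len(password) - len(stem), 2)
    honeywords: set[str] = set()
    while len(honeywords) < k:
        tail = "".join(rng.choice(string.digits) for _ in range(n_digits))
        candidate = stem + tail
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)


def _hash(salt: bytes, word: str) -> bytes:
    # Slow salted hash so a stolen file still needs a guessing attack per sweetword.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)


class Honeychecker:
    """Auxiliary server: stores only user -> index of the real password.
    It never sees passwords or hashes, so a stolen password file alone does
    not reveal which sweetword is real."""

    def __init__(self) -> None:
        self._index: dict[str, int] = {}
        self.alarms: list[tuple[str, int]] = []

    def set(self, user: str, index: int) -> None:
        self._index[user] = index

    def check(self, user: str, index: int) -> bool:
        ok = self._index.get(user) == index
        if not ok:
            # A sweetword matched but it was a honeyword: breach signal.
            self.alarms.append((user, index))
        return ok


class LoginServer:
    """Holds the password file: user -> (salt, hashes of shuffled sweetwords)."""

    def __init__(self, checker: Honeychecker, k: int = 3) -> None:
        self.checker = checker
        self.k = k
        self._file: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str, honeywords=None) -> None:
        honeywords = list(honeywords) if honeywords else generate_honeywords(password, self.k)
        sweetwords = [password] + honeywords
        secrets.SystemRandom().shuffle(sweetwords)  # real index must be unpredictable
        salt = secrets.token_bytes(16)
        self._file[user] = (salt, [_hash(salt, w) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))
        # Plaintext sweetwords are discarded here; only hashes remain on this server.

    def login(self, user: str, attempt: str) -> bool:
        if user not in self._file:
            return False
        salt, hashes = self._file[user]
        h = _hash(salt, attempt)
        matches = [i for i, stored in enumerate(hashes) if hmac.compare_digest(h, stored)]
        if not matches:
            return False  # wrong password, not a sweetword: no alarm
        # Only the index crosses to the honeychecker, never the password.
        return self.checker.check(user, matches[0])


if __name__ == "__main__":
    hc = Honeychecker()
    srv = LoginServer(hc)
    srv.register("alice", "tulip42")          # constructed sample account
    print("real password accepted:", srv.login("alice", "tulip42"))
    print("random guess rejected:", srv.login("alice", "rose99"), "alarms:", hc.alarms)
```

In a deployment the honeychecker's only interface is `set` and `check` over an authenticated channel, and its alarm output should feed the same monitoring path as other high-severity authentication events, since a honeyword hit means the password file has most likely already been cracked.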
