Honeywords: making password-cracking detectable

We propose a simple method for improving the security of hashed passwords: the maintenance of additional "honeywords" (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
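The split described above, as an added example rather than code from the paper: the login server keeps salted hashes of every sweetword (real password plus honeywords) in random order, while the honeychecker holds only the index of the real one, so neither store alone reveals which is which. Class names, the PBKDF2 parameters and the sample credentials are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets


class Honeychecker:
    """Auxiliary server: stores only user -> index of the real password among the sweetwords."""

    def __init__(self):
        self._index = {}
        self.alarms = []  # users for whom a honeyword was submitted

    def set_index(self, user, idx):
        self._index[user] = idx

    def check(self, user, idx):
        ok = self._index.get(user) == idx
        if not ok:
            self.alarms.append(user)  # a honeyword matched: raise the alarm
        return ok


def _hash(salt, word):
    # Hypothetical parameters for the demo; a real deployment would tune these.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)


class LoginServer:
    """Holds the password file: user -> (salt, hashes of all sweetwords in shuffled order)."""

    def __init__(self, checker):
        self.checker = checker
        self.db = {}

    def register(self, user, password, honeywords):
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # position of the real password is random
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(salt, w) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user, candidate):
        if user not in self.db:
            return False
        salt, hashes = self.db[user]
        h = _hash(salt, candidate)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return self.checker.check(user, i)  # honeychecker decides real vs. honeyword
        return False  # not a sweetword at all: an ordinary failed login, no alarm
```

Note that a cracked password file yields the attacker k sweetwords per account and a one-in-k chance of picking the real one without tripping the honeychecker.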