Paper 2014/323

Some Remarks on Honeyword Based Password-Cracking Detection

Imran Erguler

Abstract

Recently, Juels and Rivest proposed honeywords (decoy pass- words) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, an adversary who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing storage requirement by 20 times, the authors introduce a simple and effective solution to detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. Also, we suggest an alternative approach that selects honeywords from existing user passwords in the system to provide realistic honeywords – a perfectly flat honeyword generation method – and also to reduce storage cost of the honeyword scheme.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
authenticationpassword securityhoneywords
Contact author(s)
imran erguler @ tubitak gov tr
History
2014-05-08: received
Short URL
https://ia.cr/2014/323
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/323,
      author = {Imran Erguler},
      title = {Some Remarks on Honeyword Based Password-Cracking Detection},
      howpublished = {Cryptology ePrint Archive, Paper 2014/323},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/323}},
      url = {https://eprint.iacr.org/2014/323}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.