[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/2508859.2516671acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

Honeywords: making password-cracking detectable

Published: 04 November 2013 Publication History

Abstract

We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

References

[1]
A. Evans, Jr., W. Kantrowitz, and E. Weiss. A user authentication scheme not requiring secrecy in the computer. Commun. ACM, 17(8):437--442, August 1974.
[2]
R. J. Anderson and T.M.A. Lomas. On fortifying key negotiation schemes with poorly chosen passwords. Electronics Letters, 30(13):1040--1041, 1994.
[3]
M. Bakker and R. van der Jagt. GPU-based password cracking. Technical report, Univ. of Amsterdam, 2010.
[4]
T. A. Berson, L. Gong, and T.M.A. Lomas. Secure, keyed, and collisionful hash functions. Technical Report SRI-CSL-94-08, SRI International Laboratory, 1993 (revised 2 Sept. 1994).
[5]
L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. All your contacts are belong to us: automated identity theft attacks on social networks. In WWW, pages 551--560, 2009.
[6]
H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: loss-resistant password management. In ESORICS, pages 286--302, 2010.
[7]
J. Bonneau. Guessing human-chosen secrets. PhD thesis, University of Cambridge, May 2012.
[8]
J. Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In IEEE Symposium on Security and Privacy, pages 538--552, 2012.
[9]
J. Bonneau and S. Preibusch. The password thicket: technical and market failures in human authentication on the web. In Workshop on the Economics of Information Security (WEIS), 2010.
[10]
B. M. Bowen, S. Hershkop, A. D. Keromytis, and S. J. Stolfo. Baiting inside attackers using decoy documents. In SecureComm, pages 51--70, 2009.
[11]
J. Brainard, A. Juels, B. Kaliski, and M. Szydlo. A new two-server approach for authentication with short secrets. In USENIX Security, pages 201--214, 2003.
[12]
J. Camenisch, A. Lysyanskaya, and G. Neven. Practical yet universally composable two-server password-authenticated secret sharing. In ACM CCS, pages 525--536, 2012.
[13]
William Cheswick. Rethinking passwords. Comm. ACM, 56(2):40--44, Feb. 2013.
[14]
F. Cohen. The use of deception techniques: Honeypots and decoys. In H. Bidgoli, editor, Handbook of Information Security, volume 3, pages 646--655. Wiley and Sons, 2006.
[15]
EMC Corp. RSA Distributed Credential Protection. http://www.emc.com/security/rsa-distributed-credential-protection.htm, 2013.
[16]
A. Czeskis, M. Dietz, T. Kohno, D. Wallach, and D. Balfanz. Strengthening user authentication through opportunistic cryptographic identity assertions. In ACM CCS, pages 404--414, 2012.
[17]
Defense Information Systems Agency (DISA) for the Department of Defense (DoD). Application security and development: Security technical implementation guide (STIG), version 3 release 4, 28 October 2011.
[18]
A. Forget, S. Chiasson, P. C. van Oorschot, and R. Biddle. Improving text passwords through persuasion. In SOUPS, pages 1--12, 2008.
[19]
C. Gaylord. LinkedIn, Last.fm, now Yahoo? don't ignore news of a password breach. Christian Science Monitor, 13 July 2012.
[20]
D. Gross. 50 million compromised in Evernote hack. CNN, 4 March 2013.
[21]
C. Herley and P. Van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy, 10(1):28--36, 2012.
[22]
S. Houshmand and S. Aggarwal. Building better passwords using probabilistic techniques. In ACSAC, pages 109--118, 2012.
[23]
P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, and J. Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In IEEE Symposium on Security and Privacy (SP), pages 523--537, 2012.
[24]
O. Kharif. Innovator: Ramesh Kesanupalli's biometric passwords stored on devices. Bloomberg Businessweek, 28 March 2013.
[25]
Microsoft TechNet Library. Password must meet complexity requirements. Referenced March 2012 at http://bit.ly/YAsGiZ.
[26]
R. Morris and K. Thompson. Password security: a case history. Commun. ACM, 22(11):594--597, November 1979.
[27]
A. Narayanan and V. Shmatikov. De-anonymizing social networks. In IEEE Symposium on Security and Privacy (SP), pages 173--187, 2009.
[28]
U.S. House of Representatives. H.R. 624: The Cyber Intelligence Sharing and Protection Act of 2013. 113th Cong., 2013.
[29]
B.-A. Parnell. LinkedIn admits site hack, adds pinch of salt to passwords. The Register, 7 June 2012.
[30]
I. Paul. Update: LinkedIn confirms account passwords hacked. PC World, 6 June 2012.
[31]
D. Perito, C. Castelluccia, M. A. Kaafar, and P. Manils. How unique and traceable are usernames? In Privacy Enhancing Technologies, pages 1--17, 2011.
[32]
N. Perlroth. Hackers in China attacked The Times for last 4 months. New York Times, page A1, 31 January 2013.
[33]
G. B. Purdy. A high security log-in procedure. Commun. ACM, 17(8):442--445, August 1974.
[34]
Shrisha Rao. Data and system security with failwords. U.S. Patent Application US2006/0161786A1, U.S. Patent Office, July 20, 2006. http://www.google.com/patents/US20060161786.
[35]
B. Ross, C. Jackson, N. Miyake, D. Boneh, and J.C. Mitchell. Stronger password authentication using browser extensions. In USENIX Security, 2005.
[36]
S. Schechter, A. J. B. Brush, and S. Egelman. It's no secret. measuring the security and reliability of authentication "secret" questions. In IEEE Symposium on Security and Privacy (SP), pages 375--390, 2009.
[37]
S. Schechter, C. Herley, and M. Mitzenmacher. Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In USENIX HotSec, pages 1--8, 2010.
[38]
E. Spafford. Observations on reusable password choices. In USENIX Security, 1992.
[39]
L. Spitzner. Honeytokens: The other honeypot. Symantec SecurityFocus, July 2003.
[40]
T. Wadhwa. Why your next phone will include fingerprint, facial, and voice recognition. Forbes, 29 March 2013.
[41]
M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek. Password cracking using probabilistic context-free grammars. In IEEE Symposium on Security and Privacy (SP), pages 162--175, 2009.
[42]
J. Yuill, M. Zappe, D. Denning, and F. Feer. Honeyfiles: deceptive files for intrusion detection. In Information Assurance Workshop, pages 116--122, 2004.
[43]
Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In ACM CCS, pages 176--186, 2010.

Cited By

View all
  • (2024)Act as a Honeytoken Generator! An Investigation into Honeytoken Generation with Large Language ModelsProceedings of the 11th ACM Workshop on Adaptive and Autonomous Cyber Defense10.1145/3689935.3690394(1-12)Online publication date: 11-Nov-2024
  • (2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
  • (2024)A Practical and Provably Secure Authentication and Key Agreement Scheme for UAV-Assisted VANETs for Emergency RescueIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.332397211:2(1454-1468)Online publication date: Mar-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. authentication
  2. chaffing
  3. honeywords
  4. login
  5. password cracking
  6. password hashes
  7. passwords

Qualifiers

  • Research-article

Conference

CCS'13
Sponsor:

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)215
  • Downloads (Last 6 weeks)12
Reflects downloads up to 30 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Act as a Honeytoken Generator! An Investigation into Honeytoken Generation with Large Language ModelsProceedings of the 11th ACM Workshop on Adaptive and Autonomous Cyber Defense10.1145/3689935.3690394(1-12)Online publication date: 11-Nov-2024
  • (2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
  • (2024)A Practical and Provably Secure Authentication and Key Agreement Scheme for UAV-Assisted VANETs for Emergency RescueIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.332397211:2(1454-1468)Online publication date: Mar-2024
  • (2024)Practical and Secure Password Authentication and Key-Agreement-Scheme-Based Dual Server for IoT Devices in 5G NetworkIEEE Internet of Things Journal10.1109/JIOT.2024.340771411:21(34639-34651)Online publication date: 1-Nov-2024
  • (2024)Generation of Believable Fake Logic Circuits for Cyber Deception2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS)10.1109/COMSNETS59351.2024.10426938(13-18)Online publication date: 3-Jan-2024
  • (2024)Automated Detection of Masquerade Attacks with AI and Decoy Documents2024 Cyber Awareness and Research Symposium (CARS)10.1109/CARS61786.2024.10778670(1-6)Online publication date: 28-Oct-2024
  • (2024)Generation and deployment of honeytokens in relational databases for cyber deceptionComputers & Security10.1016/j.cose.2024.104032146(104032)Online publication date: Nov-2024
  • (2024)A Comprehensive Survey on Cyber Deception Techniques to Improve Honeypot PerformanceComputers & Security10.1016/j.cose.2024.103792(103792)Online publication date: Mar-2024
  • (2024)ChatGPT, Machine Learning and AI Killed My Password. Building Next Generation Authentication SystemsHCI International 2024 – Late Breaking Posters10.1007/978-3-031-78516-0_36(332-340)Online publication date: 30-Dec-2024
  • (2024)Knocking on Admin’s Door: Protecting Critical Web Applications with DeceptionDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_15(283-306)Online publication date: 9-Jul-2024
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media