Examination of a New Defense Mechanism: Honeywords

GENÇ, Ziya Alper; Kardaş, Süleyman; Kiraz

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Examination of a New Defense Mechanism: Honeywords

GENÇ, Ziya Alper; Kardaş, Süleyman; Kiraz

2017 • In Proceedings of the 11th WISTP International Conference on Information Security Theory and Practice

Peer reviewed

Permalink
https://hdl.handle.net/10993/33248

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

honeywords_wistp.pdf

Author postprint (435.71 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

passwords; cracking; honeywords; code modification

Abstract :

[en] Past experiences show us that password breach is still one of the main methods of attackers to obtain personal or sensitive user data. Basically, assuming they have access to list of hashed passwords, they apply guessing attacks, i.e., attempt to guess a password by trying a large number of possibilities. We certainly need to change our way of thinking and use a novel and creative approach in order to protect our passwords. In fact, there are already novel attempts to provide password protection. The Honeywords system of Juels and Rivest is one of them which provides a detection mechanism for password breaches. Roughly speaking, they propose a method for password-based authentication systems where fake passwords, i.e., "honeywords" are added into a password file, in order to detect impersonation. Their solution includes an auxiliary secure server called "honeychecker" which can distinguish a user's real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. However, they also pointed out that their system needs to be improved in various ways by highlighting some open problems. In this paper, after revisiting the security of their proposal, we specifically focus on and aim to solve a highlighted open problem, i.e., active attacks where the adversary modifies the code running on either the login server or the honeychecker.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)

Disciplines :

Computer science

Author, co-author :

GENÇ, Ziya Alper ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Kardaş, Süleyman

Kiraz

External co-authors :

yes

Language :

English

Title :

Examination of a New Defense Mechanism: Honeywords

Publication date :

2017

Event name :

11th WISTP International Conference on Information Security Theory and Practice

Event date :

28-29 September 2017

Audience :

International

Main work title :

Proceedings of the 11th WISTP International Conference on Information Security Theory and Practice

Publisher :

Springer

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Available on ORBilu :

since 27 November 2017

Statistics

Number of views

185 (6 by Unilu)

Number of downloads

554 (6 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Burgess, M.: How to Check if Your Linkedin Account was Hacked, May 2016. http://www.wired.co.uk/article/linkedin-data-breach-find-out-included
Conklin, A., Dietrich, G., Walz, D.: Password-based authentication: a system perspective. In: Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS 2004)-Track 7, HICSS 2004-vol. 7, pp. 701–702. IEEE Computer Society, Washington, DC (2004)
Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on the World Wide Web. Association for Computing Machinery Inc. (2007)
Furnell, S., Dowland, P., Illingworth, H., Reynolds, P.: Authentication and supervision: a survey of user attitudes. Comput. Secur. 19, 529–539 (2000)
Gallagher, S.: Yahoo Admits It’s been Hacked Again, and 1 Billion Accounts were Exposed, December 2016. https://arstechnica.com/security/2016/12/yahoo-reveals-1-billion-more-accounts-exposed-and-some-code-may-have-been-stolen/
Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 2013, vol. 38, pp. 145–160. ACM (2013)
Keane, J.: Security Researcher Dumps 427 Million Hacked Myspace Passwords Online, July 2016. https://www.digitaltrends.com/social-media/myspace-hack-password-dump/
Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: IEEE Symposium on Security and Privacy, pp. 523–537 (2012)
Sagitta: Brutalis-GPU Compute Nodes. https://sagitta.pw/hardware/gpu-compute-nodes/brutalis/
Wang, D., Wang, P.: Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans. Depend. Secur. Comput. (2017). https://ieeexplore.ieee.org/document/7558124/
Wang, D., Gu, Q., Cheng, H., Wang, P.: The request for better measurement: a comparative evaluation of two-factor authentication schemes. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2016, pp. 475–486. ACM, New York (2016)
Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, pp. 391–405. IEEE Computer Society, Washington, DC (2009)