research-article

Honeywords: making password-cracking detectable

Authors:

Ronald L. RivestAuthors Info & Claims

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Pages 145 - 160

https://doi.org/10.1145/2508859.2516671

Published: 04 November 2013 Publication History

Abstract

We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

References

[1]

A. Evans, Jr., W. Kantrowitz, and E. Weiss. A user authentication scheme not requiring secrecy in the computer. Commun. ACM, 17(8):437--442, August 1974.

Digital Library

[2]

R. J. Anderson and T.M.A. Lomas. On fortifying key negotiation schemes with poorly chosen passwords. Electronics Letters, 30(13):1040--1041, 1994.

[3]

M. Bakker and R. van der Jagt. GPU-based password cracking. Technical report, Univ. of Amsterdam, 2010.

[4]

T. A. Berson, L. Gong, and T.M.A. Lomas. Secure, keyed, and collisionful hash functions. Technical Report SRI-CSL-94-08, SRI International Laboratory, 1993 (revised 2 Sept. 1994).

[5]

L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda. All your contacts are belong to us: automated identity theft attacks on social networks. In WWW, pages 551--560, 2009.

Digital Library

[6]

H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: loss-resistant password management. In ESORICS, pages 286--302, 2010.

Digital Library

[7]

J. Bonneau. Guessing human-chosen secrets. PhD thesis, University of Cambridge, May 2012.

[8]

J. Bonneau. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In IEEE Symposium on Security and Privacy, pages 538--552, 2012.

Digital Library

[9]

J. Bonneau and S. Preibusch. The password thicket: technical and market failures in human authentication on the web. In Workshop on the Economics of Information Security (WEIS), 2010.

[10]

B. M. Bowen, S. Hershkop, A. D. Keromytis, and S. J. Stolfo. Baiting inside attackers using decoy documents. In SecureComm, pages 51--70, 2009.

[11]

J. Brainard, A. Juels, B. Kaliski, and M. Szydlo. A new two-server approach for authentication with short secrets. In USENIX Security, pages 201--214, 2003.

Digital Library

[12]

J. Camenisch, A. Lysyanskaya, and G. Neven. Practical yet universally composable two-server password-authenticated secret sharing. In ACM CCS, pages 525--536, 2012.

Digital Library

[13]

William Cheswick. Rethinking passwords. Comm. ACM, 56(2):40--44, Feb. 2013.

Digital Library

[14]

F. Cohen. The use of deception techniques: Honeypots and decoys. In H. Bidgoli, editor, Handbook of Information Security, volume 3, pages 646--655. Wiley and Sons, 2006.

[15]

EMC Corp. RSA Distributed Credential Protection. http://www.emc.com/security/rsa-distributed-credential-protection.htm, 2013.

[16]

A. Czeskis, M. Dietz, T. Kohno, D. Wallach, and D. Balfanz. Strengthening user authentication through opportunistic cryptographic identity assertions. In ACM CCS, pages 404--414, 2012.

Digital Library

[17]

Defense Information Systems Agency (DISA) for the Department of Defense (DoD). Application security and development: Security technical implementation guide (STIG), version 3 release 4, 28 October 2011.

[18]

A. Forget, S. Chiasson, P. C. van Oorschot, and R. Biddle. Improving text passwords through persuasion. In SOUPS, pages 1--12, 2008.

Digital Library

[19]

C. Gaylord. LinkedIn, Last.fm, now Yahoo? don't ignore news of a password breach. Christian Science Monitor, 13 July 2012.

[20]

D. Gross. 50 million compromised in Evernote hack. CNN, 4 March 2013.

[21]

C. Herley and P. Van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy, 10(1):28--36, 2012.

Digital Library

[22]

S. Houshmand and S. Aggarwal. Building better passwords using probabilistic techniques. In ACSAC, pages 109--118, 2012.

Digital Library

[23]

P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, and J. Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In IEEE Symposium on Security and Privacy (SP), pages 523--537, 2012.

Digital Library

[24]

O. Kharif. Innovator: Ramesh Kesanupalli's biometric passwords stored on devices. Bloomberg Businessweek, 28 March 2013.

[25]

Microsoft TechNet Library. Password must meet complexity requirements. Referenced March 2012 at http://bit.ly/YAsGiZ.

[26]

R. Morris and K. Thompson. Password security: a case history. Commun. ACM, 22(11):594--597, November 1979.

Digital Library

[27]

A. Narayanan and V. Shmatikov. De-anonymizing social networks. In IEEE Symposium on Security and Privacy (SP), pages 173--187, 2009.

Digital Library

[28]

U.S. House of Representatives. H.R. 624: The Cyber Intelligence Sharing and Protection Act of 2013. 113th Cong., 2013.

[29]

B.-A. Parnell. LinkedIn admits site hack, adds pinch of salt to passwords. The Register, 7 June 2012.

[30]

I. Paul. Update: LinkedIn confirms account passwords hacked. PC World, 6 June 2012.

[31]

D. Perito, C. Castelluccia, M. A. Kaafar, and P. Manils. How unique and traceable are usernames? In Privacy Enhancing Technologies, pages 1--17, 2011.

Digital Library

[32]

N. Perlroth. Hackers in China attacked The Times for last 4 months. New York Times, page A1, 31 January 2013.

[33]

G. B. Purdy. A high security log-in procedure. Commun. ACM, 17(8):442--445, August 1974.

Digital Library

[34]

Shrisha Rao. Data and system security with failwords. U.S. Patent Application US2006/0161786A1, U.S. Patent Office, July 20, 2006. http://www.google.com/patents/US20060161786.

[35]

B. Ross, C. Jackson, N. Miyake, D. Boneh, and J.C. Mitchell. Stronger password authentication using browser extensions. In USENIX Security, 2005.

Digital Library

[36]

S. Schechter, A. J. B. Brush, and S. Egelman. It's no secret. measuring the security and reliability of authentication "secret" questions. In IEEE Symposium on Security and Privacy (SP), pages 375--390, 2009.

Digital Library

[37]

S. Schechter, C. Herley, and M. Mitzenmacher. Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In USENIX HotSec, pages 1--8, 2010.

Digital Library

[38]

E. Spafford. Observations on reusable password choices. In USENIX Security, 1992.

[39]

L. Spitzner. Honeytokens: The other honeypot. Symantec SecurityFocus, July 2003.

[40]

T. Wadhwa. Why your next phone will include fingerprint, facial, and voice recognition. Forbes, 29 March 2013.

[41]

M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek. Password cracking using probabilistic context-free grammars. In IEEE Symposium on Security and Privacy (SP), pages 162--175, 2009.

Digital Library

[42]

J. Yuill, M. Zappe, D. Denning, and F. Feer. Honeyfiles: deceptive files for intrusion detection. In Information Assurance Workshop, pages 116--122, 2004.

[43]

Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In ACM CCS, pages 176--186, 2010.

Digital Library

Cited By

Reti DBecker NAngeli TChattopadhyay ASchneider DVollmer SSchotten HGong NLi Q(2024)Act as a Honeytoken Generator! An Investigation into Honeytoken Generation with Large Language ModelsProceedings of the 11th ACM Workshop on Adaptive and Autonomous Cyber Defense10.1145/3689935.3690394(1-12)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3689935.3690394
Kahlhofer MAchleitner SRass SMayrhofer R(2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678897
Cui JLiu XZhong HZhang JWei LBolodurina IHe D(2024)A Practical and Provably Secure Authentication and Key Agreement Scheme for UAV-Assisted VANETs for Emergency RescueIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.332397211:2(1454-1468)Online publication date: Mar-2024
https://doi.org/10.1109/TNSE.2023.3323972
Show More Cited By

Index Terms

Honeywords: making password-cracking detectable
1. Security and privacy
  1. Security services
    1. Authentication
  2. Systems security
    1. Operating systems security

Recommendations

ErsatzPasswords: Ending Password Cracking and Detecting Password Leakage
ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically ...
SIGCHI Outstanding Dissertation Award -- Supporting Password Decisions with Data
CHI EA '18: Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems

Abstract Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers [1, 9] or make other decisions (e.g., ...
System-Assigned Passwords: The Disadvantages of the Strict Password Management Policies

After Morris and Thompson wrote the first paper on password security in 1979, strict password policies have been enforced to make sure users follow the rules on passwords. Many such policies require users to select and use a system-generated password. The ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

1530 pages

ISBN:9781450324779

DOI:10.1145/2508859

General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4 - 8, 2013

Berlin, Germany

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

179
Total Citations
View Citations
3,216
Total Downloads

Downloads (Last 12 months)215
Downloads (Last 6 weeks)15

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Reti DBecker NAngeli TChattopadhyay ASchneider DVollmer SSchotten HGong NLi Q(2024)Act as a Honeytoken Generator! An Investigation into Honeytoken Generation with Large Language ModelsProceedings of the 11th ACM Workshop on Adaptive and Autonomous Cyber Defense10.1145/3689935.3690394(1-12)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3689935.3690394
Kahlhofer MAchleitner SRass SMayrhofer R(2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678897
Cui JLiu XZhong HZhang JWei LBolodurina IHe D(2024)A Practical and Provably Secure Authentication and Key Agreement Scheme for UAV-Assisted VANETs for Emergency RescueIEEE Transactions on Network Science and Engineering10.1109/TNSE.2023.332397211:2(1454-1468)Online publication date: Mar-2024
https://doi.org/10.1109/TNSE.2023.3323972
Zhang SLiu YGao TXie YZhou C(2024)Practical and Secure Password Authentication and Key-Agreement-Scheme-Based Dual Server for IoT Devices in 5G NetworkIEEE Internet of Things Journal10.1109/JIOT.2024.340771411:21(34639-34651)Online publication date: 1-Nov-2024
https://doi.org/10.1109/JIOT.2024.3407714
Prabhaker NBopche GMishra AArock M(2024)Generation of Believable Fake Logic Circuits for Cyber Deception2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS)10.1109/COMSNETS59351.2024.10426938(13-18)Online publication date: 3-Jan-2024
https://doi.org/10.1109/COMSNETS59351.2024.10426938
Berdychowski MSalinas Monroy S(2024)Automated Detection of Masquerade Attacks with AI and Decoy Documents2024 Cyber Awareness and Research Symposium (CARS)10.1109/CARS61786.2024.10778670(1-6)Online publication date: 28-Oct-2024
https://doi.org/10.1109/CARS61786.2024.10778670
Prabhaker NBopche GArock M(2024)Generation and deployment of honeytokens in relational databases for cyber deceptionComputers & Security10.1016/j.cose.2024.104032146(104032)Online publication date: Nov-2024
https://doi.org/10.1016/j.cose.2024.104032
Javadpour AJa'fari FTaleb TShojafar MBenzaïd C(2024)A Comprehensive Survey on Cyber Deception Techniques to Improve Honeypot PerformanceComputers & Security10.1016/j.cose.2024.103792(103792)Online publication date: Mar-2024
https://doi.org/10.1016/j.cose.2024.103792
Tsouvalas BNikiforakis N(2024)Knocking on Admin’s Door: Protecting Critical Web Applications with DeceptionDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_15(283-306)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_15
Rao TSu YXu PZheng YWang WJin H(2024)You Reset I Attack! A Master Password Guessing Attack Against Honey Password VaultsComputer Security – ESORICS 202310.1007/978-3-031-51479-1_8(141-161)Online publication date: 12-Jan-2024
https://doi.org/10.1007/978-3-031-51479-1_8
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents