Abstract
Systems that use honeywords store a set of decoy passwords alongside users' real passwords to confuse adversaries, so they depend strongly on the algorithm that generates the honeywords. However, all existing honeyword generation algorithms operate on users' raw passwords, and they either need a lot of storage space or show weaknesses in flatness or usability. This paper proposes HoneyHash, a new direction for honeyword generation: generating honeywords by transforming password hashes. Analyses show that our algorithm attains the expected levels of flatness, security, performance and usability.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Shi, C., Sun, H. (2021). HoneyHash: Honeyword Generation Based on Transformed Hashes. In: Asplund, M., Nadjm-Tehrani, S. (eds) Secure IT Systems. NordSec 2020. Lecture Notes in Computer Science, vol 12556. Springer, Cham. https://doi.org/10.1007/978-3-030-70852-8_10
DOI: https://doi.org/10.1007/978-3-030-70852-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-70851-1
Online ISBN: 978-3-030-70852-8
eBook Packages: Computer Science (R0)