Abstract

Honeywords (decoy passwords) have been proposed to detect attacks against hashed password databases. For each user account, the original password is stored together with many honeywords in order to thwart an adversary. The honeywords are selected deliberately so that a cyber-attacker who steals a file of hashed passwords cannot be sure, for any account, whether a given entry is the real password or a honeyword. Moreover, logging in with a honeyword triggers an alarm notifying the administrator of a password file breach. At the expense of increasing the storage requirement 24 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinise the honeyword system and highlight possible weak points. We also suggest an alternative approach that selects the honeywords from existing user information, a generic password list, a dictionary attack, and by shuffling the characters. Four sets of honeywords that resemble the real password are added to the system, thereby achieving an extremely flat honeyword generation method. To measure human behaviour when trying to crack the password, a testbed engaged with by 820 people was created to determine the appropriate words for the traditional and proposed methods. The results show that under the new method it is harder to obtain any indication of the real password (high flatness) than with traditional approaches, and the probability of choosing the real password is 1/k, where k is the number of honeywords plus the real password.
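The mechanism the abstract describes, as an added illustration that is not the paper's own code or data: each account stores k hashed "sweetwords" (the real password plus honeywords drawn from the four sources named above), the position of the real one is kept separately from the hash file, a login with a honeyword raises an alarm, and an attacker who only holds the hash file picks the real password with probability 1/k. The common-password list, the dictionary, the user information, the set size and the choice to shuffle the real password's characters are all constructed assumptions for the example.

```python
import hashlib
import hmac
import random
import secrets

# Constructed stand-ins for the public password list and the dictionary
# the paper draws on (not the paper's data).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein"]
DICTIONARY_WORDS = ["summer", "dragon", "monkey", "football", "shadow"]

PBKDF2_ROUNDS = 10_000  # kept low for the example; a real deployment uses far more


def shuffle_chars(word, rng):
    """Return the characters of `word` in a random order."""
    chars = list(word)
    rng.shuffle(chars)
    return "".join(chars)


def generate_honeywords(real_password, user_info, rng, per_set=3):
    """Build the four honeyword sets the abstract names: words from the
    user's own information, a public list of common passwords, dictionary
    words, and character shuffles of the real password (assumption: the
    shuffled string is the real password). Every honeyword differs from
    the real password and from the others."""
    candidates = []
    candidates += [w for w in user_info if w != real_password][:per_set]
    candidates += rng.sample(COMMON_PASSWORDS, per_set)
    candidates += rng.sample(DICTIONARY_WORDS, per_set)
    shuffled, attempts = [], 0
    # A password made of one repeated character cannot be shuffled into
    # anything different, so cap the attempts instead of looping forever.
    while len(shuffled) < per_set and attempts < 50:
        attempts += 1
        s = shuffle_chars(real_password, rng)
        if s != real_password and s not in shuffled:
            shuffled.append(s)
    candidates += shuffled
    honeywords = []
    for w in candidates:
        if w != real_password and w not in honeywords:
            honeywords.append(w)
    return honeywords


def hash_sweetword(word, salt):
    """Salted, slow hash of one sweetword (real password or honeyword)."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ROUNDS)


def enroll(real_password, user_info, seed=None):
    """Store the real password among its honeywords in random order.
    The index of the real one is returned separately so it can live in a
    different store than the hash file; stealing the file alone then does
    not reveal which entry is real."""
    rng = random.Random(seed)
    sweetwords = generate_honeywords(real_password, user_info, rng) + [real_password]
    rng.shuffle(sweetwords)
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "hashes": [hash_sweetword(w, salt) for w in sweetwords]}
    return record, sweetwords.index(real_password)


def check_login(record, real_index, attempt):
    """'ok' for the real password, 'alarm' when a honeyword is entered
    (a sign the hash file was stolen and cracked), 'reject' otherwise."""
    digest = hash_sweetword(attempt, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(digest, stored):
            return "ok" if i == real_index else "alarm"
    return "reject"


def guess_probability(record):
    """Chance that an attacker holding only the hash file picks the real
    password at random: 1/k, with k = honeywords plus the real password."""
    return 1 / len(record["hashes"])


if __name__ == "__main__":
    rec, idx = enroll("Tiger2019", ["tiger", "2019", "alice"], seed=7)
    print(len(rec["hashes"]), "sweetwords stored, P(guess) =", guess_probability(rec))
    print(check_login(rec, idx, "Tiger2019"),
          check_login(rec, idx, "tiger"),
          check_login(rec, idx, "wrongpass"))
```

The alarm branch is the detection value of the scheme: an ordinary failed login is a "reject", whereas a match on any non-real entry can only come from someone who obtained and cracked the hash file, which is why the real index must be kept out of that file.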

Highlights

  • When any user wants to access a network for security purposes, he or she is prompted to enter credentials [1]

  • The flatness is very high because the honeywords come from real password lists: some are related to the user, some are chosen via a dictionary attack, and the final set is selected from a public list of passwords (1/15)


Summary

INTRODUCTION

When any user wants to access a network for security purposes, he or she is prompted to enter credentials [1]. It has become important to make progress in combating cracking techniques [3], since these are becoming increasingly sophisticated, and this has become a salient issue [4]. Most people choose to use a single password for multiple accounts, because one is easy to remember. The idea behind honeywords is to create a relation between the real password and decoy hashed passwords, such that for every user the latter look like real passwords. An attacker can recognise the presence of honeywords in a password file, as it is very unusual to have multiple passwords for a single user account. Even if the attacker can crack multiple passwords associated with a user, he or she does not know which are honeywords and which is the real one [8]. There are some problems regarding this, which are discussed later in this paper, and a new generation method will be proposed to overcome them.

II. RELATED WORK
III. REVIEW OF HONEYWORDS
IV. LIMITATIONS
V. PASSWORD ATTACKS
VI. PERSONAL INFORMATION IN PASSWORDS AND HUMAN
VII. LIST OF THE WORST PASSWORDS
VIII. HONEYWORDS GENERATION METHODS AND DISCUSSION
IX. ANALYSIS OF THE SECURITY OF HONEYWORDS
X. PROPOSED HONEYWORDS GENERATION ALGORITHM
XI. ANALYSIS OF THE SECURITY OF THE PROPOSED GENERATION METHOD
XII. ANALYSING THE FLATNESS IN THE NEW HONEYWORDS GENERATING METHOD
XIII. DISCUSSION
XIV. TESTBED AND RESULTS
XV. CONCLUSION
