Paper 2013/696

Examination of a New Defense Mechanism: Honeywords

Ziya Alper Genc, Suleyman Kardas, and Mehmet Sabir Kiraz

Abstract

It has become much easier to crack a password hash with the advancements in the graphicalprocessing unit (GPU) technology. An adversary can recover a user’s password using brute-force attack on password hash. Once the password has been recovered no server can detect any illegitimate user authentication (if there is no extra mechanism used). In this context, recently, Juels and Rivest published a paper for improving the security of hashed passwords. Roughly speaking, they propose an approach for user authentication, in which some false passwords, i.e., “honeywords” are added into a password file, in order to detect impersonation. Their solution includes an auxiliary secure server called “honeychecker” which can distinguish a user’s real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. In this paper, we analyze the security of the proposal, provide some possible improvements which are easy to implement and introduce an enhanced model as a solution to an open problem.

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
SecurityAuthenticationPasswordHoneywords
Contact author(s)
skardas @ gmail com
History
2013-11-21: revised
2013-10-28: received
See all versions
Short URL
https://ia.cr/2013/696
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/696,
      author = {Ziya Alper Genc and Suleyman Kardas and Mehmet Sabir Kiraz},
      title = {Examination of a New Defense Mechanism: Honeywords},
      howpublished = {Cryptology ePrint Archive, Paper 2013/696},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/696}},
      url = {https://eprint.iacr.org/2013/696}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.