Cryptology ePrint Archive: Report 2013/696
Examination of a New Defense Mechanism: Honeywords
Ziya Alper Genc, Suleyman Kardas, Mehmet Sabir Kiraz
Abstract: It has become much easier to crack a password hash with the advancements in graphical processing unit (GPU) technology. An adversary can recover a user's password using a brute-force attack on the password hash. Once the password has been recovered, no server can detect an illegitimate user authentication (if no extra mechanism is used). In this context, Juels and Rivest recently published a paper on improving the security of hashed passwords. Roughly speaking, they propose an approach to user authentication in which some false passwords, i.e., "honeywords", are added to the password file in order to detect impersonation. Their solution includes an auxiliary secure server called the "honeychecker", which can distinguish a user's real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. In this paper, we analyze the security of the proposal, provide some possible improvements which are easy to implement, and introduce an enhanced model as a solution to an open problem.
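The abstract describes the mechanism only in outline. The following simulation is an added illustration written for this page, not code from Juels and Rivest or from the authors above. It shows the division of roles: the login server stores hashes of every "sweetword" (the real password plus its honeywords), while a separate honeychecker stores only the index of the real one and raises an alarm when a submitted password matches a decoy. The honeyword generator (tweaking digits), the PBKDF2 parameters, the `k = 5` setting and the usernames are assumptions chosen for the demo.

```python
"""Minimal honeyword / honeychecker simulation (added illustration).

Assumption: the honeychecker is a separate trusted host that learns
only (user, index) pairs and never sees passwords or hashes.
"""
import hashlib
import hmac
import os
import random

PBKDF2_ITERS = 10_000  # assumed demo value; production uses a slower setting


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def make_honeywords(password: str, k: int, rng: random.Random) -> list[str]:
    """Return k-1 decoys resembling the password (digits re-rolled, or the
    last character if there are no digits). Simplified generator; the real
    quality of the decoys is the crux of the scheme and is not covered here."""
    positions = [i for i, c in enumerate(password) if c.isdigit()] or [len(password) - 1]
    decoys: set[str] = set()
    while len(decoys) < k - 1:
        chars = list(password)
        for i in positions:
            pool = "0123456789" if chars[i].isdigit() else "abcdefghijklmnopqrstuvwxyz"
            chars[i] = rng.choice(pool)
        tweaked = "".join(chars)
        if tweaked != password:
            decoys.add(tweaked)
    return sorted(decoys)


class HoneyChecker:
    """Trusted minimal server: knows only user -> index of the real password."""

    def __init__(self) -> None:
        self._index: dict[str, int] = {}
        self.alarms: list[str] = []

    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        ok = self._index.get(user) == idx
        if not ok:
            self.alarms.append(user)  # a decoy was used: the file was likely stolen
        return ok


class LoginServer:
    """Holds the password file: user -> (salt, hashes of all k sweetwords)."""

    def __init__(self, checker: HoneyChecker, k: int = 5, seed=None) -> None:
        self.k = k
        self.checker = checker
        self.rng = random.Random(seed)
        self.pwfile: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str) -> None:
        sweetwords = make_honeywords(password, self.k, self.rng) + [password]
        self.rng.shuffle(sweetwords)  # position of the real one must not stand out
        salt = os.urandom(16)
        self.pwfile[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))

    def login(self, user: str, password: str) -> str:
        """Return "OK", "FAIL" (no sweetword matched) or "HONEYWORD" (decoy used)."""
        if user not in self.pwfile:
            return "FAIL"
        salt, hashes = self.pwfile[user]
        h = hash_pw(password, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "OK" if self.checker.check(user, i) else "HONEYWORD"
        return "FAIL"


def demo(seed: int = 7) -> dict:
    checker = HoneyChecker()
    server = LoginServer(checker, k=5, seed=seed)
    server.register("alice", "Summer2013")  # constructed sample user
    # Someone who cracked the stolen file sees all five sweetwords but cannot
    # tell which is real. The decoy is reproduced here with the same seed
    # purely to drive the simulation.
    decoy = make_honeywords("Summer2013", 5, random.Random(seed))[0]
    return {
        "real": server.login("alice", "Summer2013"),
        "wrong": server.login("alice", "Winter2013"),
        "honeyword": server.login("alice", decoy),
        "alarms": list(checker.alarms),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a copy of the password file alone is not enough: a cracked decoy yields a "HONEYWORD" result and an alarm on the honeychecker, which is the detection the abstract refers to. What the server does on alarm (lock the account, force a reset, investigate the breach) is policy that the paper discusses and this demo leaves to the reader.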
Category / Keywords: Security, Authentication, Password, Honeywords
Date: received 25 Oct 2013, last revised 21 Nov 2013
Contact author: skardas at gmail com
Version: 20131121:172135
Short URL: ia.cr/2013/696