You are looking at a specific version 20131028:200844 of this paper.

Paper 2013/696

Examination of a New Defense Mechanism: Honeywords

Ziya Genc, Süleyman Kardas, and Mehmet Sabir Kiraz

Abstract

It has become much easier to crack a password hash with the advancements in graphical processing unit (GPU) technology. An adversary can recover a user’s password using a brute-force attack on the password hash. Once the password has been recovered, no server can detect any illegitimate user authentication (if no extra mechanism is used). In this context, Juels and Rivest recently published a paper on improving the security of hashed passwords. Roughly speaking, they propose an approach for user authentication in which some false passwords, i.e., “honeywords”, are added into a password file in order to detect impersonation. Their solution includes an auxiliary secure server called the “honeychecker”, which can distinguish a user’s real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. In this paper, we analyze the security of the proposal and provide some possible improvements which are easy to implement.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
Security, Authentication, Password, Honeywords
Contact author(s)
skardas @ gmail com
History
2013-11-21: revised
2013-10-28: received
Short URL
https://ia.cr/2013/696
License
Creative Commons Attribution
CC BY