Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults—the only one of which we are aware—actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack.
Category / Keywords: applications / Honey Encryption, Password, Password vault, Password managers, PCFG, encoding
Original Publication (with major differences): 36th IEEE Symposium on Security and Privacy (Oakland 2015)
Date: received 6 Aug 2015
Contact author: rc737 at cornell edu
Version: 20150807:141620
Short URL: ia.cr/2015/788