
Case study method


3.1 Proposed solution


Honeywords are decoy passwords that trigger an alarm when somebody tries to log in using one of them (Juels and Rivest, 2013). Juels and Rivest (2013) propose storing a number of decoy password hashes alongside the hash of each user's correct password. Without honeywords, the password file holds one login and one password hash per user. After a honeyword system is implemented, the file contains around 20 passwords per user: one correct password and several honeywords (decoy passwords).


When an adversary somehow gains access to the file with logins and passwords, she needs to crack a much larger number of passwords in order to get into the system. However, even if the adversary manages to crack all of them, there is always a chance that she will enter one of the honeywords, which will trigger an alarm.
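As an added illustration (not code from the original post or from Juels and Rivest), here is a minimal Python model of the scheme: the login server keeps 20 hashed sweetwords per user in shuffled order, a separate honeychecker holds only the index of the real password, and entering any other sweetword raises an alarm. The user names, passwords and the use of SHA-256 are constructed for the demo.

```python
import hashlib
import os
import secrets

K = 20  # sweetwords per user: one real password plus K-1 honeywords (demo value)


class Honeychecker:
    """Separate component that knows only which index is the real password."""

    def __init__(self):
        self._real_index = {}  # user -> index of the real password

    def set_index(self, user, index):
        self._real_index[user] = index

    def is_real(self, user, index):
        return self._real_index.get(user) == index


def _hash(salt, word):
    # SHA-256 stands in for a slow password hash (bcrypt/Argon2) in this demo.
    return hashlib.sha256(salt + word.encode()).hexdigest()


class LoginServer:
    """Holds the password file: per user, a salt and K hashed sweetwords."""

    def __init__(self, checker):
        self.checker = checker
        self.store = {}   # user -> (salt, [hash of each sweetword])
        self.alarms = []  # (user, index) recorded each time a honeyword is entered

    def register(self, user, password, honeywords):
        sweetwords = [password] + list(honeywords)
        if len(sweetwords) != K or len(set(sweetwords)) != K:
            raise ValueError("need %d distinct sweetwords" % K)
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        salt = os.urandom(16)
        self.store[user] = (salt, [_hash(salt, w) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user, attempt):
        salt, hashes = self.store[user]
        digest = _hash(salt, attempt)
        if digest not in hashes:
            return "fail"       # an ordinary wrong password
        index = hashes.index(digest)
        if self.checker.is_real(user, index):
            return "ok"
        # A honeyword was entered: the password file has very likely been cracked.
        self.alarms.append((user, index))
        return "alarm"
```

An attacker who cracks the whole file still has to guess which of the 20 entries is real, so nothing in the file alone tells the sweetwords apart.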


Without honeywords, a breach of the password file would typically remain undetected, and the maintenance team would have no opportunity to take measures to secure the data.


Honeywords are proposed as an additional layer of defence that makes it possible to detect the intrusion and puts additional strain on the attacker, since it decreases her chance of remaining undetected.


However, one of the main problems is generating honeywords that are hard to differentiate from real passwords. Juels and Rivest (2013) propose several methods, such as word tweaking, take-a-tail and using real passwords. Word tweaking means changing some characters of the password while keeping its structure.

[Figure: word tweaking example (Author's work)]



Take-a-tail means taking the user's chosen password and forcing the user to add a system-chosen tail to it. The honeywords share the same beginning but have different tails.
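An added Python example (not the post's or the paper's code) of the two generation methods just described: `tweak_honeywords` implements word tweaking by replacing the last `t` characters with random characters of the same class, and `take_a_tail` appends a system-chosen digit tail to the user's base password and gives each honeyword a different tail. The sample passwords and parameter values are constructed for the demo.

```python
import secrets
import string

_rng = secrets.SystemRandom()


def _same_class(ch):
    """Random character of the same class as ch (digit, letter or symbol)."""
    if ch.isdigit():
        pool = string.digits
    elif ch.isalpha():
        pool = string.ascii_lowercase if ch.islower() else string.ascii_uppercase
    else:
        pool = string.punctuation
    return _rng.choice(pool)


def tweak_honeywords(password, k, t=3):
    """Word tweaking: k-1 distinct honeywords that keep the password's structure
    and differ from it only in the last t character positions."""
    honeywords = set()
    attempts = 0
    while len(honeywords) < k - 1:
        attempts += 1
        if attempts > 100 * k:  # too few same-class combinations for this password
            raise ValueError("cannot generate enough distinct tweaks")
        tail = "".join(_same_class(c) for c in password[-t:])
        candidate = password[:-t] + tail
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)


def take_a_tail(base, k, tail_len=3):
    """Take-a-tail: the system appends a random digit tail to the user's chosen
    base password (the user must remember base + tail). Honeywords reuse the
    base with different tails. Returns (real_password, honeywords)."""
    tails = set()
    while len(tails) < k:
        tails.add("".join(_rng.choice(string.digits) for _ in range(tail_len)))
    tails = list(tails)
    return base + tails[0], [base + tail for tail in tails[1:]]
```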

[Figure: take-a-tail example (Author's work)]


Using real passwords as honeywords is another proposed solution, based on the assumption that it is hard to tell one real password from another. Erguler (2016) proposes that using old passwords already stored in the system is a possible solution which can provide the necessary level of security and make the honeywords hard to distinguish from the actual password. However, using old passwords can be considered dangerous, since there may be accounts on other services where the user still uses those old passwords.


Another important aspect of using honeywords is the alarm itself. It is necessary to determine the action the system takes when a honeyword is entered. Juels and Rivest (2013) propose several policies, such as letting the adversary log in, tracing the source, shutting down the particular account, or shutting down the whole system and requiring all users to change their passwords. However, if a company implements a shutdown policy, it gains a new vulnerability along with the increase in security: “Overly sensitive system can turn such honeywords into DDoS vulnerability” (Juels and Rivest, 2013). Therefore, one of the most efficient responses to the alarm for companies is to start tracking the user account and shut it down when suspicious activity is detected.


3.2 Critics and testing


The honeyword system presents itself as a new layer of defence against password cracking and demonstrates some interesting ideas, such as separating the computer that stores the passwords from the computer that processes and checks them.


However, Wang et al. (2017) carried out a number of experiments and found that the honeyword generation techniques proposed by Juels and Rivest are ineffective and do not produce passwords that are hard to distinguish from real ones. Their results show that an advanced trawling-guessing attacker was able to distinguish the real password from the honeywords in 34.41 – 49.02% of cases. Moreover, if the attacker possesses personal information about the victim, this lets him identify the real password with a probability of 56.81 – 67.98%.


Such statistics show that current honeyword generation techniques are incapable of automatically generating hard-to-differentiate honeywords. If such a system is implemented today, it will make its users vulnerable to DDoS attacks, since an attacker may trigger the alarm intentionally in order to put a strain on a particular service. Moreover, additional research is needed to estimate whether the extra storage space required by such a technology is justified by the increase in security level.


Moreover, Genç (2017) examines the possibility of an attack on the computer that stores and processes the honeywords. This possibility opens a new attack vector and introduces the need to secure the computer that processes honeywords better, adding further layers of security.



References:

Erguler, I. (2016) ‘Achieving Flatness: Selecting the Honeywords from Existing User Passwords’, IEEE Transactions on Dependable and Secure Computing, 13(2), pp. 284–295.

Wang, D. et al. (2017) ‘A Security Analysis of Honeywords’, in NDSS 2018, San Diego, USA. Available from: https://www.researchgate.net/publication/320626726_A_Security_Analysis_of_Honeywords.

Juels, A. and Rivest, R.L. (2013) ‘Honeywords: making password-cracking detectable’, in CCS, Berlin, Germany: ACM, pp. 145–160. Available from: https://dl.acm.org/doi/abs/10.1145/2508859.2516671.

Genç, Z. A. (2017) ‘Examination of a New Defense Mechanism: Honeywords’, in IFIP International Conference on Information Security Theory and Practice, Springer, pp. 130–139.


Comments

  1. Try to expand and explore others that have either considered this as a form of password protection/creation, and those (like Wang) who have discussed and argued against your chosen case study topic Juels & Rivest. This would be cross referencing and give you greater depth.
