
Take-a-tail honeyword generation demonstration: a Python program

Take-a-tail is a honeyword generation technique in which a tail is appended to the password. A number of passwords with the same body but different tails are created (Juels and Rivest, 2013).

(Figure: author's work)


I have decided to research this technique further and to write a Python program that demonstrates how it works and how honeywords are supposed to work in general. The file take_a_tail.py is available to everyone on my Google Drive: link

I have also written a .bat file which starts the program and prints basic information about it:


The user can enter 4 commands:
register - registers a new user in the system
login - tries to log in to the system
attack - prints the list of users with their passwords (simulates a stolen password file)
stop - stops the program


First of all we need to register a new user:


After entering a new username and a password, the user is asked to add 3 numbers after the password. These 3 numbers are the tail. After registration, the username and password are kept in memory together with 5 additional honeywords (decoy passwords).

If we try to create a user with the same username, the program will not let us do it:


Let's create another user with the username david and the password david654:


Now we have two usernames stored, each with 6 different passwords, 5 of which are decoy passwords (honeywords).

To log in, the user enters their credentials:


However, let's imagine that an adversary got into the host PC and stole the file with usernames and passwords. This can be simulated by entering the attack command:


The passwords of all users were cracked, and the adversary now has a list of usernames, each with 6 possible passwords.

If the user tries to log in with an incorrect password that is not one of the honeywords, they do not get access and are offered another attempt:


However, if the adversary tries to log in and enters one of the cracked decoy passwords, an alarm is triggered:
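The register/login/attack flow described above, as an added example that is not the post's take_a_tail.py. It follows the Juels and Rivest design more closely than the screenshots suggest: sweetwords are stored salted and hashed in the "password file" (the part an adversary could steal), while the index of the real password lives in a separate honeychecker table, so the stolen file alone does not reveal which of the 6 entries is genuine. The class and function names, the use of PBKDF2, and the hypothetical user alice/pw222 in the usage note are my assumptions; david/david654 comes from the post.

```python
"""Take-a-tail honeywords: register, login and honeyword alarm (added example)."""
import hashlib
import hmac
import os
import random

TAIL_LEN = 3          # the user appends 3 digits to the password body
HONEYWORD_COUNT = 5   # 5 decoys + 1 real password = 6 sweetwords per user


def take_a_tail(body, tail, count=HONEYWORD_COUNT, rng=random):
    """Generate sweetwords: the real password plus `count` decoys that share
    the body but carry a different random numeric tail. Returns the shuffled
    list and the index of the real password inside it."""
    if len(tail) != TAIL_LEN or not tail.isdigit():
        raise ValueError("tail must be exactly %d digits" % TAIL_LEN)
    if not body:
        raise ValueError("password body must not be empty")
    real = body + tail
    decoys = set()
    while len(decoys) < count:
        fake_tail = "".join(rng.choice("0123456789") for _ in range(TAIL_LEN))
        if fake_tail != tail:          # a decoy must never equal the real password
            decoys.add(body + fake_tail)
    sweetwords = sorted(decoys) + [real]
    rng.shuffle(sweetwords)            # position of the real password is random
    return sweetwords, sweetwords.index(real)


def _hash(sweetword, salt):
    """Salted PBKDF2-HMAC-SHA256; every sweetword of a user shares one salt."""
    return hashlib.pbkdf2_hmac("sha256", sweetword.encode(), salt, 50_000)


class HoneywordSystem:
    def __init__(self, rng=random):
        self.rng = rng
        # username -> (salt, [hash of each sweetword]); this is what a thief copies
        self.password_file = {}
        # username -> index of the real password; kept on a separate host in the
        # original scheme, so stealing password_file does not reveal it
        self.honeychecker = {}
        self.alarms = []  # usernames for which a honeyword was submitted

    def store(self, username, sweetwords, real_index):
        """Persist a sweetword list; only the honeychecker learns the real index."""
        if username in self.password_file:
            return False  # duplicate username is rejected, as in the post
        salt = os.urandom(16)
        self.password_file[username] = (salt, [_hash(s, salt) for s in sweetwords])
        self.honeychecker[username] = real_index
        return True

    def register(self, username, password_body, tail):
        sweetwords, idx = take_a_tail(password_body, tail, rng=self.rng)
        return self.store(username, sweetwords, idx)

    def login(self, username, submitted):
        """'OK' for the real password, 'ALARM' for a honeyword, 'WRONG' otherwise."""
        if username not in self.password_file:
            return "WRONG"
        salt, hashes = self.password_file[username]
        candidate = _hash(submitted, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                if i == self.honeychecker[username]:
                    return "OK"
                # a decoy matched: only someone holding the stolen file knows it
                self.alarms.append(username)
                return "ALARM"
        return "WRONG"


if __name__ == "__main__":
    system = HoneywordSystem()
    system.register("david", "david", "654")
    print(system.login("david", "david654"))   # OK
    print(system.login("david", "wrongpass"))  # WRONG
    print("stolen file has", len(system.password_file["david"][1]), "hashes")
```

The `attack` command of the post corresponds to reading `system.password_file`: the adversary gets 6 hashes per user and, after cracking them, 6 candidate passwords with the same body and different tails. Whichever decoy they try, `login` returns `ALARM` and the username is appended to `alarms`, which is the hook a real deployment would wire to its incident response. The `store` method exists so that a caller (or a test) can install a known sweetword list directly.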



Conclusion:

The program presented demonstrates how honeywords work and one of the possible honeyword generation techniques, the take-a-tail technique. Moreover, it demonstrates one of the main problems of honeywords: the possibility of DDoS attacks, since if an adversary gets access to the file with passwords, she can submit the decoys deliberately in order to trigger the security protocols and put a strain on the targeted system. Nevertheless, this post gives a solid understanding of the idea of honeywords.


Reference:

Juels, A. and Rivest, R.L. (2013) 'Honeywords: making password-cracking detectable', in Proceedings of CCS '13, Berlin, Germany: ACM, pp. 145–160. Available from: https://dl.acm.org/doi/10.1145/2508859.2516671

Comments

  1. Good post, nice process shown and discussion. I like that you are going beyond what is asked for and exploring areas of interest to you that relate to your project theme - as a final post consider reflecting on what you have explored and learned through this research project.
