SlideShare a Scribd company logo

Mtech Seminar Report on Achieving Flatness by Selecting Honeywords from Existing Passwords

S
Sreya Sridhar PP

The document is a seminar report that discusses approaches for generating fake passwords or "honeywords" to detect when a password database has been breached. It summarizes four existing honeyword generation methods: chaffing-by-tweaking, chaffing-with-a-password-model, chaffing with "tough nuts", and a hybrid method. It then proposes a new approach that selects honeywords from existing user passwords in the system in order to reduce storage costs and improve the realism of the honeywords.

Data & Analytics
1 of 30
Download to read offline
Mtech Semiar Report on ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASSWORDS Submitted in partial fulfillment for the Award of the Degree of Masters of Technology in Computer Science & Engineering Submitted by SREYA SRIDHAR P P (Candidate Code:11) Under the guidance of Mrs.Ruksana M Yoonus Assistant Professor Department of Computer Science & Engineering Department of Computer Science and Engineering COLLEGE OF ENGINEERING & MANAGEMENT PUNNAPRA KERALA November 2017
CERTIFICATE This is to certify that the thesis entitled “ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASSWORDS ” is a bonafide record of the project work done by Sreya Sridhar P P (Candidate Code:11)under my supervision and guidance, in partial fulfillment for the award of Degree of Master of Computer Science and Engineering from the Technical University of Kerala for the year 2017. Mrs Ruksana M Yoonus (Seminar co-ordinator) Assistant Professor Dept.of Computer Science & Engineering Dr.SureshKumar N Assosciate Professor &Head of Department Dept.of Computer Science & Engineering Place:Punnapra Date:09/11/2017 i
Acknowledgement It is a matter of great pleasure for me to submit this seminar report on “ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASS- WORDS” as a part of curriculum for the award of Degree of Masters of Technology in Computer Science & Engineering. First and foremost, I wish to place on record my ardent gratitude to my seminar co- ordinator Mrs.Ruksana Myoonus, Assistant Professor, Department of Computer Science & Engineering. Her tutelage and guidance was the leading factor in translating my efforts to fruition. Her prudent and perspective vision has shown light on my trial to triumph. I am extremely happy to mention a great word to DR.SureshKumar N, Head of Depart- ment of CSE for providing me with all facilities for the completion of this work. Finally yet importantly, I would like to express my gratitude to Prof, the principal of my institution for providing me with all the facilities for completion of this work. I would also extend my gratefulness to all the staff members in the Department. I am also thankful to all my friends and well wishers who greatly helped me in my endeavour. SREYA SRIDHAR.P.P 11 i
Abstract Disclosure of password files is a severe security problem that has affected millions of users and companies like Yahoo, RockYou, LinkedIn, eHarmony and Adobe. Leaked passwords make the users target of many possible cyber- attacks. Here a simple but clever idea behind the study is the insertion of false passwords called as honeywords associated with each user’s account. If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Hence, when an adversary tries to enter into the system with a honeyword, an alarm is triggered to notify the administrator about a password leakage. At the expense of increasing the storage requirement by 20 times, here introduce a simple and effective solution to the detection of password file disclosure events. In this study, introduce the honeyword system and present some remarks to highlight possible weak points. Also, it suggest an alternative approach that selects the honeywords from ex- isting user passwords in the system in order to provide flat honeyword generation method. It also reduce storage cost of the honeyword scheme II. ii
Contents 1 Introduction 1 2 Problem Identification 3 3 Literature Survey 4 3.1 Chaffing-by-Tweaking 5 3.1.1 Chaffing-by-tweaking-digits 5 3.2 Chaffing-with-a-Password-Model 7 3.2.1 Modeling syntax 7 3.2.2 simplex model 8 3.3 Chaffing with Tough Nuts 8 3.4 Chaffing with Hybrid Method 9 4 Achieving Flatness: Selecting the Honeywords from Existing User Passwords 11 4.1 Initialization 11 4.2 Registration 12 4.3 Honeychecker 13 4.4 Login process 14 5 Security Analysis 15 5.1 DoS Attack 15 5.2 Password Guessing 16 5.3 Brute-Force Attack 17 5.4 Same User in Multiple Systems 17 6 Comparison of Password Generation Models 19 6.1 Storage Cost 20 iii
6.2 DoS Resistance 20 6.3 Flatness 21 6.4 Usability 21 7 Conclusion 22 References 23 iv
List of Figures 1 Password File F1 for the proposed model. 12 2 Password File F2 for the proposed model. 12 v
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 1 1 Introduction Nowadays the Password file disclosure is one of the major security problem that has affected many of users and companies. Passwords are a notoriously weak authentication mechanism. Users frequently choose poor passwords. An adversary who has stolen a file of hashed passwords can often use brute-force search to find a password p whose hash value H(p) equals the hash value stored for a given user’s password, thus allowing the adversary to impersonate the user. These recent events have demonstrated that the weak password storage methods are currently in place on many web sites. For example, the LinkedIn passwords were using the SHA-1 algorithm with out a salt and similarly the passwords in the eHarmony system were also stored using unsalted MD5 hashes [3]. Indeed, once a password file is stolen, by using the password cracking techniques like the algorithm of Weir et al [3]. It is easy to capture most of the plaintext passwords. The security of many computer systems hinges on the secrecy of a single word if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the ‘weakest link’ in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. There are two issues that should be considered to overcome these security problems: First, passwords must be protected by taking appropriate precautions and storing with their hash values computed through salting or some other complex mechanisms. Hence, for an adversary it must be hard to invert hashes to acquire plaintext passwords. The second point is that a secure system should detect whether a password file disclosure incident happened or not to take appropriate actions. In this study, focus on the latter issue and deal with Department of Computer Science And Engineering 1
Achieving Flatness: Selecting the Honeywords from Existing User Passwords fake passwords or accounts as a simple and cost effective solution to detect compromise of passwords. Honeypot is one of the methods to identify occurrence of a password database breach. In this approach, the administrator purposely creates deceit user accounts to lure adversaries and detects a password disclosure, if any one of the honeypot passwords get used [6], [7]. This idea has been modified by Herley and Florencio [6] to protect online banking accounts from password brute-force attacks. According to the study, for each user incorrect login attempts with some passwords lead to honeypot accounts, i.e., malicious behavior is recognized. For instance, there are 108 possibilities for a eight-digit password and let system links 10,000 wrong password to honeypot accounts, so the adversary per- forming the brute- force attack 10,000 times more likely to hit a honeypot account than the genuine account. In this study, analyze the honeyword approach and give some remarks about the se- curity of the system. Furthermore, here point out that the key item for this method is the generation algorithm of the honeywords such that they shall be indistinguishable from the correct passwords. Therefore, here propose a new approach that uses passwords of other users in the system for honeyword sets, i.e., realistic honeywords are provided. Moreover, this technique also reduces the storage cost compared with the honeyword method in [2]. Department of Computer Science And Engineering 2
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 2 2 Problem Identification The honeyword mechanism works simply as follows: For each user ui, the sweetword list Wi, is generated and is stored in the database. Here the storage requirement is very large because each user account is associated with multiple password hashes. And the effectiveness of the honeyword system directly depends on how Gen() flatness is provided and how it is close to human behaviour in choosing passwords. And also this honeyword method is affected by various security issues. In this study, analyse the honeyword ap- proach and give some remarks about the security of the system. Therefore, here propose a new approach that uses passwords of other users in the system for honeyword sets, i.e., realistic honeywords are provided. Moreover, this technique also reduces the storage cost compared with the honeyword method . Department of Computer Science And Engineering 3
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 3 3 Literature Survey This chapter summarize the major works done in earlier times to generate the honey- words for each user accounts. Here categorize the honeyword generation methods into two groups. The first category consists of the legacy-UI (user interface) procedures and the second one includes modified-UI procedures whose password-change UI is modified to allow better password/honeyword generation. Take-a-tail method is given as an example of the second category. According to this approach a randomly selected tail is produced for the user to append this suffix to her entered password and the result becomes her new pass- word. For instance, let a user enter password games01, and then system let propose ’413’ as a tail. So the password of the user now becomes games01413. Although this method strengthens the password, but it is impractical some users even forget the passwords that they determined. Therefore in the remaining parts, the analysis that we conducted is limited with the legacy-UI procedures. In a legacy-UI method, the password-change procedure asks the user for the new pass- word (and perhaps asks her to type it again, for confirmation). The UI does not tell the user about the use of honeywords, nor interact with her to influence her password choice. Here discuss the four methods of honeyword generation [2]. • Chaffing-by-Tweaking • Chaffing-with-a-Password-Model • Chaffing with “Tough Nuts” • Hybrid Method Department of Computer Science And Engineering 4
Achieving Flatness: Selecting the Honeywords from Existing User Passwords 3.1 Chaffing-by-Tweaking In chaffing the password p i is picked, and then the honeyword generation procedure Gen(k, p i ) or “chaff procedure” generates a set of k-1 additional distinct honeywords (“chaff”). Note that the honeywords may depend upon the password p i . The password and the honeywords are placed into a list W i , in random order. The value c(i) is set equal to the index of p i in this list. In the chaffing-by-tweaking, the user password seeds the generator algorithm which tweaks selected character positions of the real password to produce the honeywords. The honeywords are then obtained by tweaking the characters in the selected t positions: each character in a selected position is replaced by a randomly-chosen character of the same type: digits are replaced by digits, letters by letters, and special characters (anything other than a letter of a digit) by special characters. The success of chaffing depends on the quality of the Chaff generator ; the method fails if an adversary can easily distinguish the password from the honeywords. The positions to be tweaked should be chosen solely on the pattern of character types in the password, and not on the specific characters in the password, otherwise the password might be easily determined as the only sweetword capable of giving rise to the given list W i . Following some examples of chaffing by tweaking method. 3.1.1 Chaffing-by-tweaking-digits In this method choosing the last digit position and the last special character position. With “chaffing-by-tweaking-digits” the last t positions containing digits are chosen. (If there are less than t digits in the password, then positions with non-digits could also be selected as needed.) For example, by using the last technique for the password 42hungry and t=2, the honeywords 20hungry and 32hungry may be generated. Many users have the propensity to choose the numbers included in passwords related to a special date, e.g. birthday, an- niversary or an important historical event. For example 3.6 percent of the hacked Adobe Department of Computer Science And Engineering 5
Achieving Flatness: Selecting the Honeywords from Existing User Passwords password hints are related to a date [8]. In the light of this fact, it is highly possible that such a password involves a digit sequence like 19xx, 20xx or xx where xx represents the last two digits of the date. For those passwords by applying the chaffing-by-tweaking-digits method, the date digits will be replaced with the randomly selected digits. Hence an ad- versary who has W i of a user u i may easily identify honeywords and recover the correct password. When examine publicly available leaked passwords hacked from RockYou web- site (approximately 32 million entries) [9], it observe that the passwords of the numerous users include such a pattern, e.g. junexxxx pattern is selected as a password by 1,244 users, where xxxx is a date and starts with 19 or 20. Another example should be the password alex1992 which is seen 47 times in the RockYou password list: Suppose the following honeywords are generated with t= 4 and k = 9 for this password. Note that the digits in the honeywords seem not relevant, but the correct password alex1992 makes sense for an adversary. alex6323 alex9058 alex1992 alex1270 alex0976 alex2785 alex5469 alex8147 alex9705 Many users prefer to append consecutive numbers to their password heads, like ’123’, ’1234’, due to the tendency of users to choose rememberable number patterns. By con- sidering the RockYou leaked password database, realize that about 0:8 percent of all user passwords—excluding the ones in the top 1,000—ends with ’123’ or ’1234’ and begins with letters at least one length. The vulnerability issued with the date patterns described above is also valid in those passwords, i.e., an adversary may distinguish the correct pass- word from the sweetwords by just investigating the end digit patterns. Indeed, the chaffing by tweaking method suffers from these types of passwords, because replacing characters of the same type randomly will give the same hint to an adversary in extracting the cor- rect password. Similar patterns and examples of user habits in digit selections can be ex- Department of Computer Science And Engineering 6
Achieving Flatness: Selecting the Honeywords from Existing User Passwords tended. From a broader perspective, these examples show that users mostly do not choose the digits or letters in passwords randomly, so a randomly replacing technique like this model leads an adversary to make a natural selection. In particular, believe that deploying the “chaffing-by-tweaking” model, it is hard to fulfill aims of the honeyword scheme, i.e., all the adversary needs to do is to have a human sense. 3.2 Chaffing-with-a-Password-Model This method generates honeywords using a probabilistic model of real passwords; this model might be based on a given list L of thousands or millions of passwords and perhaps some other parameters. (Note that generating honeywords solely from a published list L as honeywords is not in general a good idea: such a list may also be available to the adversary, who could use it to help identify honeywords.). Unlike the previous chaffing methods, this method does not necessarily need the password in order to generate the honeywords, and it can generate honeywords of widely varying strength. It consists of mainly two methods 3.2.1 Modeling syntax In this scheme, the password is parsed into a sequence of tokens, each representing a dis- tinct syntactic element or a word, number, or set of special characters. For example, the password, mice3blind Might be decomposed into the token sequence W4—D1—W5, meaning a 4-letter word followed by a 1-digit number and then a 5-letter word. Honeywords are then generated by replacing tokens with randomly selected values that match the tokens. For example, the choice W4 gold, D1 5, W5 rings would yield the honeyword. gold5rings Department of Computer Science And Engineering 7
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Replacements for word tokens are selected from a dictionary provided as input to the generation algorithm. 3.2.2 simplex model Simple model generates honeywords through a password list: First a password list L is built by combining numerous real passwords and random passwords of varying lengths. Then a random word is picked from the list with a length of d. Moreover, with a probability of 0.8 some honeywords are generated as ”tough nuts” which will be explained in the next part. honeyword characters are created by replacing characters of randomly selected words of L in a probabilistic manner Leaked password databases have shown that some passwords have a well-known pattern. For example all of the following passwords are involved in the list of 10,000 most common passwords [10]. bond007 007bond james007 007007 Considering the modeling syntax method, one can conclude that the honeyword sys- tem losses its effectiveness against such passwords, i.e., the correct password has become noticeably recognized by an adversary. In fact, this problem seems an inherent weakness of randomly replacement based honeyword methods. Since character groups or individ- ual characters are replaced by a picked character/characters, the content integrity of such passwords would be broken and the correct password becomes quite salient. 3.3 Chaffing with Tough Nuts In this method, the system intentionally injects some special honeywords, named as tough nuts, such that inverting hash values of those words is computationally infeasible, e.g. fixed length random bit strings should be set as the hash value of a honeyword. An illustrative ex- ample for a tough nut is given in [9] as ’9,50PEe[KV.0?RIOtcL-:IJ”b+Wol !*]! NWT/pb’. Department of Computer Science And Engineering 8
Achieving Flatness: Selecting the Honeywords from Existing User Passwords It is stated that the number and positions of tough nuts are selected ran- domly. By means of this, it is expected that the adversary cannot seize whole sweetword set and some sweet- words will be blank for her, thereby deterring the adversary to realize her attack. In such a situation the adversary may pause before attempting login with cracked passwords. Tough nuts are recommended to be used together with other methods to render the ad- versary’s work more challenging and exhaust the attacker. Nevertheless, it has remained an open question, what is the optimal strategy for an adversary when tough nuts are ex- perienced. from this infer that “tough nuts” method is a double-edgedsword: Numerous unknowns in the password list may discourage an adversary to proceed mounting her at- tack. On the other hand, an adversary may suppose that most of the passwords made up of simple words and digit combinations, not a tough nut. Hence, it is reasonable for this adversary to conduct her classic attack with skipping tough nuts contrarily to authors’ ex- pectations. Note that for this attack strategy, entropy contributed by the honeywords is decreased, because the tough nuts are ignored by the adversary. 3.4 Chaffing with Hybrid Method It is possible to combine the benefits of different honeyword generation strategies by com- posing them into a “hybrid” scheme. Hybrid method is combining the strength of differ- ent honeyword generation methods, e.g. chaffing-with a password-model and chaffing- by-tweaking-digits. By using this technique, random password model will yield seeds for tweaking-digits to generate honeywords. For example let the correct password be ap- ple1903. Then the honeywords angel2562 and happy9137 should be produced as seeds to chaffing-by-tweaking-digits. For t = 3 and k = 4 for each seed, the sweetword table given below may be attained: Here is a simple hybrid scheme: • Use chaffing-with-a-password-model on user-supplied password p to generate a set of a ( 2) seed sweetwords W’, one of which is the password. Some seeds may be “tough nuts.” Department of Computer Science And Engineering 9
Achieving Flatness: Selecting the Honeywords from Existing User Passwords • Apply chaffing-by-tweaking-digits to each seed sweetword in W’ to generate b (( 2) 2) tweaks (including the sweetword itself). This yields a full set W of k = a b sweetwords. • Randomly permute W. Let c(i) be the index of p such that p = w c (i), as usual. Because the hybrid method is legacy-UI, achieves excellent flatness under reasonable assumptions, and provides resistance to DoS attacks, it is recommended honeyword generation method. Department of Computer Science And Engineering 10
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 4 4 Achieving Flatness: Selecting the Honeywords from Existing User Passwords In order to handle the defects of honeyword generation method, a new method of se- lecting the honeywords from existing user passwords are proposed. This for each account k-1 existing password indexes, which we call honeyindexes, are randomly assigned to a newly created account of u i , where k greter than or equal to 2. Moreover, a random index number is given to this account and hash of the correct password is kept with the correct index in a list. In another list u i is stored with an integer set which is consisted of the honeyindexes and the correct index. The tentative password indexes hamper an adversary to make a correct guess and she cannot be easily sure about which index is the correct one. It is equivalent to say that to create uncertainty about the correct password, propose to use indexes that map to valid passwords in the system. This involves different steps as follows. 4.1 Initialization First, T fake user accounts (honeypots) are created with their passwords. Also an index value between [1, N], but not used previously is assigned to each honeypot randomly. Then k-1 numbers are randomly selected from the index list and for each account a honeyindex set is built like X i =(xi,1,xi,2, . . . x,i,k) one of the elements in Xi is the correct index (sugarindex) as ci. Now, use two password files as F1 and F2 in the main server: F1 stores username and honeyindex set, (h u i, X i ) pairs as shown. Where h u i denotes a honeypot account. Here each entry has two elements. The first one is the username of the account and the second element is honeyindex set for the respective account. F2 keeps the index number and the corresponding hash of the password,(ci, H(pi) ), as depicted. Let SI Department of Computer Science And Engineering 11
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Figure 1: Password File F1 for the proposed model. Figure 2: Password File F2 for the proposed model. denote the index column and SH represent the corresponding password hash column of F2 . Then the function f(ci) that gives password hash value in SH for the index value ci can be defined as: f (ci) = H(pi)SH less than ci, H(pi) greater than stored pair of ui and ci SI. 4.2 Registration After the initialization process, system is ready for user registration. In this phase, a legacy- UI is preferred, i.e., a username and password are required from the user as ui , pi to register the system. here use the honeyindex generator algorithm Gen(k,SI) ci ,Xi , which outputs ci as the correct index for ui and the honeyindexes Xi =(xi,1,xi,2, . . . x,i,k). Gen(k, SI )produces Xi by randomly selecting k- 1 numbers from SI and also randomly picking a number ci .SI. so ci becomes one of the elements of Xi . One can see the generator Department of Computer Science And Engineering 12
Achieving Flatness: Selecting the Honeywords from Existing User Passwords algorithm Gen(k, SI) is different from the procedure described in the previous method, since it outputs an array of integers rather than a group of honeywords. Last, periodically honeyindexes of each account should be regenerated. Periodically honeyindexes of each account should be regenerated. As the number of users in the system increases to provide uniform distribution of honeyindexes across SI , fresh honeyindex set must involve numbers from this new larger list. Otherwise, passwords of newly created accounts would not be used as honeywords in the system and it may give a clue to the adversary to in guessing the correct password of these new accounts. Note that within a uniform distribution each password is assigned as a honeyword about k times, because there are N passwords but Nk honeywords are needed. 4.3 Honeychecker The system may utilize an auxiliary secure server called the honeychecker” to assist with the use of the honeywords. Since we are assuming that the computer system is vulnerable to having the file F of password hashes stolen, one must also assume that salts and other hashing parameters can also be stolen. Thus, there is likely no place on the computer system where one can safely store additional secret information with which to defeat the adversary. The honeychecker is thus a separate hardened computer system where such secret information can be stored. assume that the computer system can com- municate with the honeychecker when a login attempt is made on the computer system or when a user changes her pass word. Assume that this communication is over dedicated lines and/or encrypted and authenticated. The honeychecker should have extensive in- strumentation to detect anomalies of various sorts. The auxiliary service honeychecker is employed to store correct indexes for each account and assume that it communicates with the main server through a secure channel in an authenticated manner. The role and primary process of the honeychecker is ensure security. It is a hardened computer system where such secret Department of Computer Science And Engineering 13
Achieving Flatness: Selecting the Honeywords from Existing User Passwords information can be stored. , except that ( i, c i )pair is replaced with ( u i , c i )pair in our case. The honeychecker executes two commands sent by the main server: Set: c i ,u i Sets correct password index c i for the user u i Check: u i , j Checks whether u i for u i is equal to given j Returns the result and if equality does not hold, notifies system a honeyword situation. Depending on the policy chosen, the honeychecker may or may not reply to the com- puter system when a login is attempted. When it detects that something is a miss with the login attempt, it could signal to the computer system that login should be denied. On the other hand it may merely signal a silent alarm to an administrator, and let the login on the computer system proceed. In the latter case, call the honeychecker a login monitor rather than a honeychecker. 4.4 Login process System first checks whether entered password, g, is correct for the corresponding user- name u i .To accomplish this, first the Xi of the corresponding u i is attained from the F1 file. Then, the hash values stored in F2 file for the respective indices in Xi are compared with H(g) to find a match. If a match is not obtained, then it means that g is neither the correct password, nor one of the honeywords, i.e., login fails. On the other hand, if H(g) is found in the list, then the main server checks whether the account is a honeypot. If it is a honeypot, then it follows a predefined security policy against the password disclosure scenario. Honeychecker controls whether j= c i and returns the result to the main server. At the same time, if it is not equal, then it assured that the proffered password is a honeyword and adequate actions should be taken depending on the policy. Department of Computer Science And Engineering 14
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 5 5 Security Analysis Here discuss the security of the proposed model against some possible attack scenarios. Suppose that the adversary can invert most or many of the password hashes in file F2. It leads to the Introduction of a DoS attack sensitivity. In which an adversary deliberately tries to login with honeywords to trigger a false alarm. Hence, the suggested policies given below mostly focuses on minimizing the DoS vulnerabilities. • When a user logins with a wrong password , If this wrong password is the password of another account in the system and the same user hits this situation more than once the system should turn on additional logging of the user’s activities to detect a possible DoS attack and to attribute the adversary, besides the incorrect login attempt case proceeds as usual. • If a password, whose hash value is in the SH of the F2, is entered in wrong login attempts for more than once, the system should take actions against a possible DoS alarm. • In order to increase the number of unique passwords in the system, i.e., reduce common passwords, users should be forced to adhere to a password-composition policy like basic8 (eight or more characters), in the password creation .The main reason behind this item is to minimize the number of common passwords in the system. • A username should not be correlated with its password. • To avoid occurrence of a high number of common passwords in the system. 5.1 DoS Attack Under this attack scenario the adversary does not have the password files and their contents. Her main purpose is to trigger a false alarm and to raise a honeyword alarm situation, i.e., Department of Computer Science And Engineering 15
Achieving Flatness: Selecting the Honeywords from Existing User Passwords depending on the policy some or all parts of the system may be out of service or disabled unnecessarily. Suppose that the adversary has knowledge m +1 username and respective passwords in the system. Method for attacking the system is creating m accounts with the same password as pz, while a single account, u y , has different password like py and entering the system with the username uy and the password pz. If pz is assigned by the system as a honeyword, then the adversary mounts a DoS attack by entering with the system ( u y , p z ) pair LetP r(p z W y ) the probability that P z is assigned as one of the honeywords for u y it is also the success probability of the adversary for this attack. Since there are N-m passwords different from p 1 z and k honeywords are assigned to each account. When a password in the system is entered incorrectly by the same username or different usernames for more than once, the system suspects about a DoS attack and a DoS alarm should be triggered depending on the next activities of the user. Hence, the adversary cannot increase her chance by making more trials for the same known password p z without being noticed by the system. 5.2 Password Guessing In this attack, assume that the adversary has plundered password files F1 and F2 from the main server and also obtained plaintext passwords by inverting the hash values. Extracted F2 file (after inverting hashes) gives ( indexnumber; password ) pairs to the adversary, but they are not directly connected to a specific username. By just analyzing this, she cannot exactly determine which password belongs to which user. If the adversary randomly picks an account from the list in F1 and then tries to login with a guessed password, then her suc- cess will depend on: First, the selected account is not a honeypot account. Second guessing the correct password pi out of k sweetwords. Otherwise, the adversary will be caught by the system due to a honeyword or a honeyspot. Let Pr(success) represent the probability that the adversary makes a correct guess for a randomly picked username. Below, express Department of Computer Science And Engineering 16
Achieving Flatness: Selecting the Honeywords from Existing User Passwords the probability that the adversary, who makes random trials, is not detected by the system, suppose the number of honeypots in the system is T: equation given as The attacker picks password pi with 5 percent probability. Conversely, the adversary will caught by the system in password guessing attack with a chance of 95 percent, as long as the password does not carry any information about the username. 5.3 Brute-Force Attack A honeypot account is attempted then system follows a strong policy e.g. demanding all users to renew their passwords. From binomial distribution the probability that the adver- sary hits at least one honeypot in her trials is P r(hit greter than 1) = 1 - (N - T /N ). Even in this case our approach provides resistance against such an attack, because for T =1000, N =1000000 values this probability tends to 0:5. It is equivalent to say that in brute-force guess attack, it is likely that the adversary hits a honeypot and system detects the password disclosure situation. 5.4 Same User in Multiple Systems The attack scenarios such that a user reuse passwords on two different systems as A and B are investigated. In [2], the attack scenarios such that a user reuse passwords on two different systems as A and B are investigated. For example suppose A uses honeywords and B has prevalent password storage techniques and a target user ui shares her password across these two systems. In this case, if an adversary compromises B, it is apparent that honeywords assigned for this user in A contributes nothing at all. Conversely, if the adver- sary pilfers passwords from A, she can try all sweetwords of the common user u i in A to verify which is the correct password by submitting to B. If a honeyword is entered to B, it results in an incorrect password screen, while the adversary successfully logins in case of the correct password. Department of Computer Science And Engineering 17
Achieving Flatness: Selecting the Honeywords from Existing User Passwords This model is also vulnerable these scenarios: Indeed, if the password is not same but cor- related for a user in two distinct domains, then first scenario may be still valid. For example a user has password bond007 in B which does not use honeywords. On the other side same user has password james007 in domain A which assigns honeywords to these user. Then it is highly possible that an adversary extracts the correct password from the sweetwords, if she has knowledge of bond007. So, both of the original method and our approach cannot provide resistance against such conditions, as long as users select same or highly correlated passwords in different domains. Department of Computer Science And Engineering 18
Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 6 6 Comparison of Password Generation Models In this section, detail a comparison of the generation methods including the new model with respect to storage cost, DoS resistance and flatness of each algorithm. In a tradi- tional password based system with a number of N users, an adversary may have at most N user/password pairs through a cracking process. Suppose that all cryptographic efforts in recovering a plain text word from the respective hash string stored in password hash file is represented as a single hash inversion operation. Then, by considering the traditional sys- tem, for each user the attacker has to perform one hash inversion operation, while for the whole system N operations must be executed. According to the Juels and Rivest’s method [2] she needs to launch k operations for a specific user and kN operations for the whole space, since for each user k sweetwords are assigned. Thus, one can see that the adversary has to spend k times more effort for each case in this method. Now, archiving flatness, if the attacker focuses on a specific user, she must still try k hash inversions to reveal all possible passwords for this target user. However, since each honeyword is indeed password of another user, revealing all passwords in the system requires N operations as in the case of the traditional system. Therefore, taking the total password-cracking cost of the adver- sary for the whole system into account, thus say that Juels and Rivest’s model requires higher effort for an attacker in retrieving plaintext passwords. Notice that, this feature of our model at worst reduces total hash inversion work to it was at the traditional model. This paper discusses what can be done in terms of detecting the password disclosure, when the whole plain text forms of the passwords are available to an adversary, rather than dealing with making the adversary’s work harder in getting plain text passwords. Department of Computer Science And Engineering 19
Achieving Flatness: Selecting the Honeywords from Existing User Passwords 6.1 Storage Cost A typical password file system requires hN plus storage for usernames, where N stands for the number of users in the system and h denotes length of password hash in bytes. On the other hand this is khN for , where k denotes the number of the sweetwords assigned to each account. Notice that here ignored the storage cost stemmed from usernames, since it is not changed after adaptation of the honeywords what can be done in terms of detecting the password disclosure, when the whole plaintext forms of the passwords are available to an adversary. For this approach assume that each index requires 4 bytes and the storage cost becomes, 4kN + hN + 4N. To measure the gain in storage compared to original method, give the ratio as: (4kN + hN + 4N)/khN 6.2 DoS Resistance Probability of a common password is assigned as a honeyword for a specific user will be negligibly low.use of real passwords as honeywords does not cause a DoS weakness. This proposed scheme uses password list in the system as honeywords of a user. However as the adaptation of a strong password composition policy likely prevents occurrence of com- mon passwords in high numbers, i.e., probability of a common password is assigned as a honeyword for a specific user will be negligibly low. Although, an adversary may hit a real password using a common password in the system, it is not necessarily a honeyword for the corresponding account. Thus, use of real passwords as honeywords does not cause a DoS weakness. Last but not least issue is that in achiving flatness in addition to honeywords, honeypots are employed to detect a password disclosure. This facilitates showing a strong response to actions of an adversary, because entering a honeypot account with one of its Department of Computer Science And Engineering 20
Achieving Flatness: Selecting the Honeywords from Existing User Passwords sweetwords ensures occurrence of a password leakage. 6.3 Flatness For the proposed model as described previously passwords of other users become honey- words for a user. Hence, this model satisfies perfect flatness as long as the correct password is not correlated with username as pointed in previously. And investigation of a target user profile (age, gender, religion etc.) gives no advantage to an adversary in password guess- ing. Comparing our method with the simple model, one can see that our method is better than the latter in terms of flatness: The honeywords in the former carry all characteristics of the real passwords in the same system, while the simple model generates honeywords artificially despite using real passwords of different list. For example, it is well known that users choose segregate their passwords for more- secure and low-secure sites , it is presented that reuse rate of weaker passwords is higher than those of stronger passwords, since the stronger ones are usually created for higher- security sites e.g. banking accounts. Consequently, a password list from a lower-security site password list which is used in the simple model for a higher-security site may not be natural. 6.4 Usability In this part, compare the proposed approach with the simple model in terms of practicality and ease of use. By considering the simple model whose password list is constructed with composition of numerous real passwords and randomly generated passwords, one can argue about how the real password source is provided. If the same resource of real passwords is used in different sites, similar inherited weaknesses related to honeyword generation may be observed. Nonetheless, if use of publicly available password lists is forbidden , then it will not be easy to get required large number of real passwords. Conversely, proposed approach does not need to use an external real password resource in honeyword generation. Department of Computer Science And Engineering 21
Achieving Flatness: Selecting the Honeywords from Existing User Passwords 7 Conclusion In conclusion, In this study, analyzed the security of the honeyword system and ad- dressed a number of flaws that need to be handled before successful realization of the scheme. In this respect, point out the strength of the honeyword system directly depends on the generation algorithm, i.e., flatness of the generator algorithm determines the chance of distinguishing the correct password out of respective sweetwords. Another point that would like to stress is that defined reaction policies in case of a honeyword entrance can be exploited by an adversary to realize a DoS attack. This will be a serious threat if the chance of an adversary in hitting a honey-word given the respective password is not negligible. To combat such a problem, also known as DoS resistance, low probability of such an event must be guaranteed. This can be achieved by employing unpredictable honeywords or altering system policy to minimize this risk. Hence, noted that the security policy should strike a balance between DoS vulnerability and effectiveness of honeywords This model satisfies perfect flatness as long as the correct password is not correlated with username as pointed in previously. The honeywords in the former carry all char- acteristics of the real passwords in the same system, while the simple model generates honeywords artificially despite using real passwords of different list. If the same resource of real passwords is used in different sites, similar inherited weaknesses related to honey- word generation may be observed. proposed approach does not need to use an external real password resource in honeyword generation, rather it just feeds itself. From the anal- ysis the proposed method will claim that this approach is simpler and more practical for implementation. Department of Computer Science And Engineering 22
References [1] Erguler, ” Achieving Flatness : Selecting the Honeywords from Existing User Pass- words ,” in Proc. IEEE Transactions on Dependable And Secure Computing , 2016, Vol. 13, No. 2. [2] A. Juels and R. L. Rivest, “Honeywords: Making password cracking detectable,” in Proc. ACM SIGSAC Conf. Computer Communication. Security, 2013, pp. 145–160. Comput. Linguistics. , vol. 35, no. 3, pp. 399-433, 2009.Department of Computer Sci- ence, University of Arizona: Tucson, AZ, USA, 1994. [3] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss resistant pass- word management,” in Proc. 15th Eur. Conf. Res. Computer Security, 2010, pp. 286–302. [4] F. Cohen, “The use of deception techniques: Honeypots and decoys,” Handbook In- form. Security, vol. 3, pp. 646–655, 2006. 23

Recommended

Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
IRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET Journal
 
Unlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityUnlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityIJCSEA Journal
 
Final report
Final reportFinal report
Final reportRahul Sihag
 
IRJET- Carp a Graphical Password: Enhancing Security using AI
IRJET- Carp a Graphical Password: Enhancing Security using AIIRJET- Carp a Graphical Password: Enhancing Security using AI
IRJET- Carp a Graphical Password: Enhancing Security using AIIRJET Journal
 
I Forgot Your Password: Breaking Modern Password Recovery Systems
I Forgot Your Password: Breaking Modern Password Recovery SystemsI Forgot Your Password: Breaking Modern Password Recovery Systems
I Forgot Your Password: Breaking Modern Password Recovery SystemsPriyanka Aash
 
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...IRJET Journal
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsIRJET Journal
 

Recommended

Honeywords
HoneywordsHoneywords
HoneywordsSreya Sridhar PP
 
IRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET Journal
 
Unlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityUnlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityIJCSEA Journal
 
Final report
Final reportFinal report
Final reportRahul Sihag
 
IRJET- Carp a Graphical Password: Enhancing Security using AI
IRJET- Carp a Graphical Password: Enhancing Security using AIIRJET- Carp a Graphical Password: Enhancing Security using AI
IRJET- Carp a Graphical Password: Enhancing Security using AIIRJET Journal
 
I Forgot Your Password: Breaking Modern Password Recovery Systems
I Forgot Your Password: Breaking Modern Password Recovery SystemsI Forgot Your Password: Breaking Modern Password Recovery Systems
I Forgot Your Password: Breaking Modern Password Recovery SystemsPriyanka Aash
 
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...
Securing Messages from Brute Force Attack by Combined Approach of Honey Encry...IRJET Journal
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsIRJET Journal
 
Mobile Email Security
Mobile Email SecurityMobile Email Security
Mobile Email SecurityRahul Sihag
 
Frost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed CryptographyFrost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed CryptographyEMC
 
Captcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRPCaptcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRPjadhav.vrushali90
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hackingTjylen Veselyj
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
Information Security
Information SecurityInformation Security
Information SecurityPresentaionslive.blogspot.com
 
Ijcnc050205
Ijcnc050205Ijcnc050205
Ijcnc050205IJCNCJournal
 
New era of authentication
New era of authenticationNew era of authentication
New era of authenticationsunil kumar
 
Authentication framework using visual cryptography
Authentication framework using visual cryptographyAuthentication framework using visual cryptography
Authentication framework using visual cryptographyeSAT Publishing House
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10Al Imam University
 
CARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASCARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASInternational Journal of Technical Research & Application
 
Detection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodesDetection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodeseSAT Publishing House
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationSunil Paudel
 
A new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script accessA new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script accesseSAT Journals
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...eSAT Journals
 
7317ijcis01
7317ijcis017317ijcis01
7317ijcis01ijcisjournal
 
A new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages fromA new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages fromeSAT Publishing House
 
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET Journal
 
Honeywords for Password Security and Management
Honeywords for Password Security and ManagementHoneywords for Password Security and Management
Honeywords for Password Security and ManagementIRJET Journal
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 

More Related Content

What's hot

Mobile Email Security
Mobile Email SecurityMobile Email Security
Mobile Email SecurityRahul Sihag
 
Frost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed CryptographyFrost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed CryptographyEMC
 
Captcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRPCaptcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRPjadhav.vrushali90
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hackingTjylen Veselyj
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
New era of authentication
New era of authenticationNew era of authentication
New era of authenticationsunil kumar
 
Authentication framework using visual cryptography
Authentication framework using visual cryptographyAuthentication framework using visual cryptography
Authentication framework using visual cryptographyeSAT Publishing House
 
Detection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodesDetection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodeseSAT Publishing House
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationSunil Paudel
 
A new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script accessA new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script accesseSAT Journals
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...eSAT Journals
 
A new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages fromA new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages fromeSAT Publishing House
 

What's hot (19)

Mobile Email Security
Mobile Email SecurityMobile Email Security
Mobile Email Security
 
Frost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed CryptographyFrost & Sullivan: Moving Forward with Distributed Cryptography
Frost & Sullivan: Moving Forward with Distributed Cryptography
 
Captcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRPCaptcha as Graphical Password- CaRP
Captcha as Graphical Password- CaRP
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hacking
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Information Security
Information SecurityInformation Security
Information Security
 
Ijcnc050205
Ijcnc050205Ijcnc050205
Ijcnc050205
 
New era of authentication
New era of authenticationNew era of authentication
New era of authentication
 
Authentication framework using visual cryptography
Authentication framework using visual cryptographyAuthentication framework using visual cryptography
Authentication framework using visual cryptography
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10
 
CARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASCARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PAS
 
Detection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodesDetection andprevention of fake access point using sensor nodes
Detection andprevention of fake access point using sensor nodes
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
 
A new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script accessA new approach “ring” for restricting web pages from script access
A new approach “ring” for restricting web pages from script access
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
 
7317ijcis01
7317ijcis017317ijcis01
7317ijcis01
 
A new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages fromA new approach “ring” for restricting web pages from
A new approach “ring” for restricting web pages from
 

Similar to Mtech Seminar Report on Achieving Flatness by Selecting Honeywords from Existing Passwords

IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET Journal
 
Honeywords for Password Security and Management
Honeywords for Password Security and ManagementHoneywords for Password Security and Management
Honeywords for Password Security and ManagementIRJET Journal
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...IJCNCJournal
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication IJMER
 
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...ijistjournal
 
Behavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyBehavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyacijjournal
 
Effectiveness of various user authentication techniques
Effectiveness of various user authentication techniquesEffectiveness of various user authentication techniques
Effectiveness of various user authentication techniquesIAEME Publication
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsKamal Spring
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password AuthenticationIRJET Journal
 
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...IRJET Journal
 
Investigating the Combination of Text and Graphical Passwords for a more secu...
Investigating the Combination of Text and Graphical Passwords for a more secu...Investigating the Combination of Text and Graphical Passwords for a more secu...
Investigating the Combination of Text and Graphical Passwords for a more secu...IJNSA Journal
 
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...ADEIJ Journal
 
Multilevel Security and Authentication System
Multilevel Security and Authentication SystemMultilevel Security and Authentication System
Multilevel Security and Authentication Systempaperpublications3
 
Shoulder surfing resistant graphical
Shoulder surfing resistant graphicalShoulder surfing resistant graphical
Shoulder surfing resistant graphicalKamal Spring
 

Similar to Mtech Seminar Report on Achieving Flatness by Selecting Honeywords from Existing Passwords (20)

IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
 
Honeywords for Password Security and Management
Honeywords for Password Security and ManagementHoneywords for Password Security and Management
Honeywords for Password Security and Management
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
 
C0210014017
C0210014017C0210014017
C0210014017
 
Behavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyBehavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison study
 
Effectiveness of various user authentication techniques
Effectiveness of various user authentication techniquesEffectiveness of various user authentication techniques
Effectiveness of various user authentication techniques
 
Achieving flatness selecting the honeywords
Achieving flatness selecting the honeywordsAchieving flatness selecting the honeywords
Achieving flatness selecting the honeywords
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
 
Ijsrdv8 i10355
Ijsrdv8 i10355Ijsrdv8 i10355
Ijsrdv8 i10355
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...
 
Ko3618101814
Ko3618101814Ko3618101814
Ko3618101814
 
Investigating the Combination of Text and Graphical Passwords for a more secu...
Investigating the Combination of Text and Graphical Passwords for a more secu...Investigating the Combination of Text and Graphical Passwords for a more secu...
Investigating the Combination of Text and Graphical Passwords for a more secu...
 
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
 
Multilevel Security and Authentication System
Multilevel Security and Authentication SystemMultilevel Security and Authentication System
Multilevel Security and Authentication System
 
Shoulder surfing resistant graphical
Shoulder surfing resistant graphicalShoulder surfing resistant graphical
Shoulder surfing resistant graphical
 

Recently uploaded

Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceCall Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceSapana Sha
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...Suhani Kapoor
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Data Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxData Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxFurkanTasci3
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...Suhani Kapoor
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Jack DiGiovanna
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Sapana Sha
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 
Data Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationData Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationBoston Institute of Analytics
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxStephen266013
 

Recently uploaded (20)

Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceCall Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts Service
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Data Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptxData Science Jobs and Salaries Analysis.pptx
Data Science Jobs and Salaries Analysis.pptx
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptx
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
 
E-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptxE-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptx
 
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
 
Data Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationData Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health Classification
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docx
 

Mtech Seminar Report on Achieving Flatness by Selecting Honeywords from Existing Passwords

  • 1. Mtech Semiar Report on ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASSWORDS Submitted in partial fulfillment for the Award of the Degree of Masters of Technology in Computer Science & Engineering Submitted by SREYA SRIDHAR P P (Candidate Code:11) Under the guidance of Mrs.Ruksana M Yoonus Assistant Professor Department of Computer Science & Engineering Department of Computer Science and Engineering COLLEGE OF ENGINEERING & MANAGEMENT PUNNAPRA KERALA November 2017
  • 2. CERTIFICATE This is to certify that the thesis entitled “ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASSWORDS ” is a bonafide record of the project work done by Sreya Sridhar P P (Candidate Code:11)under my supervision and guidance, in partial fulfillment for the award of Degree of Master of Computer Science and Engineering from the Technical University of Kerala for the year 2017. Mrs Ruksana M Yoonus (Seminar co-ordinator) Assistant Professor Dept.of Computer Science & Engineering Dr.SureshKumar N Assosciate Professor &Head of Department Dept.of Computer Science & Engineering Place:Punnapra Date:09/11/2017 i
  • 3. Acknowledgement It is a matter of great pleasure for me to submit this seminar report on “ACHIEVING FLATNESS: SELECTING THE HONEYWORDS FROM EXISTING USER PASS- WORDS” as a part of curriculum for the award of Degree of Masters of Technology in Computer Science & Engineering. First and foremost, I wish to place on record my ardent gratitude to my seminar co- ordinator Mrs.Ruksana Myoonus, Assistant Professor, Department of Computer Science & Engineering. Her tutelage and guidance was the leading factor in translating my efforts to fruition. Her prudent and perspective vision has shown light on my trial to triumph. I am extremely happy to mention a great word to DR.SureshKumar N, Head of Depart- ment of CSE for providing me with all facilities for the completion of this work. Finally yet importantly, I would like to express my gratitude to Prof, the principal of my institution for providing me with all the facilities for completion of this work. I would also extend my gratefulness to all the staff members in the Department. I am also thankful to all my friends and well wishers who greatly helped me in my endeavour. SREYA SRIDHAR.P.P 11 i
  • 4. Abstract Disclosure of password files is a severe security problem that has affected millions of users and companies like Yahoo, RockYou, LinkedIn, eHarmony and Adobe. Leaked passwords make the users target of many possible cyber- attacks. Here a simple but clever idea behind the study is the insertion of false passwords called as honeywords associated with each user’s account. If honeywords are selected properly, a cyber-attacker who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Hence, when an adversary tries to enter into the system with a honeyword, an alarm is triggered to notify the administrator about a password leakage. At the expense of increasing the storage requirement by 20 times, here introduce a simple and effective solution to the detection of password file disclosure events. In this study, introduce the honeyword system and present some remarks to highlight possible weak points. Also, it suggest an alternative approach that selects the honeywords from ex- isting user passwords in the system in order to provide flat honeyword generation method. It also reduce storage cost of the honeyword scheme II. ii
  • 5. Contents 1 Introduction 1 2 Problem Identification 3 3 Literature Survey 4 3.1 Chaffing-by-Tweaking 5 3.1.1 Chaffing-by-tweaking-digits 5 3.2 Chaffing-with-a-Password-Model 7 3.2.1 Modeling syntax 7 3.2.2 simplex model 8 3.3 Chaffing with Tough Nuts 8 3.4 Chaffing with Hybrid Method 9 4 Achieving Flatness: Selecting the Honeywords from Existing User Passwords 11 4.1 Initialization 11 4.2 Registration 12 4.3 Honeychecker 13 4.4 Login process 14 5 Security Analysis 15 5.1 DoS Attack 15 5.2 Password Guessing 16 5.3 Brute-Force Attack 17 5.4 Same User in Multiple Systems 17 6 Comparison of Password Generation Models 19 6.1 Storage Cost 20 iii
  • 6. 6.2 DoS Resistance 20 6.3 Flatness 21 6.4 Usability 21 7 Conclusion 22 References 23 iv
  • 7. List of Figures 1 Password File F1 for the proposed model. 12 2 Password File F2 for the proposed model. 12 v
  • 8. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 1 1 Introduction Nowadays the Password file disclosure is one of the major security problem that has affected many of users and companies. Passwords are a notoriously weak authentication mechanism. Users frequently choose poor passwords. An adversary who has stolen a file of hashed passwords can often use brute-force search to find a password p whose hash value H(p) equals the hash value stored for a given user’s password, thus allowing the adversary to impersonate the user. These recent events have demonstrated that the weak password storage methods are currently in place on many web sites. For example, the LinkedIn passwords were using the SHA-1 algorithm with out a salt and similarly the passwords in the eHarmony system were also stored using unsalted MD5 hashes [3]. Indeed, once a password file is stolen, by using the password cracking techniques like the algorithm of Weir et al [3]. It is easy to capture most of the plaintext passwords. The security of many computer systems hinges on the secrecy of a single word if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the ‘weakest link’ in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. There are two issues that should be considered to overcome these security problems: First, passwords must be protected by taking appropriate precautions and storing with their hash values computed through salting or some other complex mechanisms. Hence, for an adversary it must be hard to invert hashes to acquire plaintext passwords. The second point is that a secure system should detect whether a password file disclosure incident happened or not to take appropriate actions. In this study, focus on the latter issue and deal with Department of Computer Science And Engineering 1
  • 9. Achieving Flatness: Selecting the Honeywords from Existing User Passwords fake passwords or accounts as a simple and cost effective solution to detect compromise of passwords. Honeypot is one of the methods to identify occurrence of a password database breach. In this approach, the administrator purposely creates deceit user accounts to lure adversaries and detects a password disclosure, if any one of the honeypot passwords get used [6], [7]. This idea has been modified by Herley and Florencio [6] to protect online banking accounts from password brute-force attacks. According to the study, for each user incorrect login attempts with some passwords lead to honeypot accounts, i.e., malicious behavior is recognized. For instance, there are 108 possibilities for a eight-digit password and let system links 10,000 wrong password to honeypot accounts, so the adversary per- forming the brute- force attack 10,000 times more likely to hit a honeypot account than the genuine account. In this study, analyze the honeyword approach and give some remarks about the se- curity of the system. Furthermore, here point out that the key item for this method is the generation algorithm of the honeywords such that they shall be indistinguishable from the correct passwords. Therefore, here propose a new approach that uses passwords of other users in the system for honeyword sets, i.e., realistic honeywords are provided. Moreover, this technique also reduces the storage cost compared with the honeyword method in [2]. Department of Computer Science And Engineering 2
  • 10. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 2 2 Problem Identification The honeyword mechanism works simply as follows: For each user ui, the sweetword list Wi, is generated and is stored in the database. Here the storage requirement is very large because each user account is associated with multiple password hashes. And the effectiveness of the honeyword system directly depends on how Gen() flatness is provided and how it is close to human behaviour in choosing passwords. And also this honeyword method is affected by various security issues. In this study, analyse the honeyword ap- proach and give some remarks about the security of the system. Therefore, here propose a new approach that uses passwords of other users in the system for honeyword sets, i.e., realistic honeywords are provided. Moreover, this technique also reduces the storage cost compared with the honeyword method . Department of Computer Science And Engineering 3
  • 11. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 3 3 Literature Survey This chapter summarize the major works done in earlier times to generate the honey- words for each user accounts. Here categorize the honeyword generation methods into two groups. The first category consists of the legacy-UI (user interface) procedures and the second one includes modified-UI procedures whose password-change UI is modified to allow better password/honeyword generation. Take-a-tail method is given as an example of the second category. According to this approach a randomly selected tail is produced for the user to append this suffix to her entered password and the result becomes her new pass- word. For instance, let a user enter password games01, and then system let propose ’413’ as a tail. So the password of the user now becomes games01413. Although this method strengthens the password, but it is impractical some users even forget the passwords that they determined. Therefore in the remaining parts, the analysis that we conducted is limited with the legacy-UI procedures. In a legacy-UI method, the password-change procedure asks the user for the new pass- word (and perhaps asks her to type it again, for confirmation). The UI does not tell the user about the use of honeywords, nor interact with her to influence her password choice. Here discuss the four methods of honeyword generation [2]. • Chaffing-by-Tweaking • Chaffing-with-a-Password-Model • Chaffing with “Tough Nuts” • Hybrid Method Department of Computer Science And Engineering 4
  • 12. Achieving Flatness: Selecting the Honeywords from Existing User Passwords 3.1 Chaffing-by-Tweaking In chaffing the password p i is picked, and then the honeyword generation procedure Gen(k, p i ) or “chaff procedure” generates a set of k-1 additional distinct honeywords (“chaff”). Note that the honeywords may depend upon the password p i . The password and the honeywords are placed into a list W i , in random order. The value c(i) is set equal to the index of p i in this list. In the chaffing-by-tweaking, the user password seeds the generator algorithm which tweaks selected character positions of the real password to produce the honeywords. The honeywords are then obtained by tweaking the characters in the selected t positions: each character in a selected position is replaced by a randomly-chosen character of the same type: digits are replaced by digits, letters by letters, and special characters (anything other than a letter of a digit) by special characters. The success of chaffing depends on the quality of the Chaff generator ; the method fails if an adversary can easily distinguish the password from the honeywords. The positions to be tweaked should be chosen solely on the pattern of character types in the password, and not on the specific characters in the password, otherwise the password might be easily determined as the only sweetword capable of giving rise to the given list W i . Following some examples of chaffing by tweaking method. 3.1.1 Chaffing-by-tweaking-digits In this method choosing the last digit position and the last special character position. With “chaffing-by-tweaking-digits” the last t positions containing digits are chosen. (If there are less than t digits in the password, then positions with non-digits could also be selected as needed.) For example, by using the last technique for the password 42hungry and t=2, the honeywords 20hungry and 32hungry may be generated. Many users have the propensity to choose the numbers included in passwords related to a special date, e.g. birthday, an- niversary or an important historical event. For example 3.6 percent of the hacked Adobe Department of Computer Science And Engineering 5
  • 13. Achieving Flatness: Selecting the Honeywords from Existing User Passwords password hints are related to a date [8]. In the light of this fact, it is highly possible that such a password involves a digit sequence like 19xx, 20xx or xx where xx represents the last two digits of the date. For those passwords by applying the chaffing-by-tweaking-digits method, the date digits will be replaced with the randomly selected digits. Hence an ad- versary who has W i of a user u i may easily identify honeywords and recover the correct password. When examine publicly available leaked passwords hacked from RockYou web- site (approximately 32 million entries) [9], it observe that the passwords of the numerous users include such a pattern, e.g. junexxxx pattern is selected as a password by 1,244 users, where xxxx is a date and starts with 19 or 20. Another example should be the password alex1992 which is seen 47 times in the RockYou password list: Suppose the following honeywords are generated with t= 4 and k = 9 for this password. Note that the digits in the honeywords seem not relevant, but the correct password alex1992 makes sense for an adversary. alex6323 alex9058 alex1992 alex1270 alex0976 alex2785 alex5469 alex8147 alex9705 Many users prefer to append consecutive numbers to their password heads, like ’123’, ’1234’, due to the tendency of users to choose rememberable number patterns. By con- sidering the RockYou leaked password database, realize that about 0:8 percent of all user passwords—excluding the ones in the top 1,000—ends with ’123’ or ’1234’ and begins with letters at least one length. The vulnerability issued with the date patterns described above is also valid in those passwords, i.e., an adversary may distinguish the correct pass- word from the sweetwords by just investigating the end digit patterns. Indeed, the chaffing by tweaking method suffers from these types of passwords, because replacing characters of the same type randomly will give the same hint to an adversary in extracting the cor- rect password. Similar patterns and examples of user habits in digit selections can be ex- Department of Computer Science And Engineering 6
  • 14. Achieving Flatness: Selecting the Honeywords from Existing User Passwords tended. From a broader perspective, these examples show that users mostly do not choose the digits or letters in passwords randomly, so a randomly replacing technique like this model leads an adversary to make a natural selection. In particular, believe that deploying the “chaffing-by-tweaking” model, it is hard to fulfill aims of the honeyword scheme, i.e., all the adversary needs to do is to have a human sense. 3.2 Chaffing-with-a-Password-Model This method generates honeywords using a probabilistic model of real passwords; this model might be based on a given list L of thousands or millions of passwords and perhaps some other parameters. (Note that generating honeywords solely from a published list L as honeywords is not in general a good idea: such a list may also be available to the adversary, who could use it to help identify honeywords.). Unlike the previous chaffing methods, this method does not necessarily need the password in order to generate the honeywords, and it can generate honeywords of widely varying strength. It consists of mainly two methods 3.2.1 Modeling syntax In this scheme, the password is parsed into a sequence of tokens, each representing a dis- tinct syntactic element or a word, number, or set of special characters. For example, the password, mice3blind Might be decomposed into the token sequence W4—D1—W5, meaning a 4-letter word followed by a 1-digit number and then a 5-letter word. Honeywords are then generated by replacing tokens with randomly selected values that match the tokens. For example, the choice W4 gold, D1 5, W5 rings would yield the honeyword. gold5rings Department of Computer Science And Engineering 7
  • 15. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Replacements for word tokens are selected from a dictionary provided as input to the generation algorithm. 3.2.2 simplex model Simple model generates honeywords through a password list: First a password list L is built by combining numerous real passwords and random passwords of varying lengths. Then a random word is picked from the list with a length of d. Moreover, with a probability of 0.8 some honeywords are generated as ”tough nuts” which will be explained in the next part. honeyword characters are created by replacing characters of randomly selected words of L in a probabilistic manner Leaked password databases have shown that some passwords have a well-known pattern. For example all of the following passwords are involved in the list of 10,000 most common passwords [10]. bond007 007bond james007 007007 Considering the modeling syntax method, one can conclude that the honeyword sys- tem losses its effectiveness against such passwords, i.e., the correct password has become noticeably recognized by an adversary. In fact, this problem seems an inherent weakness of randomly replacement based honeyword methods. Since character groups or individ- ual characters are replaced by a picked character/characters, the content integrity of such passwords would be broken and the correct password becomes quite salient. 3.3 Chaffing with Tough Nuts In this method, the system intentionally injects some special honeywords, named as tough nuts, such that inverting hash values of those words is computationally infeasible, e.g. fixed length random bit strings should be set as the hash value of a honeyword. An illustrative ex- ample for a tough nut is given in [9] as ’9,50PEe[KV.0?RIOtcL-:IJ”b+Wol !*]! NWT/pb’. Department of Computer Science And Engineering 8
  • 16. Achieving Flatness: Selecting the Honeywords from Existing User Passwords It is stated that the number and positions of tough nuts are selected ran- domly. By means of this, it is expected that the adversary cannot seize whole sweetword set and some sweet- words will be blank for her, thereby deterring the adversary to realize her attack. In such a situation the adversary may pause before attempting login with cracked passwords. Tough nuts are recommended to be used together with other methods to render the ad- versary’s work more challenging and exhaust the attacker. Nevertheless, it has remained an open question, what is the optimal strategy for an adversary when tough nuts are ex- perienced. from this infer that “tough nuts” method is a double-edgedsword: Numerous unknowns in the password list may discourage an adversary to proceed mounting her at- tack. On the other hand, an adversary may suppose that most of the passwords made up of simple words and digit combinations, not a tough nut. Hence, it is reasonable for this adversary to conduct her classic attack with skipping tough nuts contrarily to authors’ ex- pectations. Note that for this attack strategy, entropy contributed by the honeywords is decreased, because the tough nuts are ignored by the adversary. 3.4 Chaffing with Hybrid Method It is possible to combine the benefits of different honeyword generation strategies by com- posing them into a “hybrid” scheme. Hybrid method is combining the strength of differ- ent honeyword generation methods, e.g. chaffing-with a password-model and chaffing- by-tweaking-digits. By using this technique, random password model will yield seeds for tweaking-digits to generate honeywords. For example let the correct password be ap- ple1903. Then the honeywords angel2562 and happy9137 should be produced as seeds to chaffing-by-tweaking-digits. For t = 3 and k = 4 for each seed, the sweetword table given below may be attained: Here is a simple hybrid scheme: • Use chaffing-with-a-password-model on user-supplied password p to generate a set of a ( 2) seed sweetwords W’, one of which is the password. Some seeds may be “tough nuts.” Department of Computer Science And Engineering 9
  • 17. Achieving Flatness: Selecting the Honeywords from Existing User Passwords • Apply chaffing-by-tweaking-digits to each seed sweetword in W’ to generate b (( 2) 2) tweaks (including the sweetword itself). This yields a full set W of k = a b sweetwords. • Randomly permute W. Let c(i) be the index of p such that p = w c (i), as usual. Because the hybrid method is legacy-UI, achieves excellent flatness under reasonable assumptions, and provides resistance to DoS attacks, it is recommended honeyword generation method. Department of Computer Science And Engineering 10
  • 18. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 4 4 Achieving Flatness: Selecting the Honeywords from Existing User Passwords In order to handle the defects of honeyword generation method, a new method of se- lecting the honeywords from existing user passwords are proposed. This for each account k-1 existing password indexes, which we call honeyindexes, are randomly assigned to a newly created account of u i , where k greter than or equal to 2. Moreover, a random index number is given to this account and hash of the correct password is kept with the correct index in a list. In another list u i is stored with an integer set which is consisted of the honeyindexes and the correct index. The tentative password indexes hamper an adversary to make a correct guess and she cannot be easily sure about which index is the correct one. It is equivalent to say that to create uncertainty about the correct password, propose to use indexes that map to valid passwords in the system. This involves different steps as follows. 4.1 Initialization First, T fake user accounts (honeypots) are created with their passwords. Also an index value between [1, N], but not used previously is assigned to each honeypot randomly. Then k-1 numbers are randomly selected from the index list and for each account a honeyindex set is built like X i =(xi,1,xi,2, . . . x,i,k) one of the elements in Xi is the correct index (sugarindex) as ci. Now, use two password files as F1 and F2 in the main server: F1 stores username and honeyindex set, (h u i, X i ) pairs as shown. Where h u i denotes a honeypot account. Here each entry has two elements. The first one is the username of the account and the second element is honeyindex set for the respective account. F2 keeps the index number and the corresponding hash of the password,(ci, H(pi) ), as depicted. Let SI Department of Computer Science And Engineering 11
  • 19. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Figure 1: Password File F1 for the proposed model. Figure 2: Password File F2 for the proposed model. denote the index column and SH represent the corresponding password hash column of F2 . Then the function f(ci) that gives password hash value in SH for the index value ci can be defined as: f (ci) = H(pi)SH less than ci, H(pi) greater than stored pair of ui and ci SI. 4.2 Registration After the initialization process, system is ready for user registration. In this phase, a legacy- UI is preferred, i.e., a username and password are required from the user as ui , pi to register the system. here use the honeyindex generator algorithm Gen(k,SI) ci ,Xi , which outputs ci as the correct index for ui and the honeyindexes Xi =(xi,1,xi,2, . . . x,i,k). Gen(k, SI )produces Xi by randomly selecting k- 1 numbers from SI and also randomly picking a number ci .SI. so ci becomes one of the elements of Xi . One can see the generator Department of Computer Science And Engineering 12
  • 20. Achieving Flatness: Selecting the Honeywords from Existing User Passwords algorithm Gen(k, SI) is different from the procedure described in the previous method, since it outputs an array of integers rather than a group of honeywords. Last, periodically honeyindexes of each account should be regenerated. Periodically honeyindexes of each account should be regenerated. As the number of users in the system increases to provide uniform distribution of honeyindexes across SI , fresh honeyindex set must involve numbers from this new larger list. Otherwise, passwords of newly created accounts would not be used as honeywords in the system and it may give a clue to the adversary to in guessing the correct password of these new accounts. Note that within a uniform distribution each password is assigned as a honeyword about k times, because there are N passwords but Nk honeywords are needed. 4.3 Honeychecker The system may utilize an auxiliary secure server called the honeychecker” to assist with the use of the honeywords. Since we are assuming that the computer system is vulnerable to having the file F of password hashes stolen, one must also assume that salts and other hashing parameters can also be stolen. Thus, there is likely no place on the computer system where one can safely store additional secret information with which to defeat the adversary. The honeychecker is thus a separate hardened computer system where such secret information can be stored. assume that the computer system can com- municate with the honeychecker when a login attempt is made on the computer system or when a user changes her pass word. Assume that this communication is over dedicated lines and/or encrypted and authenticated. The honeychecker should have extensive in- strumentation to detect anomalies of various sorts. The auxiliary service honeychecker is employed to store correct indexes for each account and assume that it communicates with the main server through a secure channel in an authenticated manner. The role and primary process of the honeychecker is ensure security. It is a hardened computer system where such secret Department of Computer Science And Engineering 13
  • 21. Achieving Flatness: Selecting the Honeywords from Existing User Passwords information can be stored. , except that ( i, c i )pair is replaced with ( u i , c i )pair in our case. The honeychecker executes two commands sent by the main server: Set: c i ,u i Sets correct password index c i for the user u i Check: u i , j Checks whether u i for u i is equal to given j Returns the result and if equality does not hold, notifies system a honeyword situation. Depending on the policy chosen, the honeychecker may or may not reply to the com- puter system when a login is attempted. When it detects that something is a miss with the login attempt, it could signal to the computer system that login should be denied. On the other hand it may merely signal a silent alarm to an administrator, and let the login on the computer system proceed. In the latter case, call the honeychecker a login monitor rather than a honeychecker. 4.4 Login process System first checks whether entered password, g, is correct for the corresponding user- name u i .To accomplish this, first the Xi of the corresponding u i is attained from the F1 file. Then, the hash values stored in F2 file for the respective indices in Xi are compared with H(g) to find a match. If a match is not obtained, then it means that g is neither the correct password, nor one of the honeywords, i.e., login fails. On the other hand, if H(g) is found in the list, then the main server checks whether the account is a honeypot. If it is a honeypot, then it follows a predefined security policy against the password disclosure scenario. Honeychecker controls whether j= c i and returns the result to the main server. At the same time, if it is not equal, then it assured that the proffered password is a honeyword and adequate actions should be taken depending on the policy. Department of Computer Science And Engineering 14
  • 22. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 5 5 Security Analysis Here discuss the security of the proposed model against some possible attack scenarios. Suppose that the adversary can invert most or many of the password hashes in file F2. It leads to the Introduction of a DoS attack sensitivity. In which an adversary deliberately tries to login with honeywords to trigger a false alarm. Hence, the suggested policies given below mostly focuses on minimizing the DoS vulnerabilities. • When a user logins with a wrong password , If this wrong password is the password of another account in the system and the same user hits this situation more than once the system should turn on additional logging of the user’s activities to detect a possible DoS attack and to attribute the adversary, besides the incorrect login attempt case proceeds as usual. • If a password, whose hash value is in the SH of the F2, is entered in wrong login attempts for more than once, the system should take actions against a possible DoS alarm. • In order to increase the number of unique passwords in the system, i.e., reduce common passwords, users should be forced to adhere to a password-composition policy like basic8 (eight or more characters), in the password creation .The main reason behind this item is to minimize the number of common passwords in the system. • A username should not be correlated with its password. • To avoid occurrence of a high number of common passwords in the system. 5.1 DoS Attack Under this attack scenario the adversary does not have the password files and their contents. Her main purpose is to trigger a false alarm and to raise a honeyword alarm situation, i.e., Department of Computer Science And Engineering 15
  • 23. Achieving Flatness: Selecting the Honeywords from Existing User Passwords depending on the policy some or all parts of the system may be out of service or disabled unnecessarily. Suppose that the adversary has knowledge m +1 username and respective passwords in the system. Method for attacking the system is creating m accounts with the same password as pz, while a single account, u y , has different password like py and entering the system with the username uy and the password pz. If pz is assigned by the system as a honeyword, then the adversary mounts a DoS attack by entering with the system ( u y , p z ) pair LetP r(p z W y ) the probability that P z is assigned as one of the honeywords for u y it is also the success probability of the adversary for this attack. Since there are N-m passwords different from p 1 z and k honeywords are assigned to each account. When a password in the system is entered incorrectly by the same username or different usernames for more than once, the system suspects about a DoS attack and a DoS alarm should be triggered depending on the next activities of the user. Hence, the adversary cannot increase her chance by making more trials for the same known password p z without being noticed by the system. 5.2 Password Guessing In this attack, assume that the adversary has plundered password files F1 and F2 from the main server and also obtained plaintext passwords by inverting the hash values. Extracted F2 file (after inverting hashes) gives ( indexnumber; password ) pairs to the adversary, but they are not directly connected to a specific username. By just analyzing this, she cannot exactly determine which password belongs to which user. If the adversary randomly picks an account from the list in F1 and then tries to login with a guessed password, then her suc- cess will depend on: First, the selected account is not a honeypot account. Second guessing the correct password pi out of k sweetwords. Otherwise, the adversary will be caught by the system due to a honeyword or a honeyspot. Let Pr(success) represent the probability that the adversary makes a correct guess for a randomly picked username. Below, express Department of Computer Science And Engineering 16
  • 24. Achieving Flatness: Selecting the Honeywords from Existing User Passwords the probability that the adversary, who makes random trials, is not detected by the system, suppose the number of honeypots in the system is T: equation given as The attacker picks password pi with 5 percent probability. Conversely, the adversary will caught by the system in password guessing attack with a chance of 95 percent, as long as the password does not carry any information about the username. 5.3 Brute-Force Attack A honeypot account is attempted then system follows a strong policy e.g. demanding all users to renew their passwords. From binomial distribution the probability that the adver- sary hits at least one honeypot in her trials is P r(hit greter than 1) = 1 - (N - T /N ). Even in this case our approach provides resistance against such an attack, because for T =1000, N =1000000 values this probability tends to 0:5. It is equivalent to say that in brute-force guess attack, it is likely that the adversary hits a honeypot and system detects the password disclosure situation. 5.4 Same User in Multiple Systems The attack scenarios such that a user reuse passwords on two different systems as A and B are investigated. In [2], the attack scenarios such that a user reuse passwords on two different systems as A and B are investigated. For example suppose A uses honeywords and B has prevalent password storage techniques and a target user ui shares her password across these two systems. In this case, if an adversary compromises B, it is apparent that honeywords assigned for this user in A contributes nothing at all. Conversely, if the adver- sary pilfers passwords from A, she can try all sweetwords of the common user u i in A to verify which is the correct password by submitting to B. If a honeyword is entered to B, it results in an incorrect password screen, while the adversary successfully logins in case of the correct password. Department of Computer Science And Engineering 17
  • 25. Achieving Flatness: Selecting the Honeywords from Existing User Passwords This model is also vulnerable these scenarios: Indeed, if the password is not same but cor- related for a user in two distinct domains, then first scenario may be still valid. For example a user has password bond007 in B which does not use honeywords. On the other side same user has password james007 in domain A which assigns honeywords to these user. Then it is highly possible that an adversary extracts the correct password from the sweetwords, if she has knowledge of bond007. So, both of the original method and our approach cannot provide resistance against such conditions, as long as users select same or highly correlated passwords in different domains. Department of Computer Science And Engineering 18
  • 26. Achieving Flatness: Selecting the Honeywords from Existing User Passwords Chapter 6 6 Comparison of Password Generation Models In this section, detail a comparison of the generation methods including the new model with respect to storage cost, DoS resistance and flatness of each algorithm. In a tradi- tional password based system with a number of N users, an adversary may have at most N user/password pairs through a cracking process. Suppose that all cryptographic efforts in recovering a plain text word from the respective hash string stored in password hash file is represented as a single hash inversion operation. Then, by considering the traditional sys- tem, for each user the attacker has to perform one hash inversion operation, while for the whole system N operations must be executed. According to the Juels and Rivest’s method [2] she needs to launch k operations for a specific user and kN operations for the whole space, since for each user k sweetwords are assigned. Thus, one can see that the adversary has to spend k times more effort for each case in this method. Now, archiving flatness, if the attacker focuses on a specific user, she must still try k hash inversions to reveal all possible passwords for this target user. However, since each honeyword is indeed password of another user, revealing all passwords in the system requires N operations as in the case of the traditional system. Therefore, taking the total password-cracking cost of the adver- sary for the whole system into account, thus say that Juels and Rivest’s model requires higher effort for an attacker in retrieving plaintext passwords. Notice that, this feature of our model at worst reduces total hash inversion work to it was at the traditional model. This paper discusses what can be done in terms of detecting the password disclosure, when the whole plain text forms of the passwords are available to an adversary, rather than dealing with making the adversary’s work harder in getting plain text passwords. Department of Computer Science And Engineering 19
  • 27. Achieving Flatness: Selecting the Honeywords from Existing User Passwords 6.1 Storage Cost A typical password file system requires hN plus storage for usernames, where N stands for the number of users in the system and h denotes length of password hash in bytes. On the other hand this is khN for , where k denotes the number of the sweetwords assigned to each account. Notice that here ignored the storage cost stemmed from usernames, since it is not changed after adaptation of the honeywords what can be done in terms of detecting the password disclosure, when the whole plaintext forms of the passwords are available to an adversary. For this approach assume that each index requires 4 bytes and the storage cost becomes, 4kN + hN + 4N. To measure the gain in storage compared to original method, give the ratio as: (4kN + hN + 4N)/khN 6.2 DoS Resistance Probability of a common password is assigned as a honeyword for a specific user will be negligibly low.use of real passwords as honeywords does not cause a DoS weakness. This proposed scheme uses password list in the system as honeywords of a user. However as the adaptation of a strong password composition policy likely prevents occurrence of com- mon passwords in high numbers, i.e., probability of a common password is assigned as a honeyword for a specific user will be negligibly low. Although, an adversary may hit a real password using a common password in the system, it is not necessarily a honeyword for the corresponding account. Thus, use of real passwords as honeywords does not cause a DoS weakness. Last but not least issue is that in achiving flatness in addition to honeywords, honeypots are employed to detect a password disclosure. This facilitates showing a strong response to actions of an adversary, because entering a honeypot account with one of its Department of Computer Science And Engineering 20
  • 28. Achieving Flatness: Selecting the Honeywords from Existing User Passwords sweetwords ensures occurrence of a password leakage. 6.3 Flatness For the proposed model as described previously passwords of other users become honey- words for a user. Hence, this model satisfies perfect flatness as long as the correct password is not correlated with username as pointed in previously. And investigation of a target user profile (age, gender, religion etc.) gives no advantage to an adversary in password guess- ing. Comparing our method with the simple model, one can see that our method is better than the latter in terms of flatness: The honeywords in the former carry all characteristics of the real passwords in the same system, while the simple model generates honeywords artificially despite using real passwords of different list. For example, it is well known that users choose segregate their passwords for more- secure and low-secure sites , it is presented that reuse rate of weaker passwords is higher than those of stronger passwords, since the stronger ones are usually created for higher- security sites e.g. banking accounts. Consequently, a password list from a lower-security site password list which is used in the simple model for a higher-security site may not be natural. 6.4 Usability In this part, compare the proposed approach with the simple model in terms of practicality and ease of use. By considering the simple model whose password list is constructed with composition of numerous real passwords and randomly generated passwords, one can argue about how the real password source is provided. If the same resource of real passwords is used in different sites, similar inherited weaknesses related to honeyword generation may be observed. Nonetheless, if use of publicly available password lists is forbidden , then it will not be easy to get required large number of real passwords. Conversely, proposed approach does not need to use an external real password resource in honeyword generation. Department of Computer Science And Engineering 21
  • 29. Achieving Flatness: Selecting the Honeywords from Existing User Passwords 7 Conclusion In conclusion, In this study, analyzed the security of the honeyword system and ad- dressed a number of flaws that need to be handled before successful realization of the scheme. In this respect, point out the strength of the honeyword system directly depends on the generation algorithm, i.e., flatness of the generator algorithm determines the chance of distinguishing the correct password out of respective sweetwords. Another point that would like to stress is that defined reaction policies in case of a honeyword entrance can be exploited by an adversary to realize a DoS attack. This will be a serious threat if the chance of an adversary in hitting a honey-word given the respective password is not negligible. To combat such a problem, also known as DoS resistance, low probability of such an event must be guaranteed. This can be achieved by employing unpredictable honeywords or altering system policy to minimize this risk. Hence, noted that the security policy should strike a balance between DoS vulnerability and effectiveness of honeywords This model satisfies perfect flatness as long as the correct password is not correlated with username as pointed in previously. The honeywords in the former carry all char- acteristics of the real passwords in the same system, while the simple model generates honeywords artificially despite using real passwords of different list. If the same resource of real passwords is used in different sites, similar inherited weaknesses related to honey- word generation may be observed. proposed approach does not need to use an external real password resource in honeyword generation, rather it just feeds itself. From the anal- ysis the proposed method will claim that this approach is simpler and more practical for implementation. Department of Computer Science And Engineering 22
  • 30. References [1] Erguler, ” Achieving Flatness : Selecting the Honeywords from Existing User Pass- words ,” in Proc. IEEE Transactions on Dependable And Secure Computing , 2016, Vol. 13, No. 2. [2] A. Juels and R. L. Rivest, “Honeywords: Making password cracking detectable,” in Proc. ACM SIGSAC Conf. Computer Communication. Security, 2013, pp. 145–160. Comput. Linguistics. , vol. 35, no. 3, pp. 399-433, 2009.Department of Computer Sci- ence, University of Arizona: Tucson, AZ, USA, 1994. [3] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss resistant pass- word management,” in Proc. 15th Eur. Conf. Res. Computer Security, 2010, pp. 286–302. [4] F. Cohen, “The use of deception techniques: Honeypots and decoys,” Handbook In- form. Security, vol. 3, pp. 646–655, 2006. 23