The Impact of Exposed Passwords on Honeyword Efficacy

by Zonghao Huang, et al.

Honeywords are decoy passwords that can be added to a credential database; if a login attempt uses a honeyword, this indicates that the site's credential database has been leaked. In this paper we explore the basic requirements for honeywords to be effective, in a threat model where the attacker knows passwords for the same users at other sites. First, we show that for user-chosen (vs. algorithmically generated, i.e., by a password manager) passwords, existing honeyword-generation algorithms largely fail to achieve reasonable tradeoffs between false positives and false negatives in this threat model. Second, we show that for users leveraging algorithmically generated passwords, state-of-the-art methods for honeyword generation will produce honeywords that are not sufficiently deceptive, yielding many false negatives. Instead, we find that only a honeyword-generation algorithm that uses the same password generator as the user can provide deceptive honeywords in this case. However, when the defender's ability to infer the generator from the (one) account password is less accurate than the attacker's ability to infer the generator from potentially many, this deception can again wane. Taken together, our results provide a cautionary note for the state of honeyword research and pose new challenges to the field.
