Wearenotsurewhetherthisapproachisnew;wehavenotseenanyliteraturedescrib - PDF document

Wearenotsurewhetherthisapproachisnew;wehavenotseenanyliteraturedescribingpreciselythesamepro-posal.(Letusknowifyouhave!)Perhapstheclosestrelatedworkwe'reawareofistheKamou agesystemofBojinovetal.[6].SeeSection8forfurtherdetails.Tothebestofourbelief,theterm\honeyword"rstap-pearedinthatwork.Alsocloselyrelatedtoourproposalistheanecdotallyreportedpracticeofplacingwhole,bo-guspasswordles(\honeyles")onsystemsandwatchingforsubmissionofanypasswordtheycontainassignallinganintrusion.Inanycase,ourhopeisthatthisnotewillhelptoencouragetheuseofhoneywords.2TechnicalDescription2.1ContextWeassumeacomputersystemwithnusersu1;u2;:::;un;hereuiistheusernamefortheithuser.By\computersystem"(orjust\system"forshort)wemeananysystemthatallowsauserto\login"aftershehasprovidedausernameandapassword;thisincludesmulti-usercom-putersystems,websites,smartphones,applications,etc.Weletpidenotethepasswordforuserui.Thisisthecorrect,legitimate,password;itiswhatuseruiusestologintothesystem.Incurrentpractice,thesystemusesacryptographichashfunctionHandstoreshashesofpasswordsratherthanrawpasswords.Thatis,thesystemmaintainsaleFlistingusername/password-hashpairsoftheform(ui;H(pi))fori=1;2;:::;n.OnUnixsystemstheleFmightbe/etc/passwdor/etc/shadow.ThesystemstorespasswordhashesratherthanrawpasswordssothatanadversarywithaccesstoFdoesnotndoutthepasswordsdirectly;hemustinvertthehashfunction(computepifromH(pi))tondoutthepasswordforuserui(seeEvansetal.[1]andPurdy[33]).ThecomputationofthehashfunctionHmay(should!)involvetheuseofsystem-specicoruser-specicparame-ters(\salts");thesedetailsdon'tmattertoushere.Whenauserattemptstologin,theleFischeckedforthepres-enceofthehashoftheproeredpasswordintheuser'sentry(seeMorrisandThompson[26]).2.2AttackscenariosTherearemanyattackscenariosrelatingtopasswords,includingthefollowingsix:Stolenlesofpasswordhashes:Anadversaryissomehowabletostealtheleofpasswordhashes,andsolveformanypasswordsusingoinebrute-forcecomputation.Hemaymoregenerallybeabletostealthepasswordhashlesonmanysystems,orononesystematvarioustimes.Easilyguessablepasswords:Asubstantialfrac-tionofuserschoosepasswordssopoorlythatanad-versarycansuccessfullyimpersonateatleastsomeusersofasystembyattemptingloginswithcom-monpasswords.(SeeBonneau[7,8].)Schecteretal.[36]suggestghtingthisthreatbyrequiringuserstouseuncommonpasswords.Visiblepasswords:Auser'spasswordiscom-promisedwhenanadversaryviewsitbeingentered(shoulder-surng),oranadversaryseesitonayel-lowstickieonamonitor.Aone-timepasswordgen-erator3suchasRSA'sSecurIDtokenprovidesgoodprotectionagainstthisthreat.Samepasswordformanysystemsorservices:Ausermayusethesamepasswordonmanysystems,sothatifhispasswordisbrokenononesystem,itisalsotherebybrokenonothers.Passwordsstolenfromusers:Anadversarymaylearnuserpasswordsbycompromisingendpointde-vices,suchasphonesorlaptops,usingmalwareorbyperpetratingphishingattacksagainstusers.Passwordchangecompromised:Themecha-nismforallowinguserstochangeorrecovertheirpasswordsisdefectiveorcompromised,soanadver-sarycanlearnauser'spassword,orsetittoaknownvalue.Wefocusontherstattackscenariowhereanadver-saryhasobtainedacopyoftheleFofusernamesandassociatedhashedpasswords,andhasobtainedthevaluesofthesaltorotherparametersrequiredtocomputethehashfunctionH.Inthisscenario,theadversarycanperformabrute-forcesearchovershortorlikelypasswords,hashingeachone(withsaltingifnecessary)untiltheadversarydeter-minesthepasswordsforoneormoreusers.(Seeforex-ampleWeiretal.[40].)Assumingthatpasswordsarethe 3http://en.wikipedia.org/wiki/One-time_password2 onlyauthenticationmechanisminplace,theadversarycanthenlogintotheaccountsofthoseusersinareliableandundetectedmanner.Inthispaper,weassumethattheadversarycaninvertmostormanyofthepasswordhashesinF.Weassumethattheadversarydoesnotcompromisethesystemonapersistentbasis,directlyobservingandcap-turingnewlycreatedpasswordsandhoneywords.(Cer-tainly,theadversaryrisksdetectionthersttimehetrieslogginginusingacrackedpassword,sincehemaybeus-ingahoneyword;afterthat,theabilityofthesystemtodetectfurtherattemptstologinusingcrackedpasswordsmaybecompromisediftheadversaryisabletomodifytheloginroutineanditschecks,orthepassword-changeroutine.)Althoughourmethodsaredirectedtotherstattackscenario,someofourapproaches(e.g.,thetake-a-tailmethod)alsohavebenecialeectsonpasswordstrength,thushelpingtodefeattheotherattacksaswell.2.3HoneycheckerWeassumethatthesystemmayutilizeanauxiliarysecureservercalledthe\honeychecker"toassistwiththeuseofthehoneywords.Sinceweareassumingthatthecomputersystemisvul-nerabletohavingtheleFofpasswordhashesstolen,onemustalsoassumethatsaltsandotherhashingparameterscanalsobestolen.Thus,thereislikelynoplaceonthecomputersystemwhereonecansafelystoreadditionalsecretinformationwithwhichtodefeattheadversary.Thehoneycheckeristhusaseparatehardenedcom-putersystemwheresuchsecretinformationcanbestored.Weassumethatthecomputersystemcancommunicatewiththehoneycheckerwhenaloginattemptismadeonthecomputersystem,orwhenauserchangesherpass-word.Weassumethatthiscommunicationisoverded-icatedlinesand/orencryptedandauthenticated.Thehoneycheckershouldhaveextensiveinstrumentationtodetectanomaliesofvarioussorts.Wealsoassumethatthehoneycheckeriscapableofraisinganalarmwhenanirregularityisdetected.Thealarmsignalmaybesenttoanadministratororotherpartydierentthanthecomputersystemitself.Dependingonthepolicychosen,thehoneycheckermayormaynotreplytothecomputersystemwhenaloginisattempted.Whenitdetectsthatsomethingisamisswiththeloginattempt,itcouldsignaltothecomputersystemthatloginshouldbedenied.Ontheotherhanditmaymerelysignala\silentalarm"toanadministrator,andlettheloginonthecomputersystemproceed.Inthelattercase,wecouldperhapscallthehoneycheckera\loginmonitor"ratherthana\honeychecker."Ourhoneycheckermaintainsasingledatabasevaluec(i)foreachuserui;thevaluesaresmallintegersintherange1tok,forsomesmallintegerparameterk(e.g.k=20).Thehoneycheckeracceptscommandsofexactlytwotypes:Set:i,jSetsc(i)tohavevaluej.Check:i,jChecksthatc(i)=j.Mayreturnresultofchecktorequestingcomputersystem.Mayraiseanalarmifcheckfails.Designprinciples.Thecomputersystemandhoney-checkertogetherprovideabasicformofdistributedsecu-rity.Adistributedsecuritysystemaimstoprotectsecretsevenwhenanadversarycompromisessomeofitssystemsorsoftware.Diversifyingtheresourcesinthesystem|forexample,placingthecomputersystemandhoneycheckerinseparateadministrativedomainsorrunningtheirsoft-wareondierentoperatingsystems|makesithardertocompromisethesystemasawhole.Wehavedesignedtheprotocolsothatcompromiseofthehoneycheckerdatabasebyitselfdoesnotallowanad-versarytoimpersonateauser.Infact,thehoneycheckeronlystoresrandomlyselectedintegers(theindexc(i)foreachui).Indeed,oneofourdesignprinciplesisthatcompromise(i.e.disclosure)ofthehoneycheckerdatabaseatworstonlyreducessecuritytothelevelitwasatbeforetheintro-ductionofhoneywordsandthehoneychecker.DisclosureoftheleFthenmeansthatanadversarywillnownolongerbefooledbythepresenceofthehoneywords;hewilljustneedtocracktheusers'actualpasswords,sincehenowknowswhichhashvaluesarefortherealpass-words,andwhichhashvaluesareforthehoneywords.AswediscussinSection8,otherdistributedap-proachestopasswordprotectionarepossible.Distributedcryptographicprotocolsforinstancecanpreventdisclo-sureofpasswordsandevenpasswordhashescompletelyagainstcompromiseofthecomputersystem.Unlikesuchschemes,though,honeywordscanbeincorporatedintoexistingpasswordsystemswithfewsystemchangesandlittleoverheadincomputationandcommunication.Wealsodesignthehoneycheckerinterfacetobeex-tremelysimple,sothatbuildingahardenedhoneycheckershouldberealistic.Importantly,thehoneycheckerneed3 Iftheadversaryhasenteredoneoftheuser'shoney-words,obtainedforexamplebybrute-forcingthepass-wordleF,thenanappropriateactiontakesplace(de-terminedbypolicy),suchassettingoanalarmornotifyingasystemadminis-trator,lettingloginproceedasusual,lettingtheloginproceed,butonahoneypotsystem,tracingthesourceofthelogincarefully,turningonadditionalloggingoftheuser'sactivities,shuttingdownthatuser'saccountuntiltheuseres-tablishesanewpassword(e.g.bymeetingwiththesysadmin),shuttingdownthecomputersystemandrequiringalluserstoestablishnewpasswords.Howdoestheloginroutinedeterminewhetherg=pi(thatis,thatthegivenwordisthepassword)?IfthehashH(g)ofgdoesnotoccurintheleFintheuserui'sentryHi,thenwordgisneithertheuser'spasswordnoroneoftheuser'shoneywords,sologinisdenied.Otherwisetheloginroutineneedstodeterminewhethergistheuser'spassword,oritismerelyoneoftheuser'shoneywords.TheloginroutinecandeterminetheindexjsuchthatH(g)=vi;j,buttheloginroutinedoesn'tknowwhetherj=c(i),inwhichcasegisindeedthepassword,ornot,inwhichcasegisjustahoneyword.Thetablecismaintainedsecurelyintheseparatese-cure\honeychecker"serverdescribedinSection2.3.Thecomputersystemsendsthehoneycheckeramessageoftheform:Check:i,jmeaning:\Someonehasrequestedtologinasuseruiandhassuppliedsweetwordj(thatis,wi;j)inresponsetotheloginpasswordprompt.Pleasedetermineifj=c(i),andtaketheappropriateactionaccordingtopolicy."Thehoneycheckerdetermineswhetherj=c(i);ifnot,analarmisraisedandotheractionsmaybetaken.Thehoneycheckermay(ormaynot,dependingonpolicy)thenrespondwitha(signed)messageindicatingwhetherloginshouldbeallowed.Itmaybedesirablefora\Check"messagetobesenttothehoneychecker,evenwhentheproeredpasswordgisnotonthelistWiofsweetwords;inthiscasethecheckmessagecouldspecifyj=0.Inthisvariantthehoney-checkerisnotiedofeveryloginattempt,andcanobservewhenapasswordguessingattackisinprogress.Itmightalsobedesirablefora\Check"messagetoincludeadditionalinformationthatmightbeforensicallyuseful,suchastheIPaddressoftheuserwhoattemptedtologin.Wedon'tpursuesuchideasfurtherhere.Manysystemssuspendanaccountif(say)veormoreunsuccessfulloginattemptsaremade.Withourap-proach,thislimitislikelytobereachedevenifthead-versaryhasaccesstoWi:Thechancethattheuser'spassworddoesnotappearintherstveelementsofarandomorderingofalistWioflength20containingtheuser'spasswordisexactly75%.However,whenfailedat-temptsaremadewithhoneywordsratherthanarbitrarynon-sweetwords,areducedlimitmaybeappropriatebe-forelockoutoccursand/oradditionalinvestigationsareundertaken.2.6Approach{ChangeofpasswordWhenuseruichangesherpassword,orsetsitupwhenheraccountisrstinitialized,thesystemneedsto:useprocedureGen(k)toobtainanewlistWiofksweetwords,thelistHioftheirhashes,andthevaluec(i)oftheindexofthecorrectpasswordpiinWi.securelynotifythehoneycheckerofthenewvalueofc(i),andupdatetheuser'sentryintheleFto(ui;Hi).Weemphasizethatthehoneycheckerdoesnotlearnthenewpasswordoranyofthenewhoneywords.Allitlearnsisthepositionc(i)ofthehashvi;c(i)ofuserui'snewpasswordintheuser'slistHiinF.Toaccomplishthis,thecomputersystemsendsthehoneycheckeramessageoftheform:Set:i,jmeaning:\Useruihaschangedorinitializedherpass-word;thenewvalueofc(i)isnowj."(Thismessageshouldofcoursebeauthenticatedbythesystemtothehoneychecker.)3SecuritydenitionsWedenethesecurityofahoneywordgenerationalgo-rithmGen,usinganadversarialgame,analgorithmorthoughtexperimentthatmodelsthecapabilitiesoftheadversary.5 askshertotypeitagain,forconrmation).TheUIdoesnottelltheuserabouttheuseofhoneywords,norinteractwithhertoin uenceherpasswordchoice.Aniceaspectoflegacy-UImethodsisthatonecanchangethehoneywordgenerationprocedurewithoutneedingtonotifyanyoneortochangetheUI.Westartwithapasswordpisuppliedbyuserui.Thesystemthengeneratesasetofk�1honeywords\similarinstyle"tothepasswordpi,oratleastplausibleaslegitimatepasswords,sothatanadversarywillhavedicultyinidentifyingpiinthelistWiofallsweetwordsforuserui.Chang:Thepasswordpiispicked,andthenthehoneywordgenerationprocedureGen(k;pi)or\chaprocedure"generatesasetofk�1additionaldistincthoneywords(\cha").Notethatthehoney-wordsmaydependuponthepasswordpi.Thepass-wordandthehoneywordsareplacedintoalistWi,inrandomorder.Thevaluec(i)issetequaltotheindexofpiinthislist.Thesuccessofchangdependsonthequalityofthechagenerator;themethodfailsifanadversarycaneasilydistinguishthepasswordfromthehoneywords.Weproposetwobasicmethodsforchang(andonemethodforembellishingcha).Theyaresomewhatheuristic;thechangapproachingeneraloersnoprov-ableguaranteethatthehoneywordgenerationprocedureGenis at|particularlyiftheuserchoosesherpasswordinarecognizablemanner.Wenote(butdonotdiscussfurther)theobviousfactthatiftherearesyntaxorotherrestrictionsonwhatisallowedasapassword(seeSection6.1),thenhoneywordsshouldalsosatisfythesamerestrictions.4.1.1ChangbytweakingOurrstmethodisto\tweak"selectedcharacterposi-tionsofthepasswordtoobtainthehoneywords.Lettdenotethedesirednumberofpositionstotweak(suchast=2ort=3).Forexample,with\chang-by-tail-tweaking"thelasttpositionsofthepasswordarechosen.Thehoneywordsarethenobtainedbytweakingthecharactersintheselectedtpositions:eachcharacterinaselectedpositionisreplacedbyarandomly-chosencharac-terofthesametype:digitsarereplacedbydigits,lettersbyletters,andspecialcharacters(anythingotherthanaletterofadigit)byspecialcharacters.Forexample,iftheuser-suppliedpasswordis\BG+7y45",thenthelistWimightbe(fortail-tweakingwitht=3andk=4):BG+7q03;BG+7m55;BG+7y45;BG+7o92:Wecallthepassword-tailthe\sugar",whilethehon-eywordtailswecall\honey"(ofcourse).Othertweakingpatternscouldalsobeused,suchaschoosingthelastdigitpositionandthelastspecial-characterposition.With\chang-by-tweaking-digits"thelasttpositionscontainingdigitsarechosen.(Iftherearelessthantdigitsinthepassword,thenpositionswithnon-digitscouldalsobeselectedasneeded.)Hereisanexampleofchang-by-tweaking-digitsfort=2:42*flavors;57*flavors;18*flavors(1)Chang-by-tweaking-digitsistypicalofthe\tweaks"usersoftenusetoderivenewpasswordsfromoldones;seeZhangetal.[42]forextendeddiscussionofpasswordtweaksandamodeloftweaksusedbyusersinpracticetochangetheirpasswords.Thepositionstobetweakedshouldbechosensolelyonthepatternofcharactertypesinthepassword,andnotonthespeciccharactersinthepassword,otherwisethepasswordmightbeeasilydeterminedastheonlysweet-wordcapableofgivingrisetothegivenlistWi.Forchang-by-tail-tweakingweconsidereachwordwijtoconsistofaheadhijfollowedbyat-charactertailtij.Forexample,\Hungry3741"hashead\Hungry3"andtail\741".Thevalueoftneednotbethesameforallusers.Theredoesnotneedtobeanyseparatingcharacterbe-tweentheheadandthetail;theparsingofapasswordintopassword-headandpassword-tailneednotbeobvious.Iftheuserpicksthelastthreecharactersofherpasswordrandomly,thentail-tweakingisimpossibletoreverse-engineer|anadversarycannottellthepasswordfromitstweakedversions,asalltailsarerandom.Other-wise,anadversarymaybeabletotellthepasswordfromthehoneywords:inthefollowinglist,whichisthelikelypassword?57*flavors;57*flavrbn;57*flavctz(2)Thetake-a-tailmethodofthenextsectionxestheproblemofpoorly-chosenpasswordtailsbyrequiringnewpasswordstohavesystem-chosenrandompasswordtails.Chang-by-tweakingworksprettywellasalegacy-UIhoneywordgenerationmethod:itdoesn'trequireuserstofollowanypasswordsyntaxrequirements,otherthanhavingenoughcharactersinthepassword.7 possiblyamongthem.Forexample,whatshouldthead-versarydowiththefollowinglist?gt79,tom@yahoo, ? ,g*7rn45,rabid/30frogs!, ? Havingsome\toughnuts"amongthehoneywordsmightgivetheadversaryadditionalreasontopausebeforediv-inginandtryingtologinwithoneofthecrackedones.Toensurethattheadversarycannottellwhetherthepassworditselfliesamongthesetof\toughnuts,"boththepositionsandthenumberof\toughnuts"addedashoneywordsshouldberandom.4.2Modied-UIpasswordchangesWenowproposeanothermethod,\take-a-tail,"whichuti-lizesamodiedUIforpassword-changes;thepassword-changeUIisjustaslightvariantofthestandardone.Thetake-a-tailmethodisidenticaltothechang-by-tail-tweakingmethod,exceptthatthetailofthenewpasswordisnowrandomlychosenbythesystem,andre-quiredintheuser-enterednewpassword.Thatis,thepassword-changeUIischangedfrom:Enteranewpassword:tosomethinglike:Proposeapassword:Append`413'tomakeyournewpassword.Enteryournewpassword:Thus,iftheuserproposes\RedEye2,"hisnewpasswordis\RedEye2413."ThisisaverysimplechangetotheUI,andshouldn'trequireanyusertraining.Therequiredtail(\413"inthisexample)israndomlyandfreshlygen-eratedforeachpasswordchangesession.Itcouldevenbebychancethesameasthetailoftheuser'spreviouspassword.(Theloginroutinewillnormallypreventtheuserfromtryingtousehisoldpasswordashisnewpass-word;thesystemmightgenerateanew,dierenttailinthiscase.)Oncethepasswordhasbeendetermined,thesystemcangeneratehoneywordsinsamemanneraschang-by-tail-tweaking.Withtake-a-tailtheheadofthepasswordischosenbytheuser,thusincreasingmemorability,whilethepass-wordtailispickedrandomlytoensurethatthepasswordandhoneywordgenerationprocedureisperfectly at.Ausermighttrytoresetherpasswordrepeatedlytoobtainapreferredtail,underminingthepropertyof at-ness.Mostsystems,however,prohibitfrequentpasswordchanges(topreventusersfromcyclingthroughpasswordsandthusbypassingpoliciesonold-passwordreuse).4.3ComparisonofmethodsOurproposedmethodsforgeneratinghoneywordshavevariousbenetsanddrawbacks,asshowninTable4.3.ThehybridmethodisdescribedinSection5.5.5VariationsandExtensionsWenowconsiderafewotherwaysofgeneratinghoney-wordsandsomepracticaldeploymentconsiderations.5.1\Randompick"honeywordgener-ationWenowpresentamodied-UIprocedurethatisperfectly at.Atahighlevel,agoodwayofgeneratingapass-wordandhoneywordsistorstgeneratethelistWiofkdistinctsweetwordsinsomearbitrarymanner(whichmayinvolveinteractionwiththeuser)andthenpickanelementofthislistuniformlyatrandomtobethenewpassword;theotherelementsbecomehoneywords.Asanexampleofuserinvolvement,wemightjustasktheuserforkpotentialpasswords.Thevaluec(i)issetequaltotheindexof(randomlychosen)passwordpiinthislist.Forexample,theusermaysupplyk=6sweetwords:4Tninersall41&14alli8apicklesin(pi/2)\{1,2,3\}AB12:YZ90andthesystemcouldtheninformtheuserthatpasswordc(i)=6(thelastone)isherpassword.Therandompickmethodisperfectly at,nomatterhowthelistWiofsweetwordswasgenerated,sincethegivenprocedureisequivalenttochoosingc(i)uniformlyatrandomfromf1;2;:::;kgindependentoftheactualsweetwords;thereisthusnoinformationinWithatcanaidindeterminingc(i).Itisprobablyabadidea,however,toasktheuserforksweetwords.Notonlyisthisburdensomeontheuser,buttheusermayrememberandmistakenlyenterasweetwordsuppliedbyherandusedbythesystemasahoneyword.Therandompickapproachisprobablybetterappliedtoasetofksweetwordsgeneratedbyanalgorithmicpass-wordgenerator.5.2Typo-safetyWewouldalsolikeittoberareforalegitimateusertosetoanalarmbyaccidentallyenteringahoneyword.9 Whenstoringoldpasswordsisrequired,however,werecommendstoringtheminaprotectedmodulestronglyisolatedfromthebasicfunctionalityofthecomputersystem|perhapsinaspecialserver.Aweakeralternativehelpfulforachievinglegacycompatabilitymightresideinthecomputersystemitself.Inthiscase,thesetOiofoldpasswordsforuseruishouldbeencrypted,whennotinuse,underauser-specickeyi.WhenthesystemmustaccessOiforapasswordchange,itdecryptsOi.Thekeyishouldnot,ofcourse,bestoredinthecomputersystemitself,butmightbestoredinthehoneychecker,whichreleasesitothecomputersystemonlyaftersuc-cessfulauthenticationbytheuserusingcurrentpass-wordpi.AfterreadingandupdatingOi,thecomputersystemthenre-encryptsitandimmediatelyerasesi.Alternatively,ofcourse,oldpasswordscouldthem-selvesbestoredwithhoneywords.5.4StorageoptimizationSomehoneywordgenerationmethods,suchastweakingandtake-a-tail,canbeoptimizedtoreducetheirstoragetolittlemorethanasinglepasswordhash.Considertail-tweakingwherethetailsaret-digitnumbers.SupposethatT(pi)isofreasonablesize|forexample,witht=2digittailswehavejT(pi)j=100.Letk=jT(p)jandletWi=T(pi)=fwi;1;:::;wi;kg,sortedintoincreasingorderlexicographically.Weselectarandomelementwi;rofT(pi)andstoreH(wi;r)onthecomputersystem.(Wepickthiselementbyselectingtheindexr2f0;1;:::;k�1guniformlyatrandom.)Toverifyaproeredpasswordg,thecomputersystemcomputesthehashofeachsweetwordinT(g);ifoneisfoundequaltoH(wi;r)thenwi;risknown,soWicanbecomputed,ascanthepositionjofginWi.Thehoneycheckeroperatesasusual:Thecomputersystemsendsjtothehoneycheckertocheckwhetherj=c(i).WecanalsohandlecaseswherekjT(pi)j.Todoso,werestrictthesetofsweetwordsWitoasubsetofkpasswordsfromT(pi).SupposeherethatT(pi)issortedintoincreasinglexicographicalorderasabove.ThenwemightchooseWi=fwi;1;:::;wi;kgtobeasetofkcon-secutiveelements(withwraparound)fromT(pi)thatin-cludespi.Randomlyselectingc(i)2f1;:::;kgandset-tingwi;c(i)=piyieldssuchasetWiwithpiinarandomposition.Inthiscasethecomputersystemshouldstorebothwi;1andtheindexofwi;1inthelistT(pi),soitknowsexactlywhattherelevantsegmentofT(pi)is.5.5HybridgenerationmethodsItispossibletocombinethebenetsofdierenthon-eywordgenerationstrategiesbycomposingthemintoa\hybrid"scheme.Asanexample,weshowhowtoconstructahybridlegacy-UIschemethatcombineschang-by-tweaking-digitswithchang-with-a-password-model.Weassumeapassword-compositionpolicythatrequiresatleastonedigit,sothattweakingdigitsisalwayspossible.Hereisasimplehybridscheme:1.Usechang-with-a-password-modelonuser-suppliedpasswordptogenerateasetofa(2)seedsweet-wordsW0,oneofwhichisthepassword.Someseedsmaybe\toughnuts."2.Applychang-by-tweaking-digitstoeachseedsweet-wordinW0togenerateb(2)tweaks(includingtheseedsweetworditself).ThisyieldsafullsetWofk=absweetwords.3.RandomlypermuteW.Letc(i)betheindexofpsuchthatp=wc(i),asusual.Notetheimportanceoftheorderingofsteps1and2.Thealternativeapproachoftweakingrstandthenchang-with-a-password-modelwouldlikelyrevealptoanadversaryasthesoletweakedpassword.Asanexample,supposewehavea=3,b=4,andk=12.ThelistWimightlookasfollows:abacad513snurfle672zinja750abacad941snurfle806zinja802abacad004snurfle772zinja116abacad752snurfle091zinja649Aconvenientchoiceofparametersisa=b=p k.Weassumethischoiceindescribingthepropertiesofthehy-bridscheme;concretely,a=b=10isapossiblechoice,giventhatT(p)10.TodetectaDoS(denialofservice)attackagainstthisscheme(seeSection7.5)wemightdisregardsubmissionofhoneywordsinT(p),andraiseanalarmforallotherk�bhoneywords.DoSattacks,then,areveryunlikelytosucceed.AnadversarythathasstolenFandguessesahoneyword,though,willstillbecaughtwithprobability1�1=a=1�1=p k.(Fora=b=10,thisis90%.)ThestoragecostscanbeoptimizedalongthelinesofSection5.4ifdesired,storingonlyahashes.Table4.3illustrateshowthishybridhoneywordschemeinheritsdesirablecharacteristicsfrombothcomponentmethods.Notethattheschemeis atonlyifboth atness11 isnotverylikelytobegeneratedbyahoneywordgenerator,butisplausiblygeneratedbya(physics-knowledgeable)user.Anadversarymighteasilynoticethispasswordinasetofhoneywords.Inthiscontext,ausermightbewelladvisedeitherto(a)chooseaverystrongpasswordthattheadversarywillnevercrack,or(b)chooseapasswordofthesortthatthehoneywordgeneratormightgenerate.Thatis,don'tpickapasswordthathas\obviousstructure"toahumanofasortthatanautomaticgeneratormightnotuse.Alternatively,ageneratormighttakeasinputaprivate,handcraftedlistofsuchdistinctivepasswordsfor(one-time)useashoneywords;\obviousstructure,"then,wouldn'talwayssignalatruepasswordtoanadversary.Theabovetheoryaboutrelativelikelihoodisincom-plete:itdoesn'ttellanadversarywhattodowhenonlysomeofthesweetwordhashesaresolved,ashappenswhen\toughnuts"areused.7.5Denial-of-serviceWebrie ydiscussdenial-of-service(DoS)attacks|apo-tentialproblemformethodssuchaschang-by-tweakingthatgeneratehoneywordsbypredictablymodifyinguser-suppliedpasswords.(Incontrast,chang-with-a-password-modelandthehybridschemeofSection5.5of-ferstrongDoSresistance.)Theconcernisthatanadversarywhohasnotcompro-misedthepasswordleF,butwhononethelessknowsauser'spassword|e.g.,amalicioususeroranadversarymountingphishingattacks|canfeasiblysubmitoneoftheuser'shoneywords.Forexample,withchang-by-tweaking-digits,witht=2,suchanadversarycanguessavalidhoneywordwithprobability(k�1)=99.AfalseappearanceoftheftofthepasswordleFresults.AnoverlysensitivesystemcanturnsuchhoneywordhitsintoaDoSvulnerability.One(drastic)exampleisapolicythatforcesaglobalpasswordresetinresponsetoasinglehoneywordhit.Conversely,inasysteminad-equatelysensitivetoDoSattacks,anadversarythathasstolenFcanguesspasswordswhilesimulatingaDoSat-tacktoavoidtriggeringastrongresponse.Soapolicyofappropriatelycalibratedresponseisimportant.ReducingthepotencyofDoSattackscanhelp.MitigatingDoSattacksTolimittheimpactofaDoSattacksagainstchang-by-tweaking,onepossibleapproachistoselectarelativelysmallsetofhoneywordsrandomlyfromalargerclassofpossiblesweetwords.Forexample,wemightusetake-a-tailwithathree-digittail(t=3),yieldingjT(pi)j=1000.Settingk=20,then,meansrandomlypickingk�1=19honeywordsfromT(pi).Knowingthecorrectpasswordpionlygivesanad-versary(ormalicioususer)achanceof(k�1)=10000:02ofhittingahoneywordinthiscase,greatlyreducingherabilitytotriggeranalarm.Thevastmajority(98%)ofherattemptswillbepasswordsinT(pi),butnotinWi.7.6MultiplesystemsAsuserscommonlyemploythesamepasswordacrossdif-ferentsystems,anadversarymightseekanadvantageinpasswordguessingbyattackingtwodistinctsystems,sys-temAandsystemB|ormultiplesystems,forthatmat-ter.Weconsidertwosuchformsofattack,an\intersec-tion"attackanda\sweetword-submission"attack.Intersectionattack.Ifauserhasthesamepass-wordbutdistinctsetsofhoneywordsonsystemsAandB,thenanadversarythatcompromisesthetwopasswordleslearnstheuser'spasswordfromtheirintersection.(Ofcourse,withouthoneywords,anattackerlearnsthepasswordbycompromisingeithersystem.)Wewouldaiminsteadthatanintersectionattackagainstsystemsusinghoneywordsoeranadversarynoadvantageinidentify-ingthepasswordoneithersystem.Ourfavoredapproach,inthecasewheremanagementofmultiplesystemsisofconcern,wouldbethetake-a-tailgenerationapproachofSection4.2oneachsystem.Al-thoughthecompromiseofthepassword-hashleFwouldrevealthepassword-headtoanadversary,theuser'ssugarwouldbeindependentlyandrandomlygeneratedoneachsystem.Asignicantadvantageforsystem-chosentailsisthatitbecomesverylikelythattheuser'spasswordwillbedierentondierentsystems,eveniftheuserchoosesthesamepassword-head.Thisshouldincreaseoverallsecu-rity,asuserscannolongerusetheexactsamepasswordoneachsystem.Theburdenonmemoryisincreased,butinourjudg-mentthisincreaseiswellworththecost|toomanysys-temsarecompromisedbyhavinguserpasswordscrackedonothersystems.Notethatthisabilityofensuringthatauserhasdif-ferentpasswordsondierentsystemsisachievedwithoutcoordinationbetweenthesystems|itisastatisticalguar-antee.Anadversarywhodiscoversauser'spasswordonsystemAmaystillbecaughttryingtoaloginwithahoneywordonsystemB.14 Passwordstorageandverication.Therearestrongerapproachesthanhoneywordsforsplittingpassword-relatedsecretsacrossservers.Someproposedandcommercializedmethodsemploydistributedcryptog-raphytoconcealpasswordsfullyintheeventofaserverbreach[11,12,15].Whilesuchmethodsareperferrabletohoneywordswherepractical,theyrequiresubstantialchangestopasswordvericationsystemsand,ideally,client-sidesupportaswell.Honeywordsmaybeseenasasteppingstonetosuchapproaches.Password-authenticatedkey-exchangemethods,suchastheSecureRemotePasswordProtocol(SRP)4,provideanotherapproachtowardsverifyingthataremotepartyknowsacorrectpassword.However,theremotepartymusthaveatrustedcomputertoperformthenecessarymathematicaloperations.Ifsuccessful,bothpartiesendupwiththesamesecretkey,whichtheymayusetoen-cryptand/orauthenticatefurthercommunications.Decoys.Theuseofdecoyresourcestodetectsecuritybreachesisanage-oldpracticeintheintelligencecom-munity.Similarly,honeypotsareastock-in-tradeofcom-putersecurity.Asurveyoftheuseofhoneypotsandrelateddecoysandofpertinenthistoryandtheorymaybefoundin[14].Itisacommonindustrypracticetodaytodeploy\honeytokens,"boguscredentialssuchascreditcardnumbers[38],todetectinformationleakageandde-gradethevalueofstolencredentials.(Honeywordscouldlikewisereducethevalueofstolenpasswords.)Similarly,fabricatedordecoyleshavebeenproposedastrapstodetectintrusion[41]andinsiderattacks[10].Honeywordsalsobearsomeresemblancetoduresscodes,plausible-lookingbutinvalidsecretsthatusersmaysubmittotriggerasilentalarm.5Arelatedideaare\col-lisionful"hashfunctions[2,4];theseyieldhashvalueswithmultiple,feasiblycomputedpre-images,thuscreat-ingambiguityastowhichpre-imageiscorrect.MostcloselyrelatedtoourproposeduseofhoneywordsistheKamou agesystemofBojinovetal.[6].Thesettinginthatworkdiersfromours,though.Kam-ou ageaimstoprotectauser'slistofpasswordsinaclient-sidepasswordmanageragainstmisuseshouldtheuser'sdevice(e.g.,laptoportablet)bestolenorother-wisecompromised.Kamou ageconcealsthecorrectpass-wordlistwithinasetofdecoylists,whichcontainhoney-wordscreatedusingtheschemedescribedinSection4.1.2.Password-consumingserversneednotbeawareofKam- 4http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol5http://en.wikipedia.org/wiki/Duress_codeou agedeployment.(Theauthorsdonote,though,thatserversmightstoresomehoneywordstofacilitatedetec-tionofcompromise.)9OpenProblemsThispaperisjustaninitialstabattheissuessurround-ingtheuseofhoneywordstoprotectpasswordhashles;manyopenquestionsremain,suchas:Howshouldanadversaryactoptimallywhensome\toughnuts"areincludedamongthehoneywords?Whatisthebestwaytoenforcepassword-reusepoli-cies?Canthepasswordmodelsunderlyingcrackingal-gorithms(e.g.,[40])beeasilyadaptedforuseinchang-with-a-password-model?Howeectiveistargetedpasswordguessingindis-tinguishingpasswordsfromhoneywords?Howcanahoneywordsystembestbedesignedtowithstandactiveattacks,e.g.,codemodication,ofthecomputersystem(orthehoneychecker)?Howwellcantargetedattackshelpidentifyusers'passwordsforparticularhoneyword-generationmethods?Howuser-friendlyinpracticeistake-a-tail?10DiscussionandConclusionSomeonewhohasstolenapasswordlecanbrute-forcetosearchforpasswords,evenifhoneywordsareused.However,thebigdierencewhenhoneywordsareusedisthatasuccessfulbrute-forcepasswordbreakdoesnotgivetheadversarycondencethathecanloginsuccess-fullyandundetected.Theuseofanhoneycheckerthusforcesanadversarytoeitherrisklogginginwithalargechanceofcausingthedetectionofthecompromiseofthepassword-hashleF,orelsetoattemptcompromisingthehoneycheckeraswell.Sincethehoneychecker'sinterfaceisextremelysimple,onecanmorereadilysecurethehoneychecker.Theuseofhoneywordsmaybeveryhelpfulinthecur-rentenvironment,andiseasytoimplement.Thefactthatitworksforeveryuseraccountisitsbigadvantageovertherelatedtechniqueofhoneypotaccounts.Onecouldimagineusinganauxiliaryserverinotherwaysinsupportofpassword-basedauthentication.How-ever,thearchitectureproposedhereiscleanandsimple,16 [12]J.Camenisch,A.Lysyanskaya,andG.Neven.Practicalyetuniversallycomposabletwo-serverpassword-authenticatedsecretsharing.InACMCCS,pages525{536,2012.[13]WilliamCheswick.Rethinkingpasswords.Comm.ACM,56(2):40{44,Feb.2013.[14]F.Cohen.Theuseofdeceptiontechniques:Hon-eypotsanddecoys.InH.Bidgoli,editor,HandbookofInformationSecurity,volume3,pages646{655.WileyandSons,2006.[15]EMCCorp.RSADistributedCredentialProtection.http://www.emc.com/security/rsa-distributed-credential-protection.htm,2013.[16]A.Czeskis,M.Dietz,T.Kohno,D.Wallach,andD.Balfanz.Strengtheninguserauthenticationthroughopportunisticcryptographicidentityasser-tions.InACMCCS,pages404{414,2012.[17]DefenseInformationSystemsAgency(DISA)fortheDepartmentofDefense(DoD).Applicationsecurityanddevelopment:Securitytechnicalimplementationguide(STIG),version3release4,28October2011.[18]A.Forget,S.Chiasson,P.C.vanOorschot,andR.Biddle.Improvingtextpasswordsthroughper-suasion.InSOUPS,pages1{12,2008.[19]C.Gaylord.LinkedIn,Last.fm,nowYahoo?don'tignorenewsofapasswordbreach.ChristianScienceMonitor,13July2012.[20]D.Gross.50millioncompromisedinEvernotehack.CNN,4March2013.[21]C.HerleyandP.VanOorschot.Aresearchagendaacknowledgingthepersistenceofpasswords.IEEESecurity&Privacy,10(1):28{36,2012.[22]S.HoushmandandS.Aggarwal.Buildingbetterpasswordsusingprobabilistictechniques.InACSAC,pages109{118,2012.[23]P.G.Kelley,S.Komanduri,M.L.Mazurek,R.Shay,T.Vidas,L.Bauer,N.Christin,L.F.Cranor,andJ.Lopez.Guessagain(andagainandagain):Mea-suringpasswordstrengthbysimulatingpassword-crackingalgorithms.InIEEESymposiumonSecu-rityandPrivacy(SP),pages523{537,2012.[24]O.Kharif.Innovator:RameshKesanupalli'sbiomet-ricpasswordsstoredondevices.BloombergBusiness-week,28March2013.[25]MicrosoftTechNetLibrary.Passwordmustmeetcomplexityrequirements.ReferencedMarch2012athttp://bit.ly/YAsGiZ.[26]R.MorrisandK.Thompson.Passwordsecurity:acasehistory.Commun.ACM,22(11):594{597,November1979.[27]A.NarayananandV.Shmatikov.De-anonymizingsocialnetworks.InIEEESymposiumonSecurityandPrivacy(SP),pages173{187,2009.[28]U.S.HouseofRepresentatives.H.R.624:TheCy-berIntelligenceSharingandProtectionActof2013.113thCong.,2013.[29]B.-A.Parnell.LinkedInadmitssitehack,addspinchofsalttopasswords.TheRegister,7June2012.[30]I.Paul.Update:LinkedInconrmsaccountpass-wordshacked.PCWorld,6June2012.[31]D.Perito,C.Castelluccia,M.A.Kaafar,andP.Manils.Howuniqueandtraceableareuser-names?InPrivacyEnhancingTechnologies,pages1{17,2011.[32]N.Perlroth.HackersinChinaattackedTheTimesforlast4months.NewYorkTimes,pageA1,31January2013.[33]G.B.Purdy.Ahighsecuritylog-inprocedure.Com-mun.ACM,17(8):442{445,August1974.[34]B.Ross,C.Jackson,N.Miyake,D.Boneh,andJ.C.Mitchell.Strongerpasswordauthenticationusingbrowserextensions.InUSENIXSecurity,2005.[35]S.Schechter,A.J.B.Brush,andS.Egelman.It'snosecret.measuringthesecurityandreliabilityofauthentication\secret"questions.InIEEESympo-siumonSecurityandPrivacy(SP),pages375{390,2009.[36]S.Schechter,C.Herley,andM.Mitzenmacher.Pop-ularityiseverything:anewapproachtoprotect-ingpasswordsfromstatistical-guessingattacks.InUSENIXHotSec,pages1{8,2010.[37]E.Spaord.Observationsonreusablepasswordchoices.InUSENIXSecurity,1992.[38]L.Spitzner.Honeytokens:Theotherhoneypot.SymantecSecurityFocus,July2003.[39]T.Wadhwa.Whyyournextphonewillincluden-gerprint,facial,andvoicerecognition.Forbes,29March2013.[40]M.Weir,S.Aggarwal,B.deMedeiros,andB.Glodek.Passwordcrackingusingprobabilisticcontext-freegrammars.InIEEESymposiumonSe-curityandPrivacy(SP),pages162{175,2009.18 [41]J.Yuill,M.Zappe,D.Denning,andF.Feer.Honey-les:deceptivelesforintrusiondetection.InInfor-mationAssuranceWorkshop,pages116{122,2004.[42]Y.Zhang,F.Monrose,andM.K.Reiter.Thesecu-rityofmodernpasswordexpiration:analgorithmicframeworkandempiricalanalysis.InACMCCS,pages176{186,2010.Appendix.Changwithapass-wordmodelThisappendixdescribesasimplewaytogeneratehon-eywords;thismethodisonewaytoimplementchang-with-a-password-model.Itisjustasimpleexampleofsuchaprobabilisticmodel;bettermodelscertainlyexist.ThismethodusesalistLofsamplepasswords.Hon-eywordsarenottakenfromthisle;rather,thislistisusedasanaidtogenerateplausible-lookinghoneywords.Thislistisintendedtolooklikeplausiblepasswordsusersmightgenerate;itisnotintendedtobealistof\high-strength"passwords.Thus,thishoneywordgenerationschemeisqualita-tivelydierentthantheprocessoftweakingapasswordtogenerateanewpassword:itisOKforahoneywordtobemuchweakerthanthetruepasswordinanattempttotricktheadversary.However,itshouldnotbesoweakthathigh-probability(i.e.verycommon)passwordsaregenerated,asthiswouldcauseanonlineguessingattacktohithoneywords.Asimplemodelforgeneratingasinglehon-eyword:ThepasswordlistLisinitializedtoalistofmanythousandsofrealpasswords,aswellassometrulyrandompasswordsofvaryinglengths.A\toughnut"isgeneratedwithsomexedprobability(e.g.8%).Otherwiseahoneywordisgeneratedasfollows.Atar-getlengthdisrstdeterminedbypickingarandompass-wordwfromLandmeasuringitslength.Letthecharactersofthenewpasswordbedenotedc1,c2,...,cd.Thesearedeterminedsequentially.Therstcharacterc1isjusttherstcharacterw1ofw.Letw=w1w2:::;wd.Todeterminethejthcharacterofc,forj=2;3;:::;d:Withprobability0.1,replacewbyarandomlycho-senpasswordinLoflengtht.Thenletcj=wj.Elsewithprobability0.4,replacewbyarandomlychosenpasswordinLoflengthtthathaswj�1=cj�1.Thenletcj=wj.Elsewithprobability0.5,letcj=wj.Ifthehoneywordcisineligible(x6.1),thenbeginagaintogeneratec(excludingthetough-nutoptionthistime).Writeusforpythoncodeimplementingthismodel.19