Honeywords: Making Password-Cracking Detectable
Ari Juels, Ronald L. Rivest
CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security
Presented by: Karthik Padullaparty | kpad470
October 14, 2015
Summary
- Threat: stolen password-hash files, cracked offline
- Extends the honey-account idea (decoy accounts) to decoy passwords
- Honeywords: for each user the hash file holds k sweetwords, one real password plus k-1 decoy passwords (honeywords)
- A separate honeychecker stores only which index is the real password; a login with a honeyword is detected and raises an alarm
- Paper also covers: honeyword generation, policy choices, potential attacks against this system
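The split between the login server (which holds only sweetword hashes) and the honeychecker (which holds only the index of the real password) is the core of the scheme. The following is an added example written for these notes, not code from the paper or the presenter; the class and method names are assumptions, the honeychecker is an in-process object standing in for a separate hardened server, and the sample credentials are constructed.

```python
import hashlib
import hmac
import os
import secrets


class HoneyChecker:
    """Separate hardened server. Stores only user -> index of the real password,
    never the passwords or hashes themselves (hypothetical interface that mirrors
    the paper's Set and Check messages)."""

    def __init__(self):
        self.index = {}
        self.alarms = []  # (user, submitted index) for every honeyword hit

    def set_index(self, user, i):
        self.index[user] = i

    def check(self, user, i):
        if self.index.get(user) == i:
            return True
        # A sweetword that is not the real password was entered: the hash
        # file has very likely been stolen and cracked. Raise an alarm.
        self.alarms.append((user, i))
        return False


class LoginServer:
    """Computer system that stores k sweetword hashes per user."""

    def __init__(self, checker):
        self.checker = checker
        self.table = {}  # user -> (salt, [hash of sweetword_0, ..., sweetword_{k-1}])

    @staticmethod
    def _hash(salt, word):
        # Iteration count kept low for the example; use a production KDF setting in practice.
        return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 10_000)

    def register(self, user, password, honeywords):
        sweet = list(honeywords) + [password]
        if len(set(sweet)) != len(sweet):
            raise ValueError("honeywords must be distinct from each other and from the password")
        secrets.SystemRandom().shuffle(sweet)  # real index uniformly random in 0..k-1
        salt = os.urandom(16)
        self.table[user] = (salt, [self._hash(salt, w) for w in sweet])
        self.checker.set_index(user, sweet.index(password))

    def login(self, user, attempt):
        if user not in self.table:
            return False
        salt, hashes = self.table[user]
        h = self._hash(salt, attempt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return self.checker.check(user, i)  # only the honeychecker knows which i is real
        return False  # not a sweetword: ordinary wrong-password failure, no alarm


if __name__ == "__main__":
    checker = HoneyChecker()
    srv = LoginServer(checker)
    # Constructed credentials: one real password and three decoys.
    srv.register("alice", "Tr0ub4dor&3", ["Tr0ub4dor&7", "Tr9ub1dor&3", "sunshine42"])
    print(srv.login("alice", "Tr0ub4dor&3"), checker.alarms)  # real password, no alarm
    print(srv.login("alice", "sunshine42"), checker.alarms)   # honeyword, alarm raised
```

An attacker who cracks the stolen hash file recovers all k sweetwords but not the index, so a login with any of the k-1 decoys is the signal that the file has leaked; a guess that matches no sweetword at all is treated as an ordinary failed login and does not alarm.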
Aspect
- Honeyword generation faces the same difficulty as passwords themselves: the decoys must look as plausible as a real password, or an attacker holding the cracked hash file can pick the real one out
- In that light, honeywords are not the most satisfactory approach to authenticating a user
- My focus: honeyword generation methods and their limitations
  - Chaffing-with-a-password-model
  - Hybrid generation
Chaffing-with-a-password-model
- Uses a probabilistic model of real passwords
- Does not require the user's password to generate a honeyword, so the decoys are independent of the real password
- Draws the required number of honeywords from that model
Hybrid generation
- A legacy-UI method: the way users choose and enter passwords is unchanged
- Combines the strength of chaffing-with-a-password-model with chaffing-by-tweaking-digits
- "We assume a password composition policy that requires at least one digit, so that tweaking digits is always possible."
- Uses dictionary words
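The two generation methods on the last two slides, and the hybrid that combines them, as an added worked example (not code from the paper or the presenter). The vocabulary and the generative model are a constructed toy standing in for a model trained on real password lists; the function names and the parameters a (number of seeds) and b (tweaks per seed) are assumptions, and the digit-only composition policy quoted above is enforced as a check.

```python
import random
import string

# Constructed toy vocabulary standing in for a probabilistic model of real
# passwords; the paper's model would be far richer.
WORDS = ["dragon", "monkey", "sunshine", "princess", "shadow", "football", "master"]


def skeleton(word):
    """Non-digit shape of a password; tweaking digits preserves it."""
    return "".join("#" if c.isdigit() else c for c in word)


def chaff_with_model(n, rng, exclude_skeletons=(), words=WORDS):
    """Chaffing-with-a-password-model: draw n plausible decoys from a toy
    generative model (dictionary word, optional capital, 1-4 digits, optional
    symbol). Skeletons are kept distinct so later digit tweaks cannot collide."""
    out, taken = [], set(exclude_skeletons)
    while len(out) < n:
        w = rng.choice(words)
        if rng.random() < 0.5:
            w = w.capitalize()
        w += "".join(rng.choice(string.digits) for _ in range(rng.randint(1, 4)))
        if rng.random() < 0.3:
            w += rng.choice("!@#$")
        if skeleton(w) not in taken:
            taken.add(skeleton(w))
            out.append(w)
    return out


def tweak_digits(seed, n, rng):
    """Chaffing-by-tweaking-digits: n distinct variants of seed with its digit
    positions re-randomised. Needs at least one digit, which the quoted
    composition policy guarantees; otherwise there is nothing to tweak."""
    positions = [i for i, c in enumerate(seed) if c.isdigit()]
    if not positions:
        raise ValueError("composition policy requires at least one digit")
    if n > 10 ** len(positions) - 1:
        raise ValueError("not enough distinct digit tweaks available")
    out = []
    while len(out) < n:
        chars = list(seed)
        for i in positions:
            chars[i] = rng.choice(string.digits)
        t = "".join(chars)
        if t != seed and t not in out:
            out.append(t)
    return out


def hybrid_generate(password, a, b, rng=None):
    """Hybrid generation: a seeds (the real password plus a-1 model-generated
    ones), each expanded to b sweetwords by digit tweaking, giving k = a*b
    sweetwords in random order. Exactly one of them is the real password."""
    rng = rng or random.SystemRandom()  # unpredictable in production use
    seeds = [password] + chaff_with_model(a - 1, rng, exclude_skeletons={skeleton(password)})
    sweet = []
    for s in seeds:
        sweet.append(s)
        sweet.extend(tweak_digits(s, b - 1, rng))
    rng.shuffle(sweet)
    return sweet


if __name__ == "__main__":
    for w in hybrid_generate("Tr0ub4dor&3", a=3, b=4):  # constructed real password
        print(w)
```

The limitation the slides point at is visible here: the b sweetwords derived from the real password all share its non-digit skeleton, while the model-generated seeds share the toy model's shape. An attacker who knows the generation method, or who recognises the user's own style of password, can narrow the k candidates down accordingly, so the decoys are only as good as the model behind them.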
Final Thoughts
- Gathering insights on how passwords are generated
- Refining cracking algorithms
- Using multiple systems to log in
My thoughts
- Making passwords realistic
- Using old passwords
Questions