
The Impact of Exposed Passwords on Honeyword Efficacy

Publication, Conference
Huang, Z; Bauer, L; Reiter, MK
Published in: Proceedings of the 33rd USENIX Security Symposium
January 1, 2024

Honeywords are decoy passwords that can be added to a credential database; if a login attempt uses a honeyword, this indicates that the site's credential database has been leaked. In this paper we explore the basic requirements for honeywords to be effective, in a threat model where the attacker knows passwords for the same users at other sites. First, we show that for user-chosen (vs. algorithmically generated, i.e., by a password manager) passwords, existing honeyword-generation algorithms do not simultaneously achieve false-positive and false-negative rates near their ideals of ≈ 0 and ≈ 1/(1+n), respectively, in this threat model, where n is the number of honeywords per account. Second, we show that for users leveraging algorithmically generated passwords, state-of-the-art methods for honeyword generation will produce honeywords that are not sufficiently deceptive, yielding many false negatives. Instead, we find that only a honeyword-generation algorithm that uses the same password generator as the user can provide deceptive honeywords in this case. However, when the defender's ability to infer the generator from the (one) account password is less accurate than the attacker's ability to infer the generator from potentially many, this deception can again wane. Taken together, our results provide a cautionary note for the state of honeyword research and pose new challenges to the field.


Published In

Proceedings of the 33rd USENIX Security Symposium

Publication Date

January 1, 2024

Start / End Page

559 / 576
 

Citation

APA: Huang, Z., Bauer, L., & Reiter, M. K. (2024). The Impact of Exposed Passwords on Honeyword Efficacy. In Proceedings of the 33rd USENIX Security Symposium (pp. 559–576).

Chicago: Huang, Z., L. Bauer, and M. K. Reiter. “The Impact of Exposed Passwords on Honeyword Efficacy.” In Proceedings of the 33rd USENIX Security Symposium, 559–76, 2024.

ICMJE: Huang Z, Bauer L, Reiter MK. The Impact of Exposed Passwords on Honeyword Efficacy. In: Proceedings of the 33rd USENIX Security Symposium. 2024. p. 559–76.

MLA: Huang, Z., et al. “The Impact of Exposed Passwords on Honeyword Efficacy.” Proceedings of the 33rd USENIX Security Symposium, 2024, pp. 559–76.

NLM: Huang Z, Bauer L, Reiter MK. The Impact of Exposed Passwords on Honeyword Efficacy. Proceedings of the 33rd USENIX Security Symposium. 2024. p. 559–576.
