
International Journal of Engineering Trends and Technology (IJETT) – Volume 27 Number 4 - September 2015
Examination of a New Defense Mechanism: Honeywords
Rohit Gujar#1, Rahul Dhumal#2, Shrinath Shelke#3, Pravin Hinge#4, Prof. Prashant Suryavanshi#5
#1234 Students of BE Computer
#5 Asst. Prof. (Computer Engg.)
Savitribai Phule Pune University,
H.S.B.P.V.T. COE, Kashti, Shrigonda 414701, Ahmednagar.
Abstract- Honeywords are decoy passwords used to detect attacks against a hashed password database. For each user account, the legitimate password is stored together with a set of honeywords. If an attacker obtains the password file and cracks the hashes, he cannot be sure whether a given entry is the real password or a honeyword.
Cracking a password hash has become much easier with the advances in graphical processing unit (GPU) technology. An attempt to log in with a honeyword triggers an alarm notifying the administrator about a password file breach. In this context, a paper for improving the security of hashed passwords was proposed. Roughly speaking, they propose an approach for user authentication in which some false passwords, i.e. “honeywords”, are added into a password file in order to detect impersonation. Their solution includes an auxiliary secure server called “honeychecker” which can distinguish a user’s real password among her honeywords and immediately sets off an alarm whenever a honeyword is used. In this paper, we analyze the security of the proposal, provide some possible improvements which are easy to implement and introduce an enhanced model as a solution to an open
Keywords- Authentication, Honeywords, login, passwords, Security
user accounts to lure adversaries and detects a password disclosure if any one of the honeyword passwords gets used.
In this paper, the honeyword mechanism is presented as a way to detect an adversary who attempts to log in with cracked passwords. Basically, for each username a set of sweetwords is constructed such that only one element is the correct password and the others are honeywords (decoy passwords). Hence, when an adversary tries to enter the system with a honeyword, an alarm is triggered to notify the administrator about a password leakage.
[Figure 1 schematic, participants User, Server and Honeychecker: 1. User sends login request to server; 2. Server sends Check: i, j to the honeychecker; 3. Honeychecker returns True/False, Alarm; 4. Server returns ACCEPT/REJECT to the user.]
I. INTRODUCTION
Disclosure of password files is a severe security problem that has affected many users, since leaked passwords make the users the target of many possible cyber-attacks.
In this paper, two issues should be considered to overcome these security problems. First, passwords must be protected by taking appropriate precautions and stored as hash values computed through salting or some other complex mechanism, so that it is hard for an adversary to invert the hashes and acquire plaintext passwords. Second, a secure system should detect whether a password file disclosure incident has happened or not, in order to take appropriate actions. In this study, we focus on the latter issue and deal with fake passwords or accounts as a simple and cost-effective solution to detect compromise of passwords.
Honeyword is one of the methods to identify the occurrence of a password database breach. In this approach, the administrator purposely creates deceit
ISSN: 2231-5381
Fig. 1. Login schema of a system using honeywords
When a user ui sends a login request, the login server determines her order i among the users and the order j of the submitted password among her sweetwords. The login server sends a message of the form Check(i, j) to a secure server called the “honeychecker”, for the ith user and her jth sweetword. The honeychecker determines whether the submitted word is the password or a honeyword. If a honeyword is submitted, it raises an alarm or takes an action that was chosen beforehand (Figure 1). The honeychecker cannot know anything about the user’s password or honeywords; it maintains a single database that contains only the order of the true password among the user’s sweetwords.
In this study, we analyze the honeyword approach and give some remarks about the security of the system. Furthermore, we point out that the key item for this method is the generation algorithm of the
http://www.ijettjournal.org
Page 201
honeywords, such that they shall be indistinguishable from the correct passwords. Therefore, we propose a new approach that uses passwords of other users in the system for the honeyword sets, i.e. realistic honeywords are provided.
For instance, mice3blind is decomposed as 4 letters + 1 digit + 5 letters (L4+D1+L5) and replaced with a word of the same composition, like gold5rings.
Bond004 james004
004bond 004004
2. HONEYWORDS
Set multiple possible passwords for each account, any one of which is genuine. The others we refer to as “honeywords”. An attempt to log in with a honeyword sets off an alarm, as an adversarial attack has then been reliably detected. For admin login, a login id is required which is made up of various sentences or words whose last digit is a honeyword; the honeyword is assigned as a key/value entry in a hash table called “honeyword”.
2.1.3 Hybrid Method
It consists of a combination of chaffing-with-a-password-model and chaffing-by-tweaking-digits. By using this technique, the random password model yields seeds for tweaking digits to generate the honeywords.
3. SECURITY ANALYSIS OF HONEYWORDS

2.1 Honeyword Generation Methods
The methods are categorized into two groups: the first consists of the legacy-UI (user interface) procedures and the second includes modified-UI procedures, whose password-change UI is modified to allow better password/honeyword generation.
The take-a-tail method is given as an example of the second category. According to this approach, a randomly selected tail is produced for the user to append as a suffix to her entered password, and the result becomes her new password. For instance, let a user enter the password games01, and let the system then propose ’413’ as a tail. So the password of the user now becomes games01413.
2.1.1 Chaffing-by-tweaking
In this method, the user password seeds the generator algorithm, which tweaks selected character positions of the real password to produce the honeywords. For instance, each character of a user password in predetermined positions is replaced by a randomly chosen character of the same type: digits are replaced by digits, letters by letters, and special characters by special characters. The number of positions to be tweaked, denoted t, should depend on system policy.
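As an added illustration, not code from the paper, the following Python sketch implements the three legacy-UI generators discussed in Sections 2.1.1 to 2.1.3: chaffing-by-tweaking, chaffing-with-a-password-model using the modeling syntax (the L4+D1+L5 decomposition of mice3blind), and the hybrid method that tweaks the digits of a model-generated seed. Function names, the character pools and the bounded retry loop in gen_sweetwords are my own choices; the password model is reduced to "same character-class composition", so it is a placeholder for the probabilistic model the paper refers to.

```python
import random
import string

# Character classes of the "modeling syntax": letters (L), digits (D), special characters (S).
ALPHABET = {"L": string.ascii_lowercase, "D": string.digits, "S": "!@#$%^&*_-+=?"}


def char_class(ch):
    """Map one character to its class letter."""
    if ch.isalpha():
        return "L"
    if ch.isdigit():
        return "D"
    return "S"


def decompose(password):
    """Split a password into runs of one class: 'mice3blind' -> [('L', 4), ('D', 1), ('L', 5)]."""
    runs = []
    for ch in password:
        cls = char_class(ch)
        if runs and runs[-1][0] == cls:
            runs[-1] = (cls, runs[-1][1] + 1)
        else:
            runs.append((cls, 1))
    return runs


def syntax_string(password):
    """Render the decomposition the way the paper writes it, e.g. 'L4+D1+L5'."""
    return "+".join(f"{cls}{n}" for cls, n in decompose(password))


def chaff_by_tweaking(password, t, rng):
    """2.1.1: replace t randomly chosen positions with a different character of the same class."""
    chars = list(password)
    for pos in rng.sample(range(len(chars)), min(t, len(chars))):
        old = chars[pos]
        pool = ALPHABET[char_class(old)].replace(old.lower(), "")  # never re-pick the same character
        new = rng.choice(pool)
        chars[pos] = new.upper() if old.isupper() else new
    return "".join(chars)


def chaff_with_model(password, t, rng):
    """2.1.2 (modeling syntax, simplified): a fresh word with the same L/D/S composition; t is unused."""
    return "".join(rng.choice(ALPHABET[cls]) for cls, n in decompose(password) for _ in range(n))


def chaff_hybrid(password, t, rng):
    """2.1.3: the password model yields a seed, then up to t of the seed's digits are tweaked."""
    chars = list(chaff_with_model(password, t, rng))
    digit_positions = [i for i, ch in enumerate(chars) if ch.isdigit()]
    for pos in rng.sample(digit_positions, min(t, len(digit_positions))):
        chars[pos] = rng.choice(string.digits.replace(chars[pos], ""))
    return "".join(chars)


def gen_sweetwords(password, k, method, rng, t=2):
    """Gen(k): k distinct sweetwords with the real password at random position c_i; returns (W_i, c_i)."""
    honeywords = set()
    attempts = 0
    while len(honeywords) < k - 1:
        attempts += 1
        if attempts > 1000 * k:  # very short passwords may not admit k-1 distinct tweaks
            raise ValueError("could not produce k-1 distinct honeywords for this password")
        hw = method(password, t, rng)
        if hw != password:
            honeywords.add(hw)
    W = sorted(honeywords)  # sorted first: set order depends on Python's hash randomization
    rng.shuffle(W)
    c_i = rng.randrange(k)  # sugarindex
    W.insert(c_i, password)
    return W, c_i


def demo(seed=1):
    """Run all three generators on the paper's example password with k = 5 (constructed input)."""
    rng = random.Random(seed)
    password = "mice3blind"
    return {name: gen_sweetwords(password, 5, fn, rng)
            for name, fn in (("tweaking", chaff_by_tweaking),
                             ("model", chaff_with_model),
                             ("hybrid", chaff_hybrid))}


if __name__ == "__main__":
    for name, (W, c_i) in demo().items():
        print(f"{name:9s} c_i={c_i} W_i={W}")
```

Running demo() shows the flatness problem the paper raises later: tweaking output shares most characters with the real password, so an adversary who knows how users type can often pick the sugarword, while the model and hybrid outputs only share its composition.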
2.1.2 Chaffing-with-a-password-model
In this approach, the generator algorithm takes the password from the user and, relying on a probabilistic model of real passwords, produces the honeywords. As an example for this method, the authors give the model named the modeling syntax. In this model, the password is split into character sets.
Attack Model
Brute-force attack
Guessing attack
Network monitoring
Phishing attack
Malwares
Visible passwords
1] Brute-force attack - An adversary can steal the password hash file and crack the hashes using brute-force computation. He may also use a precomputed dictionary of password hashes.
2] Guessing attack - Many users choose weak passwords, so an adversary can find out the passwords of some users of a system by trying common passwords while attempting to log in to that system. Spafford suggests that a good password choice should avoid common words and names.
3] Network monitoring - If the communication between the user and the system is unsecured, i.e. unencrypted, an adversary may monitor the network traffic and obtain the passwords, or interrupt the traffic while a user is creating her password and change it to another one [12]. This attack is also called a man-in-the-middle attack.
[Figure 2 schematic, participants User, Adversary and Server: 1. User sends login request; 2. Adversary may modify the login record/request; 4. User sees what the adversary sends; 5. Adversary gets critical info.]
Fig .2. Communication over an unsecured channel
4] Phishing attack - A user can submit her login information to a web page prepared by an adversary which looks very similar to the original system’s login screen.
5] Malwares - A Trojan program can capture the keystrokes and send this information to the adversary. There are some advanced malwares that can steal the login information from messenger-like software, some of which does not keep the login information encrypted.
4. A NEW APPROACH
Our proposed model is still based on the use of honeywords to detect password cracking. However, instead of generating the honeywords and storing them in the password file, we suggest benefiting from existing passwords to simulate honeywords. In order to achieve this, for each newly created account a set of indexes of existing passwords, which we call honeyindexes, is randomly assigned; moreover, a random index number is given to this account, and the hash of the correct password is kept together with the correct index in a list. Equivalently, to create uncertainty about the correct password, we propose to use indexes that map to valid passwords in the system. The contribution of our approach is twofold. First, this method requires less storage compared to the original study. Second, in the previous sections we argued that the effectiveness of the honeyword system directly depends on the flatness of Gen() and on how close it is to human behaviour in choosing passwords. Within our approach, passwords of other users are used as the fake passwords, so guessing which password is fake and which is correct becomes more complicated for an adversary.
4.1 Initialization
Firstly, T fake user accounts (honeypots) are created with their passwords.
TABLE 1
Notation

H()         Cryptographic hash function used to compute the hash of the passwords
ui          Username of the ith user
pi          Password of the ith user
Wi          List of potential passwords (sweetwords) for ui
vi,j        Hash value of the jth element of Wi
Vi          List of hash values for ui, Vi = (vi,1, vi,2, ..., vi,k)
k           Number of elements in Wi
ci          Index of the correct password in list Wi
Gen(k)      Procedure used to generate Wi, a list of k sweetwords
sweetword   Each element of Wi
sugarword   Correct password in Wi
honeyword   Each fake password of Wi
Also, an index value in [1, N] that has not been used previously is randomly assigned to each honeypot. Then k - 1 numbers are randomly selected from the index list and for each account a honeyindex set is built as Xi = (xi,1, xi,2, ..., xi,k); one of the elements in Xi is the correct index (sugarindex) ci. Now, we use two password files F1 and F2 in the main server. F1 stores the username and the honeyindex set, <hui, Xi>, where hui denotes a honeypot account. Note that each entry has two elements: the first is the username of the account and the second is the honeyindex set of the respective account. Also, the table is sorted alphabetically by the username field. On the other hand, F2 keeps the index number and the corresponding hash of the password, <ci, H(pi)>, as depicted in Table 3. In this case too, each entry has two elements: the first is the sugarindex of the account and the second is the hash of the corresponding password. Notice that this table is sorted according to the index values. Let SI denote the index column and SH the corresponding password hash column of F2. Then the function f(ci) that gives the password hash value in SH
TABLE 2
Example Password File F1 for the Proposed Model

Username     Honeyindex Set
Rahul        (23, 2351, ..., 6475)
Rohit        (51432, 15432, ..., 88429)
Shree        (3, 62107, ..., 91233)
:            :
Pravin23     (1007, 23471, ..., 47662)
Prashant_m   (63, 51234, ..., 72382)
TABLE 3
Example Password File F2 for the Proposed Model

SI       SH
3        H(p3)
8        H(p8)
58       H(p58)
:        :
10000    H(p10000)
10003    H(p10003)
for the index value ci can be defined as f(ci) = {H(pi) ∈ SH : <ci, H(pi)> is the stored pair for ui, ci ∈ SI}. In order to make these points clear, the initialization process is shown in the following example.
Example 1. Suppose that a honeypot username/password pair is generated by the system as <john, master2015>. Then an index number is randomly selected, for instance 1005, and assigned as the correct
index of this account. Now the F2 file is updated according to this information as shown below:

Index No    Hash of Password
:           :
1005        H(master2015)
:           :
Then k - 1 numbers are randomly chosen from SI of F2 and combined with the correct index 1005 in a random order to produce the index group. For instance, if k = 5, a group such as (42, 32104, 1005, 4201, 34008) may be generated. In this case the F1 file looks as below:
Username    Honeyindex Set
:           :
John        (42, 32104, 1005, 4201, 34008)
:           :
4.2 Registration
After the initialization process, the system is ready for user registration. In this phase, a legacy UI is preferred, i.e. a username and password (ui, pi) are required from the user to register with the system. We use the honeyindex generator algorithm Gen(k, SI) -> (ci, Xi), which outputs ci as the correct index for ui and the honeyindexes Xi = (xi,1, xi,2, ..., xi,k).
4.4 Login Process
The system first checks whether the entered password g is correct for the corresponding username ui. To accomplish this, the Xi of the corresponding ui is first retrieved from the F1 file. Then the hash values stored in the F2 file for the respective indices in Xi are compared with H(g) to find a match. If no match is obtained, then g is neither the correct password nor one of the honeywords, i.e. the login fails. On the other hand, if H(g) is found in the list, then the main server checks whether the account is a honeypot.
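The following Python sketch is an added example, not code from the paper, that runs the initialization, registration and login steps of Sections 4.1, 4.2 and 4.4 together with the Set and Check commands of the honeychecker from Section 4.3. It assumes a plain SHA-256 digest in place of H(), in-memory dictionaries for F1 and F2, constructed honeypot accounts, and that the honeychecker stores the sugarindex value itself (the SI number, as in the example with 1005) rather than a position; class and method names are my own.

```python
import hashlib
import hmac
import random


def H(password):
    # Stand-in for the paper's H(): plain SHA-256 here; a deployment would use a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class HoneyChecker:
    """Auxiliary server (Sec. 4.3): knows only the correct index c_i per username, never a password or hash."""

    def __init__(self):
        self._c = {}
        self.alarms = []

    def set(self, u, c_i):          # Set: c_i, u_i
        self._c[u] = c_i

    def check(self, u, j):          # Check: u_i, j
        ok = self._c.get(u) == j
        if not ok:
            self.alarms.append(u)   # honeyword situation reported back to the system
        return ok


class MainServer:
    """Main login server holding F1 (username -> honeyindex set) and F2 (SI -> SH)."""

    def __init__(self, N, k, rng):
        self.N, self.k, self.rng = N, k, rng
        self.F1 = {}        # u_i -> X_i, a tuple of k indices, one of which is the account's own (sugar)index
        self.F2 = {}        # index c -> H(p): the <c_i, H(p_i)> pairs; keys act as SI, values as SH
        self.index_of = {}  # bookkeeping only: u_i -> its own index, used to build F1, never read at login
        self.honeypots = set()
        self.checker = HoneyChecker()
        self.incidents = []

    def _fresh_index(self):
        """Random index in [1, N] not used previously."""
        while True:
            c = self.rng.randrange(1, self.N + 1)
            if c not in self.F2:
                return c

    def _store_hash(self, u, password):
        c = self._fresh_index()
        self.F2[c] = H(password)
        self.index_of[u] = c
        return c

    def gen(self, c_i):
        """Gen(k, SI) -> (c_i, X_i): c_i mixed in random order with k-1 other indices drawn from SI."""
        others = self.rng.sample([c for c in self.F2 if c != c_i], self.k - 1)
        X = others + [c_i]
        self.rng.shuffle(X)
        return c_i, tuple(X)

    def initialize(self, honeypot_pairs):
        """4.1: store the T honeypots first so SI is populated, then build their honeyindex sets."""
        if len(honeypot_pairs) < self.k:
            raise ValueError("need at least k honeypots so that k-1 other indices exist in SI")
        for u, p in honeypot_pairs:
            self._store_hash(u, p)
            self.honeypots.add(u)
        for u, _ in honeypot_pairs:
            c_i, X = self.gen(self.index_of[u])
            self.F1[u] = X
            self.checker.set(u, c_i)

    def register(self, u, p):
        """4.2: legacy UI, only a username and password are taken from the user."""
        c_i, X = self.gen(self._store_hash(u, p))
        self.F1[u] = X
        self.checker.set(u, c_i)

    def login(self, u, g):
        """4.4: compare H(g) with the F2 entries for the indices in X_i, then consult the honeychecker."""
        X = self.F1.get(u)
        if X is None:
            return "REJECT"
        hg = H(g)
        matches = [c for c in X if hmac.compare_digest(self.F2[c], hg)]
        if not matches:
            return "REJECT"                            # neither password nor honeyword: plain failed login
        if u in self.honeypots:
            self.incidents.append(("honeypot", u))     # nobody legitimately logs into a honeypot account
            return "REJECT"
        # Two matches would mean another account in X_i shares this password (the common-password
        # case of Sec. 5); the paper does not say which index to send, so the first is used here.
        if self.checker.check(u, matches[0]):
            return "ACCEPT"
        self.incidents.append(("honeyword", u))
        return "REJECT"


def build_demo(seed=42):
    """Constructed deployment: five honeypots (T = k = 5) and one real user; returns (server, honeypots)."""
    pots = [("john", "master2015"), ("hp2", "fTq9#lamp"), ("hp3", "w1nter-2k"),
            ("hp4", "Zebra!77"), ("hp5", "qpalzm0")]
    srv = MainServer(N=100000, k=5, rng=random.Random(seed))
    srv.initialize(pots)
    srv.register("alice", "Tr0ub4dor&3")
    return srv, pots
```

Note the storage shape this gives: F2 grows by one hash per account (the hN of Section 6.1) and F1 by k small integers, and the honeychecker never sees a password or hash. The requirement that at least k honeypots exist before the first Gen() call is an assumption added so that k-1 other indices are always available.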
5. SECURITY ANALYSIS OF THE PROPOSED MODEL
In this section, we investigate the security of the proposed model against some possible attack scenarios. Before we elaborate on the attack strategies, however, we first state a set of reasonable assumptions about our approach and the related security policies. We suppose that the adversary can invert most or many of the password hashes in file F2. Notice that the introduction of this scheme comes with a DoS attack sensitivity, in which an adversary deliberately tries to log in with honeywords to trigger a false alarm. Hence, the suggested policies given below mostly focus on minimizing the DoS vulnerabilities.
When a user logs in with a wrong password that is not a honeyword, the login fails. If this wrong password is the password of another account in the system and the same user hits this situation more than once (trying with other passwords in F2), the system should turn on additional logging of the user’s activities to detect a possible DoS attack and to attribute the adversary; otherwise the incorrect login attempt case proceeds as usual.
4.3 Honeychecker
In our approach, the auxiliary service honeychecker is employed to store the correct index of each account, and we assume that it communicates with the main server through a secure channel in an authenticated manner. The honeychecker executes two commands sent by the main server:
Set: ci, ui
Sets the correct password index ci for the user ui.
Check: ui, j
Checks whether ci for ui is equal to the given j. Returns the result and, if equality does not hold, notifies the system of a honeyword situation.
Thus, the honeychecker only knows the correct index for a username, but not the password or the hash of the password.
If a password whose hash value is in the SH column of F2 is entered in wrong login attempts more than once, the system should take actions against a possible DoS alarm. In this case the system suspects that the respective password is known by the adversary and that she aims to raise a honeyword situation. Consequently, consecutive wrong login attempts with this password give rise to a DoS warning, and further activities of the user are investigated by the admin as a precaution to prevent a false honeyword alarm. Note that these attempts may be made with a single username or with different usernames.
In order to increase the number of unique passwords in the system, i.e. reduce common passwords, users should be forced to adhere to a password composition policy like basic8
(8 or more characters), comprehensive8 (at least 8 characters, including an uppercase and a lowercase letter, a symbol and a digit, and not containing a dictionary word) or basic16 (16 or more characters) at password creation. The main reason behind this item is to minimize the number of common passwords in the system: if the number of common passwords increases, the chance of an adversary realizing a DoS attack also increases.
A username should not be correlated with its password; the contribution of the honeywords for an account that has a correlated username/password pair will be weakened. Although fulfilling this item is not easy, some obviously vulnerable cases can be automatically rejected by the system through a custom policy, e.g. password strings that contain the username as a suffix or prefix are not accepted as a password.
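The policies of this section are easy to turn into code. The following Python sketch is an added example, not from the paper, of the registration-time checks (composition policies basic8, comprehensive8 and basic16, the username-as-prefix-or-suffix rule, and the "1000 most common passwords" list mentioned under Section 6) and of the DoS monitoring rule: a failed login whose password hash is present in SH is tracked per password, across usernames, and a second hit raises a DoS warning for the admin instead of being trusted as a honeyword alarm. The common-password list, the dictionary word list, the SHA-256 stand-in for H() and all names are constructed here.

```python
import hashlib
from collections import defaultdict


def H(password):
    # Stand-in for the paper's H() (plain SHA-256; a deployment would use a salted, slow hash).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-ins for the "1000 most common passwords" list and a dictionary word list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "master2015"}
DICTIONARY_WORDS = {"password", "master", "dragon", "monkey", "welcome"}


def composition_ok(password, policy):
    """basic8 / comprehensive8 / basic16 as the paper describes them."""
    if policy == "basic8":
        return len(password) >= 8
    if policy == "basic16":
        return len(password) >= 16
    if policy == "comprehensive8":
        lowered = password.lower()
        classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
        return len(password) >= 8 and all(classes) and not any(w in lowered for w in DICTIONARY_WORDS)
    raise ValueError(f"unknown policy {policy!r}")


def username_correlated(username, password):
    """The paper's example rule: the password carries the username as a prefix or suffix."""
    u, p = username.lower(), password.lower()
    return p.startswith(u) or p.endswith(u)


def registration_problems(username, password, policy="comprehensive8"):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if not composition_ok(password, policy):
        problems.append("composition")
    if username_correlated(username, password):
        problems.append("username-correlated")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common-password")
    return problems


class DosMonitor:
    """Watch failed logins whose password hash is in SH: the same real password failing more than
    once, under one or several usernames, is treated as an attempt to provoke a false honeyword alarm."""

    def __init__(self, SH, threshold=2):
        self.SH = set(SH)
        self.threshold = threshold
        self.attempts = defaultdict(list)   # H(g) -> usernames that failed with it

    def failed_login(self, username, g):
        hg = H(g)
        if hg not in self.SH:
            return "ordinary-failure"       # not a real password of any account: nothing to track
        self.attempts[hg].append(username)
        if len(self.attempts[hg]) >= self.threshold:
            return "dos-warning"            # admin investigates before trusting a honeyword alarm
        return "watch"
```

The monitor keys on the hash rather than the username, which is what lets it catch the case the paper mentions where the attempts are spread over different usernames.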
user will be negligibly low. Although an adversary may hit a real password using a common password in the system, it is not necessarily a honeyword for the corresponding account. Thus, the use of real passwords as honeywords does not cause a DoS weakness.
6.3 Flatness
It is demonstrated that the chaffing-with-tweaking model may leave traces to an adversary in distinguishing the genuine password from the honeywords, although the produced honeywords may seem like user passwords from the perspective of the adversary. The success of the method in flatness depends on how the password model is constructed; for instance the modeling syntax yields honeywords depending on the composition of the user password, so a perfectly user-like behaviour cannot be provided. On the other hand, the simple model described in the study may match the distribution of honeywords to that of user passwords by using a list of real passwords. In our proposed model, as described previously, passwords of other users become honeywords for a user.
To avoid the occurrence of a high number of common passwords in the system, the user should be driven to choose another password when the created password is in the list of the 1000 most common passwords. Hence, the chance of the possible DoS attack described below will be reduced.
6. COMPARISON OF HONEYWORD GENERATION MODELS
This section compares the models in terms of storage cost, DoS resistance, flatness and usability.
6.1 Storage Cost
A typical password file system requires hN bytes plus storage for usernames, where N stands for the number of users in the system and h denotes the length of a password hash in bytes. On the other hand, with honeywords this becomes khN, where k denotes the number of sweetwords assigned to each account. Notice that we ignore the storage cost stemming from usernames, since it is not changed after adoption of the honeywords.
6.2 DoS Resistance
Here we show that the chaffing-with-tweaking model may suffer from a DoS attack, due to the predictability of the honeywords. Unlike it, the chaffing-with-a-password model provides resistance against such an attack, because the honeywords are generated by using a list of passwords such that they may be independent of the correct password. Adoption of a strong password composition policy likely prevents the occurrence of common passwords in high numbers, i.e. the probability that a common password is assigned as a honeyword for a specific
Method           Tweaking   Password model
DoS Resistance   weak       strong
Flatness         weak       strong
Storage Cost     hN*        khN
6.4 Usability
In this part, we compare our approach with the simple model in terms of practicality and ease of use. Considering the simple model, whose password list is constructed from a composition of numerous real passwords and randomly generated passwords, one can ask how the source of real passwords is provided. If the same source of real passwords is used at different sites, similar inherited weaknesses related to honeyword generation may be observed. By weak DoS resistance we mean that an adversary who knows the password can hit one of the corresponding honeywords with a non-negligible chance, while by strong we mean that this chance is negligibly small.
7. CONCLUSION
In this study, we have analyzed the security of the honeyword system and addressed a number of flaws that need to be handled before successful realization of the scheme. In this respect, we have pointed out that the strength of the honeyword system directly depends on the generation algorithm, i.e. the flatness of the generator algorithm determines the chance of distinguishing the correct password among the respective sweetwords.
Another point that we would like to stress is that the defined reaction policies in case of a honeyword entrance can be exploited by an adversary to realize a
DoS attack. This will be a serious threat if the chance of an adversary hitting a honeyword, given the respective password, is not negligible. To combat such a problem, also known as DoS resistance, a low probability of such an event must be guaranteed. This can be achieved by employing unpredictable honeywords or by altering the system policy to minimize this risk. Hence, we have noted that the security policy should strike a balance between DoS vulnerability and the effectiveness of honeywords.
In the future, we would like to refine our model by involving hybrid generation algorithms to also make the total hash inversion process harder for an adversary who tries to get the passwords in plaintext form from a leaked password hash file. Hence, by developing such methods both security objectives, increasing the total effort in recovering plaintext passwords from the hashed lists and detecting the password disclosure, can be provided at the same time.
[14] D. Florencio and C. Herley, “A Large-scale Study of Web Password Habits,” in Proceedings of the 16th International Conference on World Wide Web. ACM Press, 2007, pp. 657–666.
[15] A. Pathak, “An Analysis of Various Tools, Methods and Systems to Generate Fake Accounts for Social Media,” Ph.D. dissertation, Northeastern University, Boston, 2014.
[16] D. Nagamalai, B. C. Dhinakaran, and J. K. Lee, “An In-depth Analysis of Spam and Spammers,” arXiv preprint arXiv:1012.1665, 2010.
[17] C. Biever, “Project Honeypot to Trap Spammers,” New Scientist, no. 2485, p. 26, 2005.
REFERENCES
[1] M. L. Bringer, C. A. Chelmecki, and H. Fujinoki, “A Survey: Recent Advances and Future Trends in Honeypot Research,” I.J. Computer Network and Information Security, 2012.
[2] G. Kelly and D. Gan, “Analysis of Attacks Using a Honeypot,” Springer-Verlag Berlin Heidelberg, 2011.
[3] D. Akkaya and F. Thalgott, “Honeypots in Network Security,” thesis, Linnaeus University.
[4] L. Spitzner, “Honeypots: Definitions and Value of Honeypots,” May 2003, accessed: November 2012, URL: http://www.trackinghackers.com/papers/honeypots.html.
[5] J. P. John, F. Yu, Y. Xie, A. Krishnamurthy, and M. Abadi, “Heat-seeking Design and Experience,” International World Wide Web Conference Committee, 2011.
[6] F. Zhang, S. Zhou, Z. Qin, and J. Liu, “A supplemented active defense system for Honeypot network security,” IEEE, 2003.
[7] J. Newsome, B. Karp, and D. Song, “Polygraph: Automatically Generating Signatures for Polymorphic Worms,” IEEE Symposium on Security and Privacy, 2005, pp. 226–241.
[8] Z. Li, M. Sanghi, Y. Chen, M.-Y. Kao, and B. Chavez, “Hamsa: Fast Signature Generation for Zero Day Polymorphic Worms with Provable Attack Resilience,” IEEE Symposium on Security and Privacy, 2006, pp. 15–47.
[9] B. K. Mishra and D. K. Saini, “SEIRS epidemic model with delay for transmission of malicious objects in computer network,” Applied Mathematics and Computation, Elsevier, 188 (2007).
[10] R. T. Goswami, A. Mondal, B. K. Mishra, and N. C. Mahanti, “Defending Polymorphic Worms in Computer Network using Honeypot,” International Journal of Advanced Computer Science and Applications, Vol. 3, No. 10, 2012.
[11] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, “Guess again (and again and again): Measuring Password Strength by Simulating Password-cracking Algorithms,” in Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012, pp. 523–537.
[12] J. Bonneau and S. Preibusch, “The Password Thicket: Technical and Market Failures in Human Authentication on the Web,” in WEIS, 2010.
[13] G. Notoatmodjo and C. Thomborson, “Passwords and Perceptions,” in Proceedings of the Seventh Australasian Conference on Information Security, AISC 2009. Australian Computer Society, Inc., 2009, pp. 71–78.