Answer To : Please go through the attached file.
Taruna Aggarwal answered on Apr 22 2022
This article proposes a simple way for enhancing password security. Honeywords
are made-up passwords that are connected with each user's account. Honeychecker is an auxiliary server
that can tell the difference between a user's password and honeywords for the login procedure, and will
raise an alert if a honeyword is entered. When an opponent obtains a file of hashed passwords and inverts
the hash algorithm, he has no way of knowing whether he has discovered the password or a honeyword.
An attempt to log in using a honeyword raises an alert. There are numerous methods for addressing the
issue by making the hashed password more difficult and time-consuming, however the problem with this
method is that it slows down the authentication process. Another option is to construct a phoney account
known as a "honeypot account," which may be used to raise an alert when an enemy tries to login, but this
has its own set of drawbacks. The recommended technique is to generate numerous potential passwords
for each account, with only one of them being authentic.
The suggested technique for honeyword generation is detailed in this section. It
essentially presents a number of flat creation techniques, each of which differentiates between two
scenarios: legacy-UI and modified-UI. The password-change UI remains unaltered in legacy-UI
processes, however it is updated in modified-UI procedures to enable for improved password/ honeyword
creation. An adversary will have difficulties detecting the password pi for the user ui among the k
honeywords. A honeyword generating technique Gen(k; pi), also known as the "chaff procedure," creates
a set of k extra different honeywords ("chaff") and sets the password and honeywords in random order in
a list Wi.
Pick a random password from a collection of thousands of genuine passwords
and measure its length to create a honeyword. Then, using a random method of replacing the initial
character of the password with a random number, decide the characters of a new password.
To get the honeywords, the first approach is to adjust selected character places of
the password by replacing the characters in those positions with randomly picked characters of the same
kind. The password tails are referred to as "sugar," while the honeyword tails are referred to as "honey,"
and passwords are tweaked by selecting the final number and the last special-character position.
Our second technique creates honeywords by utilising a probabilistic model of
genuine passwords; this model might be based on a supplied list L of hundreds or millions of passwords,
as well as other factors. Some honeywords that are more difficult to break than the ordinary would be
nice. Instead of a totally broken list, the enemy would be handed a partial list of sweetwords. Including
some difficult nuts among the honeywords may cause the opponent to stop before cracking the remaining
passwords. Tough-nuts generation is the name given to this approach.
Take-a-tail is another approach for honeyword production. By forcing new
passwords to include system-chosen random password tails, the take-a-tail approach solves the issue of
poorly-chosen password tails. We propose using the take-a-tail generation strategy on any system where
password security is critical. Although a breach of the password-hash file F may provide an attacker
access to the password-head, the user's sugar would be created individually and randomly on each
Another honeyword generating approach is known as the random-pick
honeyword generation method. When combined with a list of k sweetwords created by an algorithmic
password generator, the random select technique does not utilise any of the information in the list to assist
the machine in choosing a password. We now show a flat-UI approach that has been modified. The user
may, for example, provide k unique sweetwords, which are subsequently used to construct a password.
Hybrid generation process is another option. If any of the flatness criteria
applies, the hybrid honeyword strategy is quite safe. By combining the advantages of multiple honeyword
generating processes into a "hybrid" system, you may get the best of both worlds. For example, chaff may
be used with a password composition policy by changing digits.
If the honeychecker or the computer system's interactions with the honeychecker
are attacked, the computer system may be configured to temporarily promote honeywords as valid
passwords. We can establish per-user rules and employ honeypot accounts to detect and differentiate
between F theft and DoS attempts. A honeyword generator may provide a password that the enemy will
never be able to guess. Users should select a password that a honeyword generator may produce or that a
physics-savvy user is likely to generate.
On a hardened computer system, it is expected that secret information, such as
salts and other hashing parameters, may be securely stored. When a login attempt is performed, it is also
presumed that this computer system can interact with the computer system. The honeychecker may signal
to the computer system to refuse the login, or it may just transmit a quiet warning to an administrator,
depending on its policies. A rudimentary kind of distributed security is provided by combining a
honeychecker with a computer system. To protect the whole system from being compromised, the
honeychecker database and computer system are separated into distinct administrative domains and run
on different operating systems. Honeywords can be easily integrated into current password systems with
few system modifications and minimal compute and communication cost. The contact with the user is
illustrated in this manner by permitting a user-supplied password pi in addition to a randomised password
The system alerted the honeychecker of the new value of the index in the user's
password list when user ui updated her password, or set it up when her account was newly created. When
a user inputs one of their honeywords, the system can discern whether the word is the user's password or
one of their honeywords, and then take appropriate action, such as shutting down the system and requiring
new passwords. Somebody asked to be logged in as user ui and gave a sweetword, which was compared
to a list of sweetwords. The honeychecker checks to see whether j = c(i) and then performs the necessary
action based on policy. If a user's password does not appear in the first five components of a random
password list, the account will most likely be locked out and additional inquiry will be conducted.
An algorithm for creating honeywords Gen may be employed in a competitive
game in which the opponent must pass or guess a honeyword. There are three possible outcomes: the
opponent may either guess right or pass. If the value of the adversary's winning probability is greatest, a
honeyword generating process is "flat." The term "approximally flat" refers to the likelihood of winning
being less than 1/k. If Gen is exactly flat, an attacker has a 5 percent probability of guessing the right
password for a given value of k. In certain circumstances, detecting...
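As an added example (not code from the paper or from the answer above), the pieces the answer describes end to end in Python: a chaffing-by-tweaking generator Gen(k; p_i) that returns k sweetwords (the password plus k-1 honeywords, so a flat Gen gives a 1/k guess), the computer system's sweetword-hash file F, and the honeychecker that stores only c(i) and answers whether a submitted index j equals c(i). The function names, the "Set"/"Check" message labels, the demo hash and the sample password are assumptions, not the paper's API.

```python
import hashlib, random, string

class Honeychecker:
    """Auxiliary server holding only c(i); it never sees the sweetwords."""
    def __init__(self):
        self._c, self.alerts = {}, []
    def set_index(self, user, c):          # message 'Set: i, c'
        self._c[user] = c
    def check(self, user, j):              # message 'Check: i, j'
        if self._c.get(user) == j:
            return True
        self.alerts.append(user)           # policy: alert on a honeyword
        return False

def tweak(password, rng, positions=3):    # chaffing by tweaking the last chars
    chars = list(password)
    for i in range(max(0, len(chars) - positions), len(chars)):
        ch = chars[i]                      # re-draw from the same character kind
        pool = (string.digits if ch.isdigit() else string.ascii_uppercase if ch.isupper()
                else string.ascii_lowercase if ch.isalpha() else string.punctuation)
        chars[i] = rng.choice(pool)
    return "".join(chars)

def gen(password, k, rng):
    """Gen(k; p_i): k distinct sweetwords in random order, plus the index c of p_i."""
    honeywords = set()
    while len(honeywords) < k - 1:
        hw = tweak(password, rng)
        if hw != password:
            honeywords.add(hw)
    words = sorted(honeywords) + [password]
    rng.shuffle(words)
    return words, words.index(password)

def _h(salt, word):   # demo hash; a deployment would use a slow salted password hash
    return hashlib.sha256(salt + word.encode()).hexdigest()

def set_password(file_f, checker, user, password, k=20, seed=None):
    rng = random.Random(seed)             # seeded only so the example is reproducible
    words, c = gen(password, k, rng)
    salt = bytes(rng.getrandbits(8) for _ in range(16))
    file_f[user] = (salt, [_h(salt, w) for w in words])   # file F: hashes of all k sweetwords
    checker.set_index(user, c)            # only the honeychecker learns which one is real
    return words

def login(file_f, checker, user, submitted):
    salt, hashes = file_f[user]
    h = _h(salt, submitted)
    if h not in hashes:
        return "reject"                   # not a sweetword at all: ordinary failed login
    return "accept" if checker.check(user, hashes.index(h)) else "honeyword-alert"
```

A stolen copy of `file_f` alone gives an attacker k equally plausible candidates per user; submitting the wrong one is what trips the alert.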