The Impact of Exposed Passwords on Honeyword Efficacy
Zonghao Huang, Lujo Bauer, Michael K. Reiter

TL;DR
This paper investigates the effectiveness of honeywords in detecting credential leaks, revealing limitations of existing algorithms especially for user-chosen passwords, and highlighting the need for improved generation methods.
Contribution
It identifies the shortcomings of current honeyword-generation algorithms under realistic threat models and proposes that using the same password generator as the user can improve deception.
Findings
Existing algorithms fail to achieve ideal false-positive and false-negative rates for user-chosen passwords.
State-of-the-art methods produce honeywords that are not sufficiently deceptive for algorithmically generated passwords.
Using the same password generator as the user can enhance honeyword deception, but effectiveness depends on the defender's inference accuracy.
Abstract
Honeywords are decoy passwords that can be added to a credential database; if a login attempt uses a honeyword, this indicates that the site's credential database has been leaked. In this paper we explore the basic requirements for honeywords to be effective, in a threat model where the attacker knows passwords for the same users at other sites. First, we show that for user-chosen (vs. algorithmically generated, i.e., by a password manager) passwords, existing honeyword-generation algorithms do not simultaneously achieve false-positive and false-negative rates near their ideals of and , respectively, in this threat model, where is the number of honeywords per account. Second, we show that for users leveraging algorithmically generated passwords, state-of-the-art methods for honeyword generation will produce honeywords that are not sufficiently…
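The abstract describes the honeyword mechanism (a real password stored alongside decoys, with a login on a decoy signalling a database leak) and the threat model in which the attacker also knows the user's password at another site. The following is an added example, not code from the paper or its authors: a minimal honeychecker split from the credential store, plus two evaluation helpers. The ideal false-negative rate it computes is the well-known 1/(k+1) for an attacker who holds the leaked sweetword list but no side information and so guesses uniformly; the "informed" attacker model, which picks the sweetword closest by edit distance to a password exposed at another site, is an assumption used only to illustrate the effect the paper studies. The account, passwords and honeyword lists are constructed sample data, and the two honeyword strategies are hypothetical.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass


def _hash_sweetword(pw: str, salt: bytes) -> bytes:
    # Sweetwords are stored hashed like any password; honeywords must be
    # indistinguishable from the real one within the database itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    sweetword_hashes: list  # real password + k honeywords, in shuffled order


class HoneyChecker:
    """Separate component that stores only the index of each user's real password.

    A leak of the credential database alone does not reveal which sweetword is
    real, because that information lives here, not in the database.
    """

    def __init__(self) -> None:
        self._real_index: dict = {}

    def register(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


class CredentialStore:
    def __init__(self, checker: HoneyChecker) -> None:
        self.checker = checker
        self.accounts: dict = {}
        self.alarms: list = []  # users for whom a honeyword was submitted

    def add_account(self, user: str, password: str, honeywords: list) -> None:
        sweetwords = [password] + list(honeywords)
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, [_hash_sweetword(s, salt) for s in sweetwords])
        self.checker.register(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'fail', or 'alarm' (a honeyword was submitted: leak indicator)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "fail"
        h = _hash_sweetword(attempt, acct.salt)
        for i, stored in enumerate(acct.sweetword_hashes):
            if secrets.compare_digest(h, stored):
                if self.checker.is_real(user, i):
                    return "ok"
                self.alarms.append(user)
                return "alarm"
        return "fail"


def ideal_false_negative_rate(k: int) -> float:
    """Attacker with the leaked sweetword list but no side information guesses
    uniformly among k+1 sweetwords; only the real one goes undetected."""
    return 1.0 / (k + 1)


def edit_distance(a: str, b: str) -> int:
    # Standard Levenshtein distance, used here only as a similarity measure.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def informed_guess_false_negative_rate(sweetwords: list, real: str, exposed_elsewhere: str) -> float:
    """Hypothetical model of the paper's threat model: the attacker knows this
    user's password at another site and picks the sweetword closest to it,
    breaking ties uniformly. Returns the probability the real password is
    picked, i.e. the probability that detection fails."""
    dists = {s: edit_distance(s, exposed_elsewhere) for s in sweetwords}
    best = min(dists.values())
    candidates = [s for s, d in dists.items() if d == best]
    return 1.0 / len(candidates) if real in candidates else 0.0


# Constructed sample data (not from the paper).
REAL = "Summer2019!"
EXPOSED_AT_OTHER_SITE = "Summer2018!"  # the same user's tweaked reuse elsewhere
UNRELATED_HONEYWORDS = ["x7Qp!r9Lm2", "blueFish#44", "Tr0ub4dor&3"]  # strategy A
TWEAKED_HONEYWORDS = ["Summer2017!", "Summer2021!", "Autumn2019!"]  # strategy B


def demo() -> dict:
    store = CredentialStore(HoneyChecker())
    store.add_account("alice", REAL, TWEAKED_HONEYWORDS)
    return {
        "real_login": store.login("alice", REAL),
        "honeyword_login": store.login("alice", TWEAKED_HONEYWORDS[0]),
        "wrong_login": store.login("alice", "nope"),
        "ideal_fn": ideal_false_negative_rate(len(TWEAKED_HONEYWORDS)),
        "fn_unrelated": informed_guess_false_negative_rate(
            [REAL] + UNRELATED_HONEYWORDS, REAL, EXPOSED_AT_OTHER_SITE),
        "fn_tweaked": informed_guess_false_negative_rate(
            [REAL] + TWEAKED_HONEYWORDS, REAL, EXPOSED_AT_OTHER_SITE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With three honeywords the uniform-guessing ideal is a 0.25 false-negative rate, but against the informed attacker the unrelated honeywords (strategy A) give a false-negative rate of 1.0, because the real password is uniquely closest to the cross-site password, while honeywords that share its structure (strategy B) bring it down to 0.5. That gap between the ideal and the informed-attacker rate is what the abstract's first finding measures for real generation algorithms.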
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Privacy, Security, and Data Protection
