Incentivizing Collaboration for Detection of Credential Database Breaches
Mridu Nanda, Michael K. Reiter

TL;DR
This paper proposes an incentivized algorithm for sites to exchange monitoring favors, improving breach detection through collaborative honeyword monitoring, supported by model analysis and real dataset evaluation.
Contribution
It introduces an algorithm by which sites exchange monitoring favors, so that the effort a site spends watching for other sites' honeywords is rewarded with better detection of its own credential-database breach.
Findings
Increased monitoring effort for others improves breach detection for a site.
Model-checking analysis quantifies key parameters affecting detection effectiveness.
Algorithm demonstrates effectiveness on a large breached credential dataset.
Abstract
Decoy passwords, or "honeywords," alert a site to its breach if entered in a login attempt on that site. However, an attacker can identify a user-chosen password from among the decoys, without alerting the site to its breach, via credential stuffing, i.e., entering the stolen passwords at another site where a user reused her password. Prior work thus proposed that sites monitor for the entry of their honeywords at other sites, but the incentives for sites to participate in this monitoring remain unclear. In this paper, we propose and evaluate an algorithm by which sites can exchange monitoring favors. Through a model-checking analysis, we show that a site can improve its ability to detect its own breach when it increases the monitoring effort it expends for others. We quantify how key parameters impact detection effectiveness and their implications for deploying a monitoring…
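The mechanism the abstract describes, as an added illustration that is not code from the paper: a site stores a user's real password among decoy honeywords and keeps the index of the real one in a separate honeychecker; an attacker who breaches and cracks that database cannot tell the decoys apart locally without risking an alert, so stuffs all candidates at a second site where the user reused the password; and cross-site monitoring lets the second site report honeyword entries back to the breached site. The site names, user, passwords, honeywords and helper names are constructed here, and the favor-exchange algorithm itself (which the page does not spell out) is not modelled; plain salted SHA-256 stands in for a real slow password hash to keep the example short.

```python
import hashlib
import secrets

# Added example, not from the paper. All names, passwords and honeywords below are
# constructed. Salted SHA-256 is used only for brevity; a deployment would use a
# slow password hash such as bcrypt, scrypt or Argon2.


def _h(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


class Site:
    def __init__(self, name: str):
        self.name = name
        self.salt = {}        # user -> per-user salt
        self.sweetwords = {}  # user -> hashes of real password + honeywords (shuffled)
        self.real_index = {}  # the "honeychecker": user -> index of the real password
        self.monitored = {}   # user -> [(owner_site, owner_salt, owner_honeyword_hashes)]
        self.alerts = []      # breach alerts raised for THIS site

    def register(self, user: str, real_pw: str, honeywords):
        salt = secrets.token_bytes(16)
        words = list(honeywords) + [real_pw]
        secrets.SystemRandom().shuffle(words)
        self.salt[user] = salt
        self.sweetwords[user] = [_h(salt, w) for w in words]
        self.real_index[user] = words.index(real_pw)

    def honeyword_hashes(self, user: str):
        """What a site hands to a monitoring partner: its salt and honeyword hashes only."""
        real = self.real_index[user]
        return self.salt[user], [h for i, h in enumerate(self.sweetwords[user]) if i != real]

    def monitor_for(self, owner: "Site", user: str):
        """Accept a monitoring favour: watch logins for `user` for `owner`'s honeywords."""
        salt, hws = owner.honeyword_hashes(user)
        self.monitored.setdefault(user, []).append((owner, salt, set(hws)))

    def login(self, user: str, password: str) -> bool:
        if user not in self.sweetwords:
            return False
        # Cross-site check runs on every attempt, whether or not it succeeds here.
        for owner, salt, hws in self.monitored.get(user, []):
            if _h(salt, password) in hws:
                owner.alerts.append(f"honeyword for {user!r} entered at {self.name}")
        h = _h(self.salt[user], password)
        if h not in self.sweetwords[user]:
            return False
        if self.sweetwords[user].index(h) != self.real_index[user]:
            # Local honeyword hit: the sweetword list must have leaked.
            self.alerts.append(f"honeyword for {user!r} entered at {self.name}")
            return False
        return True


def credential_stuffing(candidates, target: Site, user: str):
    """Attacker tries each cracked sweetword at `target`, stopping at the first success."""
    for pw in candidates:
        if target.login(user, pw):
            return pw
    return None


def scenario(monitoring: bool):
    """Breach of site A, stuffing at site B; returns (password learned, alerts raised at A)."""
    real = "correct horse battery"
    honeywords = ["wrong horse battery", "correct mule battery", "correct horse staple"]
    a, b = Site("A"), Site("B")
    a.register("alice", real, honeywords)
    b.register("alice", real, [])  # alice reused her password at B; B has no honeywords of its own
    if monitoring:
        b.monitor_for(a, "alice")
    # The attacker has A's database and has cracked every sweetword, but not the honeychecker.
    # Candidate order is fixed (decoys first) so the run is deterministic; with a random order
    # detection happens only if some honeyword is tried before the real password is found.
    stolen = honeywords + [real]
    found = credential_stuffing(stolen, b, "alice")
    return found, len(a.alerts)


if __name__ == "__main__":
    print("no monitoring:", scenario(False))   # attacker learns the password, A sees nothing
    print("with monitoring:", scenario(True))  # B reports each decoy it sees back to A
```

Without monitoring, site A never learns it was breached even though the attacker recovered the real password, because every honeyword was entered at B, not at A. With monitoring, each decoy entered at B becomes an alert at A before the stuffing completes. How many decoys the attacker burns before hitting the real password, and at how many sites those decoys are watched, are exactly the parameters the paper's model-checking analysis quantifies.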
