Advancing Honeywords for Real-World Authentication Security
Sudiksha Das, Ashish Kundu

TL;DR
Honeywords have potential for real-world authentication security but require further research on their design, integration, and reliability to become practical deployment solutions.
Contribution
This position paper analyzes current challenges in Honeyword systems and proposes a deployable framework combining resilient decoy creation with easier integration.
Findings
Current Honeyword generation methods face flatness and integration issues.
Attacker modeling and honeychecker architecture have unresolved challenges.
A proposed framework aims to enhance deployability and security.
Abstract
Introduced by Juels and Rivest in 2013, Honeywords, which are decoy passwords stored alongside a real password, appear to be a proactive method to help detect misuse of password credentials. However, despite over a decade of research, this technique has not been adopted by major authentication platforms. This position paper argues that the core concept of Honeywords has potential but requires more research on issues such as flatness, integration, and reliability in order to become a practical, deployable solution. This paper examines the current work on Honeyword generation, attacker modeling, and honeychecker architecture, analyzing the subproblems that have been addressed and the ongoing issues that prevent this system from being more widely used. The paper then suggests a deployable framework that combines the attacker-resilient, context-aware decoy creation that Honeywords provide with easy…
