Interactive demonstration of the honeywords system described in paper.
Juels and R. Rivest. "Honeywords: Making password-cracking detectable." In ACM SIGSAC conference on Computer & communications security, 2013
All users have multiple possible passwords for each account, only one of which is genuine, the others are called honeywords.
Several algorithms (methods) for honeywords generation are mentioned in the paper.
- Tweaking: Tweak the selected character positions in the password to obtain honeywords.
- Password-model: Generates honeywords using a probabilistic model of real passwords.
- Tough nuts: Honeywords list contains several tough nuts. (hashed passwords that the adversary is unable to crack)
- Take-a-tail: Append random digits to the user-proposed password.
- Hybrid: The combination of password-model and tweaking methods.
An auxiliary server that can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
It is a separated system where secret information is stored. The secret information is composed of user index and the
corresponding real password index (per user).
Communicate with the honeychecker by using command set and check.
-
honeychecker set
-
honeychecker check
sugarwordcorrect user password.honeywordfalse password, acting as a honeypot.sweetwordscontaining one sugarword + (k-1) honeywords.shadowfilehashed password file.table_ctable in honeychecker where secret information stored, including user index and corresponding correct password index.flatnessthe adversary’s expected probability of guessing the right password.
python3 server.py
or
py server.py
modify the log level in logging line in server.py
logging.basicConfig(format="%(levelname)s: %(message)s", level=logging.DEBUG)
modify the params in function chpwd in server.py
gen.legacy_UI(params=...)