Interactive demonstration of the honeywords system described in the paper:
Juels and R. Rivest, "Honeywords: Making password-cracking detectable", in ACM SIGSAC Conference on Computer & Communications Security, 2013.
Every user account has several possible passwords, only one of which is genuine; the others are called honeywords.
The paper describes several methods for generating honeywords:
- Tweaking: tweak selected character positions of the password to obtain honeywords.
- Password-model: generate honeywords from a probabilistic model of real passwords.
- Tough nuts: include several "tough nuts" in the honeyword list, i.e. hashed passwords that the adversary is unable to crack.
- Take-a-tail: append random digits to the user-proposed password.
- Hybrid: a combination of the password-model and tweaking methods.
The honeychecker is an auxiliary server that can distinguish the real user password from the honeywords during the login routine, and sets off an alarm if a honeyword is submitted.
It is a separate system where the secret information is stored: for each user index, the index of the corresponding real password.
The login server communicates with the honeychecker using the commands `set` and `check`.
- sugarword: the correct user password.
- honeyword: a false password, acting as a honeypot.
- sweetwords: the list containing one sugarword + (k-1) honeywords.
- shadowfile: the hashed password file.
- table_c: the table in the honeychecker where the secret information is stored, i.e. the user index and the corresponding correct password index.
- flatness: the adversary's expected probability of guessing the right password.
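As an added illustration of how these pieces fit together (example code written for this page, not the repository's own server.py): the tweaking method produces k sweetwords, the login server keeps only their hashes in its shadow file, and the honeychecker holds table_c, answers `check`, and records an alarm whenever the submitted sweetword is a honeyword. The class names, the `k`, `positions` and `rng` parameters, and the use of salted SHA-256 as the shadow-file hash are assumptions made for this example.

```python
import hashlib, os, random

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def tweak_honeywords(password, k, positions=(-1, -2), rng=random):
    """Tweaking: re-roll the characters at `positions` until k distinct sweetwords exist."""
    words = {password}
    while len(words) < k:
        chars = list(password)
        for p in positions:
            chars[p] = rng.choice(ALPHABET)
        words.add("".join(chars))
    sweetwords = list(words)
    rng.shuffle(sweetwords)  # the sugarword must not sit at a predictable index
    return sweetwords, sweetwords.index(password)

def hash_pw(salt, word):
    return hashlib.sha256(salt + word.encode()).hexdigest()

class HoneyChecker:
    """Separate system holding table_c: user index -> index of the sugarword."""
    def __init__(self):
        self.table_c = {}
    def set(self, user_idx, correct_idx):
        self.table_c[user_idx] = correct_idx
    def check(self, user_idx, idx):
        return self.table_c.get(user_idx) == idx

class LoginServer:
    """Holds only the shadow file (hashed sweetwords); cannot tell which one is real."""
    def __init__(self, checker, rng=random):
        self.checker, self.rng = checker, rng
        self.shadow = {}   # user_idx -> (salt, [hash of each sweetword])
        self.alarms = []   # (user_idx, honeyword index) for every honeyword login
    def chpwd(self, user_idx, password, k=5):
        sweetwords, c = tweak_honeywords(password, k, rng=self.rng)
        salt = os.urandom(16)
        self.shadow[user_idx] = (salt, [hash_pw(salt, w) for w in sweetwords])
        self.checker.set(user_idx, c)   # only the honeychecker learns c
        return sweetwords               # returned for the demonstration only
    def login(self, user_idx, attempt):
        salt, hashes = self.shadow[user_idx]
        h = hash_pw(salt, attempt)
        if h not in hashes:
            return "reject"             # not a sweetword: ordinary failed login
        j = hashes.index(h)
        if self.checker.check(user_idx, j):
            return "ok"
        self.alarms.append((user_idx, j))  # a honeyword was submitted
        return "alarm"
```

Because the shadow file alone does not reveal which hash belongs to the sugarword, an adversary who cracks it and tries a honeyword triggers the alarm rather than a silent success.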
Run the server with `python3 server.py` or `py server.py`.
To change the log level, modify the logging line in server.py:
`logging.basicConfig(format="%(levelname)s: %(message)s", level=logging.DEBUG)`
To change the honeyword generation parameters, modify the params passed in function chpwd in server.py:
`gen.legacy_UI(params=...)`