Zipf’s Law in Passwords

Cheng

Proceedings 2018 Network and Distributed System Security Symposium

et al. 2018

Self Cite

Abstract-Honeywords are decoy passwords associated with each user account, and they contribute a promising approach to detecting password leakage. This approach was first proposed by Juels and Rivest at CCS'13, and has been covered by hundreds of medias and also adopted in various research domains. The idea of honeywords looks deceptively simple, but it is a deep and sophisticated challenge to automatically generate honeywords that are hard to differentiate from real passwords. In JuelsRivest's work, four main honeyword-generation methods are suggested but only justified by heuristic security arguments.In this work, we for the first time develop a series of practical experiments using 10 large-scale datasets, a total of 104 million real-world passwords, to quantitatively evaluate the security that these four methods can provide. Our results reveal that they all fail to provide the expected security: real passwords can be distinguished with a success rate of 29.29%∼32.62% by our basic trawling-guessing attacker, but not the expected 5%, with just one guess (when each user account is associated with 19 honeywords as recommended). This figure reaches 34.21%∼49.02% under the advanced trawling-guessing attackers who make use of various state-of-the-art probabilistic password models. We further evaluate the security of Juels-Rivest's methods under a targeted-guessing attacker who can exploit the victim' personal information, and the results are even more alarming: 56.81%∼67.98%. Overall, our work resolves three open problems in honeyword research, as defined by Juels and Rivest.

Section: A Review Of Juels-rivest's Methodsmentioning

confidence: 99%

Section: B Two Attacking Strategiesmentioning

confidence: 99%

Section: B Two Attacking Strategiesmentioning

confidence: 99%

Section: Experimental Setupsmentioning

confidence: 99%

“…9. Fitting Dodonew passwords by using the CDF-Zipf model [28]. The probability of popular passwords decrease monotonically.…”

Section: Potential Countermeasuresmentioning

confidence: 99%

See 3 more Smart Citations

A Security Analysis of Honeywords

Cheng

Proceedings 2018 Network and Distributed System Security Symposium

et al. 2018

Self Cite

Concurrency and Computation

Provably secure signature‐based anonymous user authentication protocol in an Internet of Things‐enabled intelligent precision agricultural environment

Vangala

Das

Lee

2021

User authentication is a promising security solution in which an external user having his/her mobile device can securely access the real-time information directly from the deployed smart devices in an Internet of Things-enabled intelligent precision agricultural environment. To achieve this goal, we present a new signature-based three factor user authentication scheme. The established session key between a user and the accessed smart device is then used to make secure communication among them to fetch the real-time data of the device. A detailed security analysis including the random-oracle based formal security, formal security verification using the broadly recognized automated validation of internet security protocols and applications tool and nonmathematical informal security analysis show the robustness of the proposed scheme against a number of potential attacks. In addition, testbed experiments are performed for measuring computational time of various cryptographic primitives that are used for comparative study among the proposed scheme and other related existing competing schemes. The detailed comparative analysis shows that the proposed scheme has a better trade-off among its offered security and functionality features, and communication and computational overheads as compared with those for other competing schemes.

Concurrency and Computation

A secure protocol for patient monitoring in wireless body area networks

Tyagi

Kumari

Gupta

et al. 2023

Recently, an authentication scheme was presented for health-care in IoT for WBANs by Fotouhi et al. Authors asserted their scheme to be free from a number of attacks.Here, we find that Fotouhi et al.'s scheme suffers from insider attack, fails to provide proper authentication and bears inefficient password update phase. Therefore their scheme has security pitfalls that can lead to further security breaches. We remove the weaknesses of Fotouhi et al.'s scheme and hence propose a user authentication scheme for patient care. Our scheme is suitable for providing special care to patients in the healthcare industry. The proposed scheme facilitates health professionals to access the real-time data of patients under treatment for some diseases.It also safeguards the medical staff from catching an infection from the patients by minimizing the need to come in direct contact with the patients. We justify the security of our proposed scheme by applying the random oracle model to it. The proposed scheme is compared with some related works to judge its efficacy over the compared counterparts.