Against a backdrop of rising corporate data breaches, researchers have proposed a new protection system nicknamed Phoney. They describe their work in "Phoney: Protecting Password Hashes with Threshold Cryptology and Honeywords," published in the International Journal of Embedded Systems.
Rong Wang, Hao Chen, and Jianhua Sun of the College of Computer Science and Electronic Engineering, Hunan University, Changsha, China, explain that once a password file has been stolen, attackers can quickly crack large numbers of passwords. Their "Phoney" system employs a threshold cryptosystem to encrypt the password hashes in the password file, and uses honeywords (decoy passwords) to confuse attackers. Even if hackers have compromised the database, the phoney honeywords obfuscate and camouflage the genuine passwords. Moreover, if a honeyword is recovered from its hash and used in a login attempt, the compromised system knows to immediately block the fake user and lock down the account they tried to break into.
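To make the two mechanisms concrete, here is an added, simplified illustration written for this article; it is not the authors' code, and the paper's actual threshold construction is not described on this page. In this example the server stores, for each user, a salted hash of the real password mixed among honeyword hashes (the real position is chosen at random), and a separate "honeychecker" holds only the index of the real entry, split with a toy k-of-n Shamir secret sharing so that no single share reveals it. A login that matches a honeyword hash is treated as evidence that the password file was stolen and cracked: the account is locked immediately. All names, the field modulus, and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Field modulus for the toy Shamir split (assumption; a Mersenne prime keeps the arithmetic simple).
PRIME = 2**61 - 1


def split_secret(secret, n, k):
    """k-of-n Shamir split of an integer secret over GF(PRIME); returns n (x, y) shares."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from any k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def hash_pw(password, salt):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HoneyChecker:
    """Holds only the position of the real password per user, split k-of-n.
    In a real deployment each share would sit on a separate, hardened host."""

    def __init__(self, n=3, k=2):
        self.n, self.k = n, k
        self.shares = {}  # username -> list of (x, y) shares

    def set_index(self, username, index):
        self.shares[username] = split_secret(index, self.n, self.k)

    def is_real(self, username, candidate_index):
        # Any k shares suffice; here we take the first k of the n stored.
        return candidate_index == recover_secret(self.shares[username][: self.k])


class PasswordStore:
    """Password file: per user, a salt and the hashes of all sweetwords (real + honeywords)."""

    def __init__(self, checker):
        self.checker = checker
        self.users = {}    # username -> (salt, [hashes])
        self.locked = set()

    def register(self, username, password, honeywords):
        sweetwords = list(honeywords)
        real_index = secrets.randbelow(len(sweetwords) + 1)
        sweetwords.insert(real_index, password)   # hide the real one at a random position
        salt = os.urandom(16)
        self.users[username] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_index(username, real_index)

    def login(self, username, password):
        """Returns 'ok', 'fail', 'locked', or 'honeyword' (alarm: account locked)."""
        if username in self.locked:
            return "locked"
        salt, hashes = self.users[username]
        h = hash_pw(password, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                if self.checker.is_real(username, idx):
                    return "ok"
                # A cracked honeyword was presented: the password file has leaked.
                self.locked.add(username)
                return "honeyword"
        return "fail"


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    store = PasswordStore(HoneyChecker())
    store.register("alice", "correct horse", ["battery staple", "purple monkey"])
    print(store.login("alice", "correct horse"))    # ok
    print(store.login("alice", "battery staple"))   # honeyword -> account locked
    print(store.login("alice", "correct horse"))    # locked
```

The detection signal comes from the honeychecker, not from the password file: an attacker who cracks the file sees several equally plausible hashes per account and cannot tell which is genuine without also compromising enough share holders to reconstruct the index.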
Until a secure and safe alternative is found, passwords will remain the simplest and most effective way to log in to online systems, such as shopping, banking, and social media sites. Password lists stored by providers can be salted and hashed to make it harder for hackers to recover the original passwords, and users can help themselves by choosing long, sophisticated passwords. However, the hashes that mask a password database can themselves be cracked; breaches happen, and data is inevitably compromised. For example, recently 6.5 million logins from a major social networking site were stolen, and within a week almost two-thirds of those passwords had been cracked, leaving a large proportion of the user base vulnerable to further exploitation and compromise of their personal data.
"Phoney is helpful to existing password authentication systems and easy to deploy," the team explains. "It requires no modifications to the client, and just changes how the password is stored on the server, which is invisible to the client." They have carried out tests that show the system's time and storage costs are acceptable.
"Of course, it is impossible for Phoney to guarantee no password leak absolutely in all possible scenarios," the researchers say. But the so-called cracking 'search space,' i.e., the amount of effort a hacker needs to breach the data, is increased significantly.