Title: Phoney: protecting password hashes with threshold cryptology and honeywords

Authors: Rong Wang; Hao Chen; Jianhua Sun

Addresses: College of Computer Science and Electronic Engineering, Hunan University, Changsha, China ' College of Computer Science and Electronic Engineering, Hunan University, Changsha, China ' College of Computer Science and Electronic Engineering, Hunan University, Changsha, China

Abstract: Password file disclosure has attracted a lot of attention recently. Once password files are stolen, attackers can quickly crack large numbers of passwords. In this paper, we propose Phoney, a system which employs a threshold cryptosystem to encrypt the password hashes in the password file and honeywords to confuse attackers. With the help of Phoney, attackers cannot get any password information easily even they steal the password files. All the password hashes are encrypted by our threshold cryptosystem. Even they are able to compromise the cryptosystem, attackers cannot identify the real password easily because of the false passwords (honeywords) deliberately added for each account to confuse the adversaries. In addition, attempts of submitting a honeyword will cause alarms to be set off. Experiments show that the time and storage cost of Phoney are acceptable, but the cracking search space is increased significantly.

Keywords: authentication; threshold cryptosystems; honeywords; password leaks; password hashes; password file disclosure; password protection; passwords; cryptography; password hash encryption.

DOI: 10.1504/IJES.2016.076108

International Journal of Embedded Systems, 2016 Vol.8 No.2/3, pp.146 - 154

Received: 22 Sep 2014
Accepted: 01 Nov 2014
Published online: 26 Apr 2016 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article