Authors: Rong Wang; Hao Chen; Jianhua Sun
Addresses: College of Computer Science and Electronic Engineering, Hunan University, Changsha, China ' College of Computer Science and Electronic Engineering, Hunan University, Changsha, China ' College of Computer Science and Electronic Engineering, Hunan University, Changsha, China
Abstract: Password file disclosure has attracted a lot of attention recently. Once password files are stolen, attackers can quickly crack large numbers of passwords. In this paper, we propose Phoney, a system which employs a threshold cryptosystem to encrypt the password hashes in the password file and honeywords to confuse attackers. With the help of Phoney, attackers cannot get any password information easily even they steal the password files. All the password hashes are encrypted by our threshold cryptosystem. Even they are able to compromise the cryptosystem, attackers cannot identify the real password easily because of the false passwords (honeywords) deliberately added for each account to confuse the adversaries. In addition, attempts of submitting a honeyword will cause alarms to be set off. Experiments show that the time and storage cost of Phoney are acceptable, but the cracking search space is increased significantly.
Keywords: authentication; threshold cryptosystems; honeywords; password leaks; password hashes; password file disclosure; password protection; passwords; cryptography; password hash encryption.
International Journal of Embedded Systems, 2016 Vol.8 No.2/3, pp.146 - 154
Available online: 26 Apr 2016Full-text access for editors Access for subscribers Purchase this article Comment on this article