Honeywords provide additional password security
Corporate data breaches seem to be on the rise; rarely a week passes without a company revealing that its database has been hacked and that usernames, passwords, credit card details and its customers’ personal information have been leaked onto the open internet. A new protection, nicknamed Phoney, is reported in the International Journal of Embedded Systems.
Rong Wang, Hao Chen and Jianhua Sun of the College of Computer Science and Electronic Engineering, Hunan University, Changsha, China, explain that once password files have been stolen, attackers can quickly crack large numbers of passwords. Their “Phoney” system employs a threshold cryptosystem to encrypt the password hashes in the password file and honeywords to confuse attackers. Even if hackers have compromised a database, the phoney passwords, the honeywords, obfuscate and camouflage the genuine ones. Moreover, if those honeywords are cracked from their hashes and used in a login attempt, the hacked system will know to immediately block the fake user and lock down the account they tried to break into.
Until a secure and safe alternative is found, passwords will remain the simplest and most effective way to log in to online systems, such as shopping, banking and social media sites. Password lists stored by the providers can be salted and hashed to make it harder for hackers to recover them, and users can help themselves by using long, sophisticated passwords. However, the hashes used to mask a password database can themselves be cracked, breaches happen, and data is inevitably compromised. For example, recently 6.5 million logins from a major social networking site were stolen, and within a week almost two-thirds of those passwords had been cracked, making a large proportion of the user base vulnerable to further exploitation and compromise of their personal data.
The team explains that, “Phoney is helpful to existing password authentication systems and easy to deploy. It requires no modifications to the client, and just changes how the password is stored on the server, which is invisible to the client.” They have carried out tests and show that the time and storage costs are acceptable. “Of course, it is impossible for Phoney to guarantee no password leak absolutely in all possible scenarios,” they say. But the so-called cracking ‘search space’, in other words the amount of effort a hacker needs to breach the data, is increased significantly.
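The honeyword check described above, sketched as an added example that is not from the article or the Phoney paper: it uses a generic honeyword layout in which the index of the genuine entry is held on a separate system, and it does not model Phoney's threshold encryption. The class and method names, the sample passwords and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor; assumed value for this demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class HoneywordStore:
    """Hypothetical server-side store; the client still just sends a password."""

    def __init__(self):
        self.password_file = {}  # user -> (salt, [hash, ...]); what a breach leaks
        self.real_index = {}     # user -> position of the genuine hash; kept apart
        self.locked = set()      # accounts locked after a honeyword was used

    def enroll(self, user, password, honeywords):
        if password in honeywords:
            raise ValueError("honeywords must differ from the real password")
        salt = secrets.token_bytes(16)
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide which entry is genuine
        self.password_file[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.real_index[user] = sweetwords.index(password)

    def login(self, user, attempt):
        if user in self.locked or user not in self.password_file:
            return "denied"
        salt, hashes = self.password_file[user]
        candidate = _hash(attempt, salt)
        match = next((i for i, h in enumerate(hashes)
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return "denied"            # ordinary wrong password
        if match == self.real_index[user]:
            return "ok"                # genuine password
        # A honeyword can only be known to someone who cracked the stolen file.
        self.locked.add(user)
        return "breach-alarm"


# Constructed sample data: one real password hidden among two honeywords.
store = HoneywordStore()
store.enroll("alice", "correct horse 42", ["correct mouse 17", "select horse 90"])
```

An attacker who cracks every hash in `password_file` still sees three equally plausible candidates per account, and submitting either of the two decoys locks the account and signals that the file has been stolen.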
Learn more: Phoney protection for passwords