
Achieving Flatness: Selecting Honeywords From Existing User Passwords

1 Ankit Bhanushali, 2 Atish Chavan, 3 Sandip Maurya

1 ankitb458@gmail.com, 2 atishchavan121@gmail.com, 3 sandeepmaurya1233@gmail.com

Abstract: Each user account's legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, a cyber attacker who steals a file of hashed passwords cannot be sure, for any account, whether a given entry is the real password or a honeyword. Moreover, logging in with a honeyword will trigger an alarm notifying the administrator about a password file breach. The simple but clever idea behind this system is the insertion of false passwords, called honeywords, associated with each user's account. In this work we scrutinize the honeyword system and present some remarks to highlight possible weak points; an attacker who is able to steal a copy of the password database will not know whether the information it contains is real or fake.

Keywords: Authentication, honeypot, honeywords, login, passwords, password cracking.

I. INTRODUCTION

Basically, the simple but clever idea behind the study is the insertion of false passwords, called honeywords, associated with each user's account [1]. When an adversary gets the password list, she recovers many password candidates for each account and cannot be sure which word is genuine. Hence, the cracked password files can be detected by the system administrator if a login attempt is made with a honeyword by the adversary. We use the notations and definitions to simplify the description of the honeyword scheme.

In this respect, there are two issues that should be considered to overcome these security problems. First, the passwords must be protected by taking appropriate precautions and storing them as hash values computed through salting or some other complex mechanism [3]. Hence, for an adversary it must be hard to invert the hashes to acquire plaintext passwords. The second point is that a secure system should detect whether a password file disclosure incident has happened or not, in order to take appropriate actions [1]. In this study, we focus on the latter issue and deal with fake passwords or accounts as a simple and cost-effective solution to detect the compromise of passwords. A honeypot is one of the methods to identify the occurrence of a password database breach. In this approach, the administrator purposely creates decoy user accounts to lure adversaries and detects a password disclosure if any one of the honeypot passwords gets used [6]. Designing a secure environment using honeywords overcomes the password-crack detection problem, and security policies should reduce cyber-attacks. This system selects the honeywords from the existing passwords of users and reduces the storage cost of the honeyword scheme [5].

II. LITERATURE SURVEY

This idea has been modified by C. Herley and D. Florencio [7] to protect online banking accounts from password brute-force attacks. According to the study, for each user, incorrect login attempts with some passwords lead to honeypot accounts, i.e. malicious behavior is recognized. For instance, there are 10^8 possibilities for an 8-digit password; if the system links 10000 wrong passwords to honeypot accounts, an adversary performing a brute-force attack is 10000 times more likely to hit a honeypot account than the genuine account. Use of
decoys for building theft-resistant systems was introduced by Bojinov et al. and is called Kamouflage. In this model, fake password sets are stored with the real user password set to conceal the real passwords, thereby forcing an adversary to carry out a considerable amount of online work before getting the correct information. Recently, Juels and Rivest have presented the honeyword mechanism to detect an adversary who attempts to log in with cracked passwords.

C. A Large-Scale Study of Web Password Habits

This paper describes a study of password use and password reuse habits. They measured the average number of passwords and the average number of accounts each user has, as well as the number of times a user enters a password per day. From this data they estimated password strength, how passwords vary by site, and the number of times users forgot a password. Their findings showed that users choose weak passwords; they measured exactly how weak. They measured the number of distinct passwords used by a client vs. the age of the client in days, and also the number of sites per password vs. the age of the client in days. They also analyzed password strength. We are able to estimate the number of accounts that users maintain, the number of passwords they type per day, and the percentage of phishing victims in the overall population [3][4].

E. Examination of a New Defense Mechanism: Honeywords

This paper describes how hashed passwords are used to improve security. For user authentication, false passwords, called honeywords, are added to the hashed password file. They analyzed the honeyword system from both the functionality and the security perspective. They also elaborated how the system will respond to six password-related attacks. Improvements for honeywords are described briefly, i.e. the number of honeywords, typo-safe honeyword generation and the old-passwords problem. Assumptions are illustrated for an active attack against the honeyword system. They concluded that the honeyword system is a powerful defense mechanism in the case where an adversary steals the file of password hashes and inverts most or many of the hashes [6][7].

III. PROPOSED SYSTEM

The following figure shows the system architecture, which has an application side and a client side. At the application side, user authentication, file upload, and obtaining the encryption and decryption keys of the client will be done [1].

For example, to check whether SQL injection attacks are possible, vulnerability scanners send modified requests and analyse the responses returned by the server. A server may respond with a rejection page or with an execution page. A rejection page corresponds to the detection of syntactically incorrect or invalid inputs. An execution page is returned by the server as a consequence of a successful execution of the request. This page corresponds to legitimate use of the web site, but may also result from a successful exploitation of an injection attack [5].
ARCHITECTURE:

Figure 4.2.1 Proposed Architecture

IV. ALGORITHM

Inputs:
[1] T fake user accounts (honeypots)
[2] An index value in [1, N] from the index list, which has not previously been assigned to a user

Procedure:

Step 1: Honeypot creation (fake user accounts)
A) For each account a honeyindex set is created, Xi = (xi,1, xi,2, ..., xi,k); one of the elements in Xi is the correct index (sugar index), denoted ci.
B) Create two password files, F1 and F2. F1 stores the username and the honeyindex set, <hui, Xi>, where hui is the honeypot account. F2 keeps the index number and the corresponding hash of the password (the hash of the password is created here), <ci, H(pi)>.

Step 2: Generation of the honeyindex set
In Step 1 we insert the honeyindex set into file F1, but we have not yet said how to create it. We use the honeyindex generator algorithm Gen(k, SI) -> (ci, Xi):
a. Generate Xi by randomly selecting k-1 numbers from SI and also randomly picking a number ci from SI.
b. The pair (ui, ci) is delivered to the honeychecker, and the F1 and F2 files are updated.

Step 3: Honeychecker
Set: ci, ui
Sets the correct password index ci for the user ui.
Check: ui, j
Checks whether ci for ui is equal to the given j. Returns the result and, if equality does not hold, notifies the system of a honeyword situation.

V. APPLICATIONS
1. This system can be useful to avoid DoS attacks.
2. This system helps to prevent brute-force attacks, which are very common.
3. This system has advantages over other systems, as it is easy to generate honeywords and the complexity level is low.
4. This system can also be used in various banking operations for security purposes.
5. This system saves our files from hackers.
6. This system gives an instant alert to the user or admin in case of unauthorized access to a user account.

VI. CONCLUSION
As per the analyzed data, this work deals with the security of the honeyword system. This system helps both the user and the admin. The user gets an instant alert when a hacker tries to access his account. Also, the hacker will see a list of decoy files in the system, so he believes that he has hacked the account. According to the analysis presented, a new approach makes the generation algorithm as close as possible to human nature by generating honeywords through randomly picking passwords that belong to other users in the system. As per the study, we compared the proposed
model with other methods with respect to DoS resistance, flatness, storage cost and usability properties.
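The honeyindex scheme of Section IV (Steps 1 to 3), as an added worked example in Python; this code is not from the paper or its authors. It assumes salted PBKDF2-HMAC-SHA256 as H(p), since the paper does not fix a hash function; it reads Step 2 so that the fresh sugar index ci is drawn from the unassigned index list while the k-1 honey indexes point at hashes already stored in F2 (the honeypots and earlier users, which is what makes the honeywords existing user passwords); it lets the first accounts receive fewer than k-1 honey indexes while F2 is still being seeded; and it gives honeypot accounts no entry on the honeychecker, so that any hash match on them is reported. The class and function names, the account names and the passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import random

# Added example, not the paper's code: honeyindex scheme of Section IV with a
# separate honeychecker (Step 3), salted hashes in F2 and a login routine that
# reports a honeyword situation. Names, parameters and accounts are constructed.

_rng = random.SystemRandom()   # CSPRNG for index selection
PBKDF2_ITERS = 100_000         # assumed; the paper does not fix H()


def H(password: str, salt: bytes) -> bytes:
    """Salted password hash H(p); PBKDF2-HMAC-SHA256 is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class HoneyChecker:
    """Step 3: auxiliary server that stores only (ui -> ci), never hashes."""

    def __init__(self) -> None:
        self._ci: dict[str, int] = {}
        self.alarms: list[tuple[str, int]] = []   # (ui, j) honeyword events

    def set(self, ui: str, ci: int) -> None:
        self._ci[ui] = ci

    def check(self, ui: str, j: int) -> bool:
        ok = self._ci.get(ui) == j
        if not ok:                 # index j was a honey index: raise the alarm
            self.alarms.append((ui, j))
        return ok


class HoneyIndexServer:
    """Main server holding F1 (ui -> Xi) and F2 (index -> (salt, H(p)))."""

    def __init__(self, N: int, k: int, checker: HoneyChecker) -> None:
        self.k = k
        self.SI = list(range(1, N + 1))      # indexes in [1, N] not yet assigned
        self.assigned: list[int] = []        # sugar indexes already in use
        self.F1: dict[str, list[int]] = {}
        self.F2: dict[int, tuple[bytes, bytes]] = {}
        self.checker = checker

    def gen(self) -> tuple[int, list[int]]:
        """Gen(k, SI) -> (ci, Xi). Assumed reading of Step 2: ci is a fresh
        index; the honey indexes point at hashes already in F2, so the
        honeywords are other accounts' real passwords. While F2 is still
        being seeded an account may get fewer than k-1 honey indexes."""
        if not self.SI:
            raise ValueError("no free index left in [1, N]")
        honey = _rng.sample(self.assigned, min(self.k - 1, len(self.assigned)))
        ci = _rng.choice(self.SI)
        self.SI.remove(ci)
        self.assigned.append(ci)
        Xi = honey + [ci]
        _rng.shuffle(Xi)                     # position of ci in F1 reveals nothing
        return ci, Xi

    def register(self, ui: str, password: str, honeypot: bool = False) -> None:
        """Step 1: fill F1 and F2; real users also get their ci set on the
        honeychecker. Honeypots get none, so any login to them is reported."""
        ci, Xi = self.gen()
        salt = os.urandom(16)
        self.F2[ci] = (salt, H(password, salt))
        self.F1[ui] = Xi
        if not honeypot:
            self.checker.set(ui, ci)

    def login(self, ui: str, guess: str) -> bool:
        """Compare the guess against every index in Xi; a match is decided by
        the honeychecker (sugar index -> accept, honey index -> alarm)."""
        Xi = self.F1.get(ui)
        if Xi is None:
            return False
        for j in Xi:
            salt, digest = self.F2[j]
            if hmac.compare_digest(H(guess, salt), digest):
                return self.checker.check(ui, j)
        return False                          # matches neither sugar nor honeyword


def build_demo(k: int = 4) -> tuple[HoneyIndexServer, HoneyChecker]:
    """Constructed scenario: T=3 honeypot accounts seed F2, then one real user,
    so that user's honeywords are exactly the three honeypot passwords."""
    hc = HoneyChecker()
    srv = HoneyIndexServer(N=100, k=k, checker=hc)
    for t, pw in enumerate(["hp-pass-one", "hp-pass-two", "hp-pass-three"]):
        srv.register(f"honeypot{t}", pw, honeypot=True)
    srv.register("alice", "alice-real-password")
    return srv, hc


if __name__ == "__main__":
    srv, hc = build_demo()
    print("correct login:", srv.login("alice", "alice-real-password"))
    print("honeyword login:", srv.login("alice", "hp-pass-two"), "alarms:", hc.alarms)
```

The point of the split is that the main server's F1 and F2 never reveal which of the k indexes is the sugar index: an attacker holding both files and inverting every hash still faces k equally plausible passwords per account, and only the honeychecker, which holds no hashes at all, can tell a sugar index from a honey index. The honeychecker's alarm list is where a deployment would hook its notification to the administrator.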

VIII. REFERENCES
[1] D. Mirante and C. Justin, "Understanding Password Database Compromises," Dept. of Computer Science and Engineering, Polytechnic Inst. of NYU, Tech. Rep. TR-CSE-2013-02, 2013.
[2] A. Vance, "If Your Password is 123456, Just Make It HackMe," The New York Times, vol. 20, 2010.
[3] K. Brown, "The Dangers of Weak Hashes," SANS Institute InfoSec Reading Room, Tech. Rep., 2013.
[4] M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, "Password Cracking Using Probabilistic Context-Free Grammars," in Security and Privacy, 30th IEEE Symposium on. IEEE, 2009, pp. 391-405.
[5] F. Cohen, "The Use of Deception Techniques: Honeypots and Decoys," Handbook of Information Security, vol. 3, pp. 646-655, 2006.
[6] M. H. Almeshekah, E. H. Spafford, and M. J. Atallah, "Improving Security using Deception," Center for Education and Research in Information Assurance and Security, Purdue University, Tech. Rep. CERIAS Tech Report 2013-13, 2013.
[7] C. Herley and D. Florencio, "Protecting Financial Institutions from Brute-Force Attacks," in SEC 08, 2008, pp. 681-685.
