Raising the bar for password crackers: improving the quality of honeywords with deep neural networks

Abstract

Honeywords are fictitious passwords inserted into databases in order to identify password breaches. Producing honeywords that are difficult to distinguish from actual passwords automatically is a time-consuming and sophisticated task, and the majority of existing research assumes that attackers have no knowledge about users, which is a flawed assumption. In this thesis, we introduce two honeyword generation techniques (HGT): Honey-GAN and Chunk-GPT3, which can generate honeywords resistant to trawling attacks and targeted attacks, respectively. In addition, we propose a trawling attack, termed as Normalized Top-SW, to imitate trawling attackers and further assess the resilience of HGTs to the attack. Furthermore, we propose two text similarity-based metrics to evaluate the indistinguishability of honeywords. We analyze our HGTs compared with the other two state-of-the-art HGTs quantitatively and qualitatively and demonstrate that our HGTs can produce honeywords that are substantially more difficult for attackers to distinguish, hence increasing the bar for attackers and accelerating the detection of password breaches.