A novel honeyword-based authentication scheme for password database breaches


Creative Commons License

Thesis type: Master's

Institution where the thesis was conducted: Marmara Üniversitesi, Fen Bilimleri Enstitüsü (Institute of Natural and Applied Sciences), Türkiye

Thesis approval date: 2022

Thesis language: English

Student: NEVZAT ÖZCANDAN

Principal advisor (for co-advised theses): Ali Fuat Alkaya

Open archive collection: AVESİS Open Access Collection

Abstract:

Honeywords both strengthen hashed password storage and enable detection of password database breaches: a set of decoy passwords (the honeywords) is intentionally stored alongside each user's real password, so that a login attempt with a decoy reveals that the password file has been stolen. Nevertheless, the honeyword mechanism has several fundamental security problems, such as targeted password guessing and multiple-system intersection attacks enabled by password reuse. In this thesis we first give a brief analysis of the pitfalls in the existing honeyword schemes Superword, Append Secret Model, and Erguler's scheme. In particular, we present an attack on Erguler's honeyword scheme and show that it can be fully broken by online login attempts even if the adversary compromises the password file only once. We then propose a novel honeyword scheme, named Panacea, that mitigates the threat of password file breaches and offline password inversion attacks. Our scheme works efficiently for every user in the system, regardless of their password choices, before the threat to the password file is detected. We further observe that recent honeyword schemes have much in common with distributed password storage schemes and therefore suggest an alternative scheme, a simplification of Panacea, that does reasonably well on both security and complexity. Extensive analysis demonstrates that both proposed schemes overcome most of the limitations and vulnerabilities of previously proposed honeyword schemes; we compare them with the existing schemes under various attacks to validate our claims. This thesis thereby helps to secure systems whose password databases are a target of adversaries, and should be of particular interest to those working in information security.
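To make the mechanism and the password-reuse pitfall described in the abstract concrete, here is an added example (not code from the thesis, and not the Panacea scheme): a minimal honeyword system in the style originally proposed by Juels and Rivest (2013), with a separate honeychecker that holds only the index of each user's real password, followed by the multiple-system intersection attack. The chaffing method (tweaking the trailing characters), the class and function names, the `k = 4` sweetword count and the PBKDF2 iteration count are all assumptions chosen for illustration.

```python
"""Minimal honeyword scheme plus intersection attack (added illustration,
not the thesis's scheme). All names and parameters are assumptions."""
import hashlib
import hmac
import os
import random
import string


def pw_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; the iteration count is kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def tweak_tail(password: str, k: int, rng: random.Random, t: int = 4) -> list:
    """Chaffing by tweaking: build k-1 decoys that differ from the real
    password only in the last t characters, then return all k sweetwords
    in random order (the real one is among them at an unknown position)."""
    head, tail = password[:-t], password[-t:]
    alphabet = string.digits if tail.isdigit() else string.ascii_lowercase
    decoys = []
    while len(decoys) < k - 1:
        cand = head + "".join(rng.choice(alphabet) for _ in range(t))
        if cand != password and cand not in decoys:
            decoys.append(cand)
    sweetwords = decoys + [password]
    rng.shuffle(sweetwords)
    return sweetwords


class HoneyChecker:
    """Hardened auxiliary server: stores only (user -> index of real password)."""

    def __init__(self):
        self.index = {}
        self.alerts = []  # users for whom a honeyword was submitted

    def set(self, user: str, i: int) -> None:
        self.index[user] = i

    def check(self, user: str, i: int) -> bool:
        if self.index.get(user) == i:
            return True
        self.alerts.append(user)  # decoy used: password file likely breached
        return False


class HoneywordSystem:
    """Login server: the password file holds k salted hashes per user and
    no indication of which one is real; chaff is generated per system."""

    def __init__(self, seed: int, k: int = 4):
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        self.k = k
        self.file = {}
        self.checker = HoneyChecker()

    def register(self, user: str, password: str) -> list:
        sweetwords = tweak_tail(password, self.k, self.rng)
        salt = os.urandom(16)
        self.file[user] = (salt, [pw_hash(w, salt) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))
        # Returned only to model what an attacker recovers by cracking the
        # stolen file offline (honeywords crack as easily as the real password).
        return sweetwords

    def login(self, user: str, attempt: str) -> str:
        """Returns 'ok', 'honeyword' (alarm raised) or 'fail'."""
        if user not in self.file:
            return "fail"
        salt, hashes = self.file[user]
        digest = pw_hash(attempt, salt)
        for i, hv in enumerate(hashes):
            if hmac.compare_digest(hv, digest):
                return "ok" if self.checker.check(user, i) else "honeyword"
        return "fail"


def intersection_attack(cracked: list) -> set:
    """Adversary holding cracked sweetword sets for one user from several
    independently breached systems: because each system generates its own
    chaff, a reused password is (almost always) the only common word."""
    return set.intersection(*cracked)
```

Against a single breached file the attacker must guess which of the four sweetwords is real, and every wrong guess raises an alarm at the honeychecker; with two breached files for a user who reused the password, the intersection collapses the choice to the real password without any online attempt, which is exactly the password-reuse weakness the abstract refers to.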