HONEY WORDS MAKING PASSWORD CRACKING DETECTABLE
HONEY WORDSMAKING PASSWORD CRACKING DETECTABLE
Storing passwords
• In clear•Hashing•Adding salt•Honeyword
Storing in clear•Insider attack•Normal user reads the database and learns other user passwords.•Outside attacker•Attacker gains unauthorised access through database and learns all passwords.•So passwords storing in clear is nothing but the chance we are giving for the attacker
Database - storing in CLEAR
If this is the way we store our passwords then it will be very easy for the attacker to hack the passwords.
Hashing the password•Hashes of the password are stored.•When user submits password,it is hashed and compared to the stored value.•If attacker gains database,he gets the user-ID and hash value of the password.•So for the attacker it is somewhat difficult to crack the password compared to the before method.
Database - storing Hashes of the password
•For exampleH(mysecret)=06c219e5bc...697
How the attacker hacks the password in this case???
It is a offline method to crackpassword hashes
Adding salt to the password hashes
•When Id and password intially created system generates random s_bit value(salt),concatenate with the password and generate hash value.•When user submits password,salt from password database is concatenated,hashed and comapred.•If attacker gains database,they know the salt and they keep same effort to find this also.
Salt password hashes in database
What should be done in this case??
•The data structure we use for storing this is the rainbow table.•It stores all the hash values of the passwords.•If we want a rainbow table for every salt we require many tables.
for example
Honey words•A simple method for improving the security of the hashed passwords.•The maintenance of additional honeywords(false passwords) associated with each user account.•An adversary who steals a file of hashed passwords and inverts
The hash function cannot tell if he has found the password or honeyword.
• The attempted use of a honeyword for login sets off an alarm.
• An auxiliary server can distinguish the user password from honeywords for the login routine,and will set off an alarm if a honeyword is submitted.
Thank you
Any queries?