
Achieving Flatness Selecting The Honeywo

The document discusses a honeyword mechanism designed to enhance password security by generating decoy passwords (honey words) that alert administrators to unauthorized access attempts. It reviews existing literature on password strength and user habits, proposes a new honeyword generation method to reduce storage overhead, and outlines a system architecture involving users, admins, and a honey tracker. The proposed system aims to improve security by detecting malicious activities and complicating password guessing for adversaries.

Uploaded by

Nidaa Flaih

IJSRD - International Journal for Scientific Research & Development | Vol. 6, Issue 03, 2018 | ISSN (online): 2321-0613

Achieving Flatness: Selecting the Honeywords from Existing User Passwords

Ritu Ranjan Jha1, Pranita Dhane2, Prof. Yuvaraj N N3
1,2BE Student, 3Assistant Professor
1,2,3Department of Computer Engineering
1,2,3DYPSOEA Ambi, India

Abstract— The honeyword mechanism is presented as a way to detect an adversary who tries to log in with cracked passwords. The new passwords, called honeywords, are a mix of existing user passwords. Honeywords are essentially fake passwords: for every username, a set of sweetwords is constructed such that only one element is the correct password and the others are honeywords (decoy passwords). Hence, when an adversary tries to enter the system with a honeyword, a security alarm is triggered to notify the administrator of a password leakage. Honeywords are used to detect attacks against a hashed password database. For each user account, the legitimate password is stored among honeywords. If an attacker attacks the passwords, i.e. the honeywords, they cannot be sure whether a given entry is the real password or a honeyword. In this study, we examine the honeyword system in more detail and with careful attention, and provide some comments on its weak spots. We also concentrate on realistic passwords, on reducing the storage cost of passwords, and on an alternative that chooses the new passwords from existing user passwords.

Key words: Authentication, Honeypot, Honey words, Password Cracking

I. INTRODUCTION

There are two issues that should be considered to overcome these security problems. First, passwords have to be protected by taking appropriate precautions and storing them as hash values computed through salting as well as other complex mechanisms. Hence, for an adversary it should be hard to invert the hashes to get plaintext passwords. The other point is that a secure system should detect whether a password file disclosure incident has happened or not, in order to take appropriate actions. In this study, we focus on the latter issue and deal with fake passwords or accounts as a simple and cost-effective solution to detect compromise of passwords. Every time a user sends a login request, the login server determines the order of her among the users, and the order of the submitted password among her sweetwords. The login server sends a message to a secure server, called the honeychecker, for that user and her sweetword. The honeychecker determines whether the submitted word is a password or a honeyword. If a honeyword is submitted, it raises an alarm or takes an action that was previously chosen. The honeychecker has no knowledge of the user's password or honeywords. It retains a single database made up of only the order of the true password among the user's sweetwords.

II. LITERATURE SURVEY

A. Paper Name: Guess again: Measuring password strength by simulating password-cracking algorithm
Authors: P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L.F. Cranor and J. Lopez
Description: Here the authors found several notable results about the comparative strength of different composition policies. Although NIST considers basic16 and comprehensive8 equivalent, we found that basic16 is superior against large numbers of guesses. Combined with a prior result that basic16 is also easier for users, this suggests basic16 is the better policy choice. We also found that the effectiveness of a dictionary check depends heavily on the choice of dictionary; in particular, a large blacklist created using state-of-the-art password guessing techniques is much more effective than a standard dictionary at preventing users from choosing easily guessed passwords.

B. Paper Name: A large-scale study of web password habits
Authors: D. Florencio and C. Herley
Description: Here the authors report the results of a large-scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. The authors also get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large-scale study of its kind, and yields numerous other insights into the role that passwords play in users' online experience.

C. Paper Name: Examination of a new defense mechanism: Honey words
Authors: Z. A. Genc, S. Kardas, and M. S. Kiraz
Description: Here the authors examine decoy passwords, i.e. honeywords, used to identify attacks against a hashed password database. For each user account, the legitimate password is stored among honeywords. If an attacker attacks the passwords, i.e. the honeywords, they cannot be sure whether an entry is the real password or a honeyword. It has become less difficult to crack a password hash with the advancements in graphical processing unit (GPU) technology. Entering a honeyword to log in will trigger an alarm notifying the administrator of a password file breach.
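
The login flow described in the Introduction (a login server that stores the sweetword hashes and a separate honeychecker that stores only the order of the true password), shown as an added Python example that is not code from the paper. The names `slow_hash`, `HoneyChecker`, `LoginServer`, the account `alice` and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


def slow_hash(salt: bytes, word: str) -> bytes:
    # Salted, iterated hash; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 10_000)


class HoneyChecker:
    """Separate server: knows only the position of the real password."""

    def __init__(self):
        self._real = {}      # user -> order of the true password
        self.alarms = []     # (user, submitted order) for each honeyword hit

    def set_index(self, user: str, index: int) -> None:
        self._real[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real.get(user) == index:
            return True
        self.alarms.append((user, index))  # honeyword used: likely file leak
        return False


class LoginServer:
    """Holds salted hashes of all sweetwords, but not which one is real."""

    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.table = {}      # user -> (salt, [hash per sweetword])

    def register(self, user: str, password: str, honeywords: list) -> None:
        if password in honeywords or len(set(honeywords)) != len(honeywords):
            raise ValueError("sweetwords must be distinct")
        sweet = honeywords + [password]
        secrets.SystemRandom().shuffle(sweet)   # hide the real one's position
        salt = os.urandom(16)
        self.table[user] = (salt, [slow_hash(salt, w) for w in sweet])
        self.checker.set_index(user, sweet.index(password))

    def login(self, user: str, submitted: str) -> str:
        if user not in self.table:
            return "wrong"
        salt, hashes = self.table[user]
        candidate = slow_hash(salt, submitted)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return "ok" if self.checker.check(user, i) else "alarm"
        return "wrong"       # neither the password nor a honeyword


def demo():
    checker = HoneyChecker()
    server = LoginServer(checker)
    # Constructed sample: the paper's 42hungry password and its two honeywords.
    server.register("alice", "42hungry", ["12hungry", "58hungry"])
    tries = ("42hungry", "58hungry", "hungry42")
    return [server.login("alice", w) for w in tries], checker.alarms


if __name__ == "__main__":
    print(demo())
```

A stolen copy of `LoginServer.table` does not reveal which sweetword is real, because that order exists only inside the honeychecker.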

All rights reserved by www.ijsrd.com 128


Achieving Flatness: Selecting the Honeywords from Existing User Passwords
(IJSRD/Vol. 6/Issue 03/2018/032)

D. Paper Name: Password Cracking Using Probabilistic Context-Free Grammars
Authors: M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek
Description: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack is a difficult task. In this paper the authors discuss a new technique that generates password structures in highest probability order. The authors first automatically produce a probabilistic context-free grammar based upon a training set of previously disclosed passwords. This grammar then allows them to generate word-mangling rules, and from them, password guesses to be used in password cracking. The authors also show that this approach appears to provide a more effective way to crack passwords compared to traditional methods by testing their tools and techniques on real password sets.

III. EXISTING SYSTEM

We analyze the honeyword approach and give some remarks about the security of the system. We point out that the key item for this method is the generation algorithm of the honeywords, such that they shall be indistinguishable from the correct passwords. Therefore, we propose a new method that creates the honeywords using a combination of existing user passwords in hash format.

A. Disadvantages of Existing System
• Not secure.
• Performance is low.
• Difficult to locate malicious activities.

IV. PROPOSED SYSTEM

In this study, we concentrate on the security issue and deal with fake passwords or accounts as a simple and cost-effective solution to detect compromise of passwords. A honeypot is one of the methods to identify the occurrence of a password database breach. In this approach, the administrator purposely creates deceptive user accounts to lure adversaries and detects a password disclosure if any one of the honeypot passwords gets used. In this paper we propose a novel honeyword generation approach which cuts down on the storage overhead and also addresses the majority of the drawbacks of existing honeyword generation techniques. The proposed model is based on the use of honeywords to detect password cracking. We propose to work with indexes that map to valid passwords in the system. The contribution of our approach is twofold. First, this method requires less storage compared to the original study. Second, in our approach passwords of other users are used as the fake passwords, so guessing which password is fake and which is correct becomes more complicated for an adversary.

A. Advantages of Proposed System
• It is more secure.
• It detects all malicious activities of users.
• It's a trustful network.

V. ALGORITHM

A. Chaffing with Toughnut
In this method, the system intentionally injects some special honeywords, named tough nuts, such that inverting the hash values of those words is computationally infeasible; e.g. fixed-length random bit strings should be set as the hash value of a honeyword. Moreover, the number and positions of the tough nuts are selected randomly. By this means, it is expected that the adversary cannot seize the whole sweetword set and some sweetwords will be blank for her, thereby deterring the adversary from carrying out her attack.

B. Chaffing with Tweaking
In this method, the user password seeds the generator algorithm, which tweaks selected character positions of the real password to produce the honeywords. For instance, each character of the user password in predetermined positions is replaced by a randomly chosen character of the same type: digits are replaced by digits, letters by letters, and special characters by special characters. The number of positions to be tweaked, denoted as t, should depend on system policy etc. As an example, t = 3 and tweaking the last t characters may be a method for the generator algorithm Gen(k, t). Another approach, named in the study "chaffing-by-tweaking-digits", is executed by tweaking the last t positions that contain digits. For example, by using the last technique for the password 42hungry and t = 2, the honeywords 12hungry and 58hungry may be generated.

C. Tail
Tail combines the strength of different honeyword generation methods, e.g. chaffing-with-a-password-model and chaffing-by-tweaking-digits. By using this technique, a random password model will yield seeds for tweaking-digits to generate honeywords. For example, let the correct password be apple1903. Then the honeywords angel2562 and happy9137 should be produced as seeds to chaffing-by-tweaking-digits.

VI. SYSTEM ARCHITECTURE

Fig. 1: Proposed System Architecture

In this system, if the user enters the right username and the password is a honeyword which was generated at the time of registration, then the system will allow the user two more attempts to enter his correct password. The honey encryption method uses some passwords + keys. We have generated many-to-many relationships and compare each key with the seed
space. Then an XOR operation is performed. Even if, after being given three chances, the user enters a honeyword, the system will lock the account, and he has to wait for activation from the admin. If the user enters the right username but the password is wrong and is also not a honeyword, then the system will block that particular user and send a request to the admin to activate the account.

VII. MODULES
1) User
2) Admin
3) Hacker
4) Honey Tracker

A. User
1) Registration:
• The user registers with the system; at the time of registration the user enters the 3 honeywords.
• The system also generates a number of honeywords with the help of the user password by three methods:
  • Chaffing with Toughnut
  • Chaffing with Tweaking
  • Tail
2) Login:
• If the user enters the right username and the password is a honeyword which was generated at the time of registration, then the system will allow the user two more attempts to enter his correct password.
• Even if, after being given three chances, the user enters a honeyword, the system will lock the account, and he has to wait for activation from the admin.
• If the user enters the right username but the password is wrong and is also not a honeyword, then the system will block that particular user and send a request to the admin to activate the account.

B. Admin
• Admin will activate the blocked user account.
• Admin will protect the passwords by using the honey encryption method.
• The honey encryption method uses some passwords + keys. We have generated many-to-many relationships and compare each key with the seed space. Then an XOR operation is performed.

C. Hacker
• Hacker will log in to the system.
• Then the hacker will get wrong passwords for the requested user.

D. Honey Tracker
It will track the user's record, i.e. the number of wrong passwords and the number of honeywords for a particular user login.

VIII. FUNCTIONAL MODEL

IX. SYSTEM REQUIREMENTS

Hardware Requirements:
System : Pentium IV 2.4 GHz.
Hard Disk : 40 GB.
Floppy Drive : 1.44 Mb.
Monitor : 15 VGA Colour.
Mouse : Logitech.
Ram : 512 Mb.

Software Requirements:
Operating system : Windows XP/7.
Coding Language : JAVA/J2EE, Hibernate.
IDE : Java eclipse.
Web server : Apache Tomcat 7.
Front End : JSP, CSS etc.
Back End : MySQL as database server.

X. FUTURE SCOPE
1) In the future, we would like to refine our model by involving hybrid generation algorithms to also make the total hash inversion process harder for an adversary in getting the passwords in plaintext form from a leaked password hash file.
2) Hence, by developing such methods, both of the two security objectives – increasing the total effort in recovering plaintext passwords from the hashed lists and detecting the password disclosure – can be provided at the same time.

XI. CONCLUSION

Finally, we have studied the security of the honeyword system and introduced a number of flaws that need to be dealt with before successful realization of the scheme. In this respect, we have pointed out that the strength of the honeyword system is directly determined by the generation algorithm. Finally, we have presented a new approach to make the generation algorithm as close as possible to human nature, by generating honeywords through randomly picking passwords that belong to other users in the system. We present an ordinary method of securing business and personal data in the system. We propose monitoring data access patterns by profiling user behavior to ascertain when and if a malicious insider illegally accesses someone's documents inside a system service. Decoy documents kept in the device alongside the user's real data also work as sensors to detect
illegitimate access. Once unauthorized data access or exposure is suspected, and then verified, with challenge questions for example, we inundate the malicious insider with fake information in order to dilute or divert the user's real data. Such preventive attacks that depend on disinformation technology could provide unprecedented levels of security in the machine plus internet sites model.

In the future, we would like to refine our model by involving hybrid generation algorithms to also make the total hash inversion process more difficult for an adversary in getting the passwords in plaintext form from a leaked password hash file. Hence, by developing such methods, both of the two security objectives, increasing the total effort in recovering plaintext passwords from the hashed lists and detecting the password disclosure, can be provided as well.

REFERENCES
[1] Kelley, Patrick Gage, et al. "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms." Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012.
[2] Florencio, Dinei, and Cormac Herley. "A large-scale study of web password habits." Proceedings of the 16th international conference on World Wide Web. ACM, 2007.
[3] Genc, Ziya Alper, and Süleyman Kardaş. "Examination of a new defense mechanism: Honeywords." Proceedings of the 11th WISTP International Conference on Information Security Theory and Practice. Springer, 2017.
[4] Weir, Matt, et al. "Password cracking using probabilistic context-free grammars." Security and Privacy, 2009 30th IEEE Symposium on. IEEE, 2009.
[5] National information assurance (ia) glossary, 2010.
[6] Password cracking. Web Site, 2013. www.golubev.com/hashgpu.htm.
[7] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: Loss-resistant password management. In ESORICS, pages 286–302, 2010.
[8] J. Bonneau. Guessing human-chosen secrets. Technical Report UCAM-CL-TR-819, University of Cambridge, Computer Laboratory, May 2012.
[9] M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, “Password cracking using probabilistic context-free grammars,” in Proc. 30th IEEE Symp. Security Privacy, 2009, pp. 391–405.
[10] F. Cohen, “The use of deception techniques: Honeypots and decoys,” Handbook Inform. Security, vol. 3, pp. 646–655, 2006.
[11] M. H. Almeshekah, E. H. Spafford, and M. J. Atallah, “Improving security using deception,” Center for Education and Research Information Assurance and Security, Purdue Univ., West Lafayette, IN, USA: Tech. Rep. CERIAS Tech. Rep. 2013-13, 2013.
[12] C. Herley and D. Florencio, “Protecting financial institutions from brute-force attacks,” in Proc. 23rd Int. Inform. Security Conf., 2008, pp. 681–685.
[13] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss-resistant password management,” in Proc. 15th Eur. Conf. Res. Comput. Security, 2010, pp. 286–302.
[14] A. Juels and R. L. Rivest, “Honeywords: Making password cracking detectable,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security, 2013, pp. 145–160.
[15] M. Burnett. The pathetic reality of adobe password hints. [Online]. Available: https://xato.net/windows-security/adobe-passwordhints, 2013.
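
The generation methods of Section V.B (chaffing-by-tweaking-digits with Gen(k, t)) and the index-based selection of Section IV, shown as an added Python example that is not code from the paper. The function names `tweak_digits` and `borrow_indexes` and the account-to-index mapping are hypothetical, and the index scheme is one reading of "indexes that map to valid passwords".

```python
import secrets

_rng = secrets.SystemRandom()
DIGITS = "0123456789"


def tweak_digits(password: str, t: int, k: int) -> list:
    """Chaffing-by-tweaking-digits: return k sweetwords (the real password
    plus k-1 honeywords) that differ only in the last t digit positions."""
    if t < 1 or k < 2:
        raise ValueError("need t >= 1 and k >= 2")
    positions = [i for i, c in enumerate(password) if c in DIGITS][-t:]
    if len(positions) < t:
        raise ValueError("password has fewer than t digits to tweak")
    if k > 10 ** t:
        raise ValueError("t digits allow at most 10**t distinct sweetwords")
    sweet = {password}
    while len(sweet) < k:
        chars = list(password)
        for i in positions:
            chars[i] = _rng.choice(DIGITS)   # a digit is replaced by a digit
        sweet.add("".join(chars))
    out = list(sweet)
    _rng.shuffle(out)                        # order must not reveal the real one
    return out


def borrow_indexes(real_index: dict, k: int) -> dict:
    """Index-based selection (assumed reading of Section IV): each user gets
    k indexes into one shared password table; one is their own and k-1 point
    at other users' real passwords. real_index (user -> own index) is what
    the honeychecker would keep; the returned lists go to the login server."""
    all_indexes = list(real_index.values())
    if len(set(all_indexes)) != len(all_indexes):
        raise ValueError("each account needs its own table index")
    if k < 2 or k > len(all_indexes):
        raise ValueError("need 2 <= k <= number of accounts")
    sweet_indexes = {}
    for user, own in real_index.items():
        others = [i for i in all_indexes if i != own]
        picks = _rng.sample(others, k - 1) + [own]
        _rng.shuffle(picks)
        sweet_indexes[user] = picks
    return sweet_indexes


if __name__ == "__main__":
    # Constructed samples: the paper's 42hungry password and four accounts.
    print(tweak_digits("42hungry", t=2, k=3))
    print(borrow_indexes({"alice": 0, "bob": 1, "carol": 2, "dave": 3}, k=3))
```

With tweaking, every sweetword needs its own stored hash and all of them share the visible pattern of the real password; with borrowed indexes, only one hash per account is stored and every decoy is a password some user actually chose.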
