An implementation of a honeyword-based authentication system that can detect password leaks. The honeyword-generation scheme is based on Erguler's scheme (2).
Honeywords are fake passwords that are stored alongside the actual passwords of the users. When a password file is leaked, the adversary tries to crack the hashed passwords and then log in to the system. Usually, the time between the actual leak and its detection by the system admin is too long, and it is very likely that the adversary has already caused the damage by then. This scheme tries to reduce that gap.
When an attacker leaks the password file from a system that implements the honeyword scheme and successfully cracks the hashed passwords, he gets a list of probable passwords for each user. He then needs to figure out which one is the correct password, called the sugarword. If he guesses wrong and enters a honeyword, the system can detect that a login attempt using a honeyword was made, and some suitable action can be initiated.
The system consists of three programs:

- honeychecker program: It manages the sugar_index file, which contains usernames and the index of the correct password for each user.
- server program: It manipulates the files F1 and F2. Only this program can directly communicate with the honeychecker program. The F1 file contains usernames and the corresponding sugarword-index lists. The F2 file contains indexes and the corresponding passwords (in hashed form).
- client program: It interacts with the user, and communicates only with the server program.

This program has been tested on a single machine. The components communicate through a System V message queue.
MD5 is used as the hashing algorithm for passwords. It is strongly recommended to use a hashing algorithm that is more resistant to attacks, such as Argon2 or bcrypt.
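The split between server and honeychecker described above, as an added Python example (not the project's code, which uses separate processes and a System V message queue): the server holds F1 and F2, the honeychecker holds only sugar_index, and a login that matches a sweetword other than the sugarword raises an alert. PBKDF2 stands in for MD5, and the honeywords are assumed to be supplied by the caller (Erguler's generation scheme is not implemented here).

```python
import hashlib
import hmac
import os
import secrets

# Password hashing for the F2 entries. PBKDF2 is used here instead of the
# project's MD5; a memory-hard function such as Argon2 would be better still.
def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class HoneyChecker:
    """Holds only sugar_index (username -> index of the real password); it never
    sees a password or a hash, so leaking F1/F2 alone does not reveal the sugarword."""
    def __init__(self):
        self.sugar_index = {}
    def set_sugar(self, user: str, idx: int) -> None:
        self.sugar_index[user] = idx
    def check(self, user: str, idx: int) -> bool:
        return self.sugar_index.get(user) == idx

class Server:
    """Keeps F1 (username -> list of F2 indexes) and F2 (index -> (salt, hash))
    and is the only component that talks to the honeychecker."""
    def __init__(self, checker: HoneyChecker):
        self.f1, self.f2, self.checker, self.alerts = {}, {}, checker, []

    def register(self, user: str, sugarword: str, honeywords: list) -> None:
        # Honeywords are assumed to come from the generation scheme; shuffle so
        # the sugarword's position in the F1 index list carries no information.
        sweetwords = [sugarword] + list(honeywords)
        secrets.SystemRandom().shuffle(sweetwords)
        indexes = []
        for pw in sweetwords:
            idx, salt = len(self.f2), os.urandom(16)
            self.f2[idx] = (salt, hash_pw(pw, salt))
            indexes.append(idx)
        self.f1[user] = indexes
        self.checker.set_sugar(user, indexes[sweetwords.index(sugarword)])

    def login(self, user: str, password: str) -> str:
        for idx in self.f1.get(user, []):
            salt, digest = self.f2[idx]
            if hmac.compare_digest(hash_pw(password, salt), digest):
                if self.checker.check(user, idx):
                    return "ok"
                # A sweetword matched but it is not the sugarword: someone is
                # using a cracked F2 entry. Record it so an admin can respond.
                self.alerts.append((user, idx))
                return "honeyword"
        return "invalid"
```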