Stay away from my passwords! Revisiting the security of honeyword-based systems

Tingting RAO , Wanying XU , Peng XU , Wei WANG , Zhaojun LU , Mauro CONTI , Kaitai LIANG

Front. Comput. Sci., 2027, Vol. 21, Issue 4: 2104803. DOI: 10.1007/s11704-025-51375-z
Information Security
RESEARCH ARTICLE

Abstract

Honeywords are decoys stored alongside real passwords in credential databases. Their main real-world application is the honeyword-based authentication system, which detects malicious login attempts when an attacker submits one of these fake passwords. Existing honeyword-based authentication systems face two key restrictions: 1) the authentication server is a single point of full trust, i.e., it must be neither compromised by nor colluding with attackers, and 2) the stored real passwords are vulnerable to tweaking attacks once attackers learn the user's passwords from other sources. To address these challenges, we introduce SecHive, a secure three-layer honeyword-based authentication system with a hash-query server. SecHive keeps real passwords secure even when the authentication server is semi-honest rather than fully honest. Moreover, we design a new honeyword generation method, GenHoney, which is embedded in SecHive to detect tweaking attacks effectively. Extensive experimental results show that SecHive improves security over state-of-the-art honeyword-based authentication systems, in particular achieving at least a 7.39x improvement in the accuracy of detecting tweaking attacks.
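As an added illustration (not the paper's code and not GenHoney or SecHive), the basic honeyword login check the abstract builds on: the authentication server stores salted hashes of all sweetwords and a separate honeychecker holds only the index of the real one, so a login that matches a decoy raises a breach alarm. The decoy generator here is a hypothetical simplified tweak-based stand-in, and the user name, password and parameter K are constructed sample values.

```python
import hashlib, hmac, random, secrets
K = 5  # sweetwords per account (1 real + K-1 decoys); a demo value, not the paper's
def kdf(password, salt):
    # Salted, iterated hash; production would use a memory-hard KDF instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def tweak_honeywords(real, count, rng):
    # Simplified tweak-based decoys (a hypothetical stand-in for GenHoney, which the
    # abstract does not specify): re-roll the trailing digits of the real password.
    stem = real.rstrip("0123456789")
    decoys = set()
    while len(decoys) < count:
        cand = stem + "".join(str(rng.randrange(10)) for _ in range(len(real) - len(stem)))
        if cand == real:  # also makes progress for passwords without trailing digits
            cand += str(rng.randrange(10))
        decoys.add(cand)
    return sorted(decoys)

class HoneyChecker:
    # Separate hardened component: stores only the index of the real sweetword.
    def __init__(self):
        self._index = {}
    def set_index(self, user, idx):
        self._index[user] = idx
    def check(self, user, idx):
        return self._index.get(user) == idx

class AuthServer:
    # Stores salted hashes of all K sweetwords and cannot tell which one is real.
    def __init__(self, checker, rng):
        self.checker, self.rng, self._db = checker, rng, {}
    def register(self, user, password, decoys):
        sweet = decoys + [password]
        self.rng.shuffle(sweet)  # hide the real password's position in the list
        salt = secrets.token_bytes(16)
        self._db[user] = (salt, [kdf(w, salt) for w in sweet])
        self.checker.set_index(user, sweet.index(password))
    def login(self, user, attempt):
        salt, hashes = self._db[user]
        h = kdf(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):  # a decoy match signals a breach
                return "ok" if self.checker.check(user, idx) else "alarm"
        return "fail"

def demo():
    rng = random.Random(7)
    real = "Summer2024"  # constructed sample password
    decoys = tweak_honeywords(real, K - 1, rng)
    server = AuthServer(HoneyChecker(), rng)
    server.register("alice", real, decoys)
    return tuple(server.login("alice", a) for a in (real, decoys[0], "letmein"))
```

The three outcomes of demo() are "ok" for the real password, "alarm" for a decoy and "fail" for an unrelated guess; a compromise of the authentication server alone leaves the intruder unable to distinguish the real password from its K-1 decoys without the honeychecker.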

Keywords

privacy / password security / honeyword / authentication system / honeyword-based authentication

Cite this article

Tingting RAO, Wanying XU, Peng XU, Wei WANG, Zhaojun LU, Mauro CONTI, Kaitai LIANG. Stay away from my passwords! Revisiting the security of honeyword-based systems. Front. Comput. Sci., 2027, 21(4): 2104803 DOI:10.1007/s11704-025-51375-z

RIGHTS & PERMISSIONS

Higher Education Press