Phoney protection for passwords

May 04, 2016

Corporate data breaches seem to be on the rise, rarely a week passes without a company revealing that its database has been hacked and regrettably usernames, passwords, credit card details and its customers' personal information has been leaked on to the open internet. A new protection, nicknamed Phoney, is reported in the International Journal of Embedded Systems.

Rong Wang, Hao Chen and Jianhua of Sun College of Computer Science and Electronic Engineering, Hunan University, Changsha, China, explain that once password files have been stolen, attackers can quickly crack large numbers of passwords. With their "Phoney" system which employs a threshold cryptosystem to encrypt the password hashes in the password file and honeywords to confuse attackers, even if the hackers have comprised a database, the phoney, honeywords, obfuscate and camouflage the genuine passwords. Moreover, if those honeywords are de-hashed and used in a login attempt, the hacked system will know to immediately block the fake user and lock down the account they tried to break into.

Until a secure and safe alternative is found, passwords will remain the simplest and most effective way to login to online systems, such as shopping, banking and social media sites. Passwords lists stored by the providers can be salted and hashed to make it harder for hackers to decrypt them and users can help themselves by using long, sophisticated passwords. However, the hash used to mask a password database can itself be cracked and breaches happen and data is inevitably compromised. For example, recently 6.5 million logins from a major social networking site were stolen and within a week almost two-thirds of those passwords had been cracked making a large proportion of the user base vulnerable to further exploitation and compromise of their personal data.

The team explains that, "Phoney is helpful to existing password authentication systems and easy to deploy. It requires no modifications to the client, and just changes how the password is stored on the server, which is invisible to the client." They have carried out tests and show that the time and storage costs are acceptable. "Of course, it is impossible for Phoney to guarantee no password leak absolutely in all possible scenarios," they say. But the so-called cracking 'search space', in other words the amount of effort a hacker needs to breach the data is increased significantly.
-end-
Wang, R., Chen, H. and Sun, J. (2016) 'Phoney: protecting password hashes with threshold cryptology and honeywords', Int. J. Embedded Systems, Vol. 8, Nos. 2/3, pp.146-154.

Inderscience Publishers

Related Data Articles from Brightsurf:

Keep the data coming
A continuous data supply ensures data-intensive simulations can run at maximum speed.

Astronomers are bulging with data
For the first time, over 250 million stars in our galaxy's bulge have been surveyed in near-ultraviolet, optical, and near-infrared light, opening the door for astronomers to reexamine key questions about the Milky Way's formation and history.

Novel method for measuring spatial dependencies turns less data into more data
Researcher makes 'little data' act big through, the application of mathematical techniques normally used for time-series, to spatial processes.

Ups and downs in COVID-19 data may be caused by data reporting practices
As data accumulates on COVID-19 cases and deaths, researchers have observed patterns of peaks and valleys that repeat on a near-weekly basis.

Data centers use less energy than you think
Using the most detailed model to date of global data center energy use, researchers found that massive efficiency gains by data centers have kept energy use roughly flat over the past decade.

Storing data in music
Researchers at ETH Zurich have developed a technique for embedding data in music and transmitting it to a smartphone.

Life data economics: calling for new models to assess the value of human data
After the collapse of the blockchain bubble a number of research organisations are developing platforms to enable individual ownership of life data and establish the data valuation and pricing models.

Geoscience data group urges all scientific disciplines to make data open and accessible
Institutions, science funders, data repositories, publishers, researchers and scientific societies from all scientific disciplines must work together to ensure all scientific data are easy to find, access and use, according to a new commentary in Nature by members of the Enabling FAIR Data Steering Committee.

Democratizing data science
MIT researchers are hoping to advance the democratization of data science with a new tool for nonstatisticians that automatically generates models for analyzing raw data.

Getting the most out of atmospheric data analysis
An international team including researchers from Kanazawa University used a new approach to analyze an atmospheric data set spanning 18 years for the investigation of new-particle formation.

Read More: Data News and Data Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.