It has become much easier to crack a password
hash with the advancements in the graphicalprocessing
unit (GPU) technology. An adversary can
recover a user's password using brute-force attack on
password hash. Once the password has been recovered
no server can detect any illegitimate user authentication
(if there is no extra mechanism used).
In this context, recently, Juels and Rivest published a
paper for improving the security of hashed passwords.
Roughly speaking, they propose an approach for user
authentication, in which some false passwords, i.e., "honeywords"
are added into a password file, in order to
detect impersonation. Their solution includes an auxiliary
secure server called "honeychecker" which can distinguish
a user's real password among her honeywords and immediately
sets off an alarm whenever a honeyword is used. In
this paper, we analyze the security of the proposal, provide
some possible improvements which are easy to implement
and introduce an enhanced model as a solution to an open
problem.
↧