DOI: 10.1145/2976749.2978416 (research article, ACM CCS conference proceedings)

On the Security of Cracking-Resistant Password Vaults

Published: 24 October 2016

Abstract

Password vaults are used to store login credentials, usually encrypted by a master password, relieving the user from memorizing a large number of complex passwords. To manage accounts on multiple devices, vaults are often stored at an online service, which substantially increases the risk of leaking the (encrypted) vault. To protect the master password against guessing attacks, previous work has introduced cracking-resistant password vaults based on Honey Encryption. If decryption is attempted with a wrong master password, they output plausible-looking decoy vaults, thus seemingly disabling offline guessing attacks. In this work, we propose attacks against cracking-resistant password vaults that are able to distinguish between real and decoy vaults with high accuracy and thus circumvent the offered protection. These attacks are based on differences in the generated distribution of passwords, which are measured using Kullback-Leibler divergence. Our attack is able to rank the correct vault into the 1.3% most likely vaults (on median), compared to 37.8% of the best-reported attack in previous work. (Note that smaller ranks are better, and 50% is achievable by random guessing.) We demonstrate that this attack is, to a certain extent, a fundamental problem with all static Natural Language Encoders (NLE), where the distribution of decoy vaults is fixed. We propose the notion of adaptive NLEs and demonstrate that they substantially limit the effectiveness of such attacks. We give one example of an adaptive NLE based on Markov models and show that the attack is only able to rank the decoy vaults with a median rank of 35.1%.
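The distinguishing attack described in the abstract, as an added toy illustration (not the paper's or NoCrack's code): a hypothetical static NLE is modelled as one fixed character distribution from which every decoy vault is sampled, a constructed "real" vault of human-chosen passwords is mixed in among the decoys, and candidates are ranked by the Kullback-Leibler divergence of their character frequencies from the decoy model. The model, the vault contents, the candidate count and all function names are assumptions for this example; it only shows why a fixed decoy distribution is distinguishable, which is the static-NLE problem the abstract names.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + string.digits

# Hypothetical stand-in for a static NLE: one fixed character model shared by every
# decoy vault (letters twice as likely as digits). Constructed for this example.
STATIC_MODEL = {c: (2 if c.isalpha() else 1) / (2 * 26 + 10) for c in ALPHABET}

# Constructed "real" vault of human-chosen passwords; the repetition stands in for
# the same password being reused across several accounts.
REAL_VAULT = ["password1", "letmein", "qwerty123", "iloveyou",
              "sunshine", "princess", "football", "monkey12"] * 4

def decoy_vaults(seed, count=99, size=32, length=8):
    """Decoys a static NLE would emit for wrong master passwords: each vault is an
    independent sample from the same fixed model, so all cluster around it."""
    rng = random.Random(seed)
    symbols, weights = zip(*STATIC_MODEL.items())
    return [["".join(rng.choices(symbols, weights=weights, k=length))
             for _ in range(size)] for _ in range(count)]

def char_distribution(vault):
    """Add-one smoothed character frequencies of a vault (keeps KL finite)."""
    counts = Counter("".join(vault))
    total = sum(counts.values()) + len(ALPHABET)
    return {c: (counts[c] + 1) / total for c in ALPHABET}

def kl_divergence(p, q):
    """D(p || q) in nats over ALPHABET for two probability dicts."""
    return sum(p[c] * math.log(p[c] / q[c]) for c in ALPHABET)

def divergence_from_model(vault):
    return kl_divergence(char_distribution(vault), STATIC_MODEL)

def rank_real_vault(real, decoys):
    """Sort candidates by divergence from the decoy model (most divergent first) and
    return the real vault's position as a fraction: 0.0 = ranked first, ~0.5 = chance."""
    candidates = [real] + list(decoys)
    order = sorted(range(len(candidates)), reverse=True,
                   key=lambda i: divergence_from_model(candidates[i]))
    return order.index(0) / len(candidates)

if __name__ == "__main__":
    decoys = decoy_vaults(seed=7)
    print(f"real vault: {divergence_from_model(REAL_VAULT):.3f} nats")
    print(f"rank of real vault: {rank_real_vault(REAL_VAULT, decoys):.2f}")
```

Because every decoy is drawn from the same fixed model, their divergences stay near the sampling-noise floor while the real vault's skewed letter and digit frequencies stand out; the adaptive NLE proposed in the abstract closes this gap by fitting the decoy distribution to the real vault instead of keeping it fixed.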


Published in: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN 9781450341394, DOI 10.1145/2976749.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. cracking-resistance
  2. honey encryption
  3. natural language encoders
  4. password managers


Funding Sources

  • German Research Foundation (DFG)

Conference: CCS '16

Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions (16%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)
