International Association for Cryptologic Research


IACR News item: 08 May 2014

Imran Erguler
ePrint Report
Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, an adversary who steals a file of hashed passwords cannot be sure, for any account, whether a given entry is the real password or a honeyword. Moreover, logging in with a honeyword will trigger an alarm notifying the administrator of a password file breach. At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. We also suggest an alternative approach that selects honeywords from existing user passwords in the system, providing realistic honeywords - a perfectly flat honeyword generation method - while also reducing the storage cost of the honeyword scheme.
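A minimal model of the scheme the abstract describes, added here as an illustration and not code from the paper or the IACR page: a login server stores k salted hashes per account (the real password shuffled among k-1 honeywords), while a separate honeychecker holds only the index of the real one, so a login with a honeyword is recognised and flagged as a breach signal. Honeyword generation itself is left to the caller (the decoys below are constructed sample data), and the class and function names are assumptions.

```python
import hashlib, os, secrets

class HoneyChecker:
    # Separate, hardened service: knows only which sweetword index is real.
    def __init__(self):
        self._real_index = {}  # user -> index of the real password
        self.alarms = []       # users for whom a honeyword was entered

    def set_real_index(self, user, index):
        self._real_index[user] = index

    def check(self, user, index):
        if index == self._real_index.get(user):
            return True
        self.alarms.append(user)  # honeyword hit: treat as a password-file breach
        return False

def _hash(word, salt):
    # Salted PBKDF2; iteration count kept low only to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 10_000)

class LoginServer:
    # Stores k salted hashes per user and cannot tell which one is real.
    def __init__(self, checker, k=20):
        self.checker, self.k, self.db = checker, k, {}

    def register(self, user, password, honeywords):
        decoys = [w for w in honeywords if w != password][: self.k - 1]
        sweetwords = decoys + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real position
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set_real_index(user, sweetwords.index(password))

    def login(self, user, attempt):
        salt, hashes = self.db[user]
        h = _hash(attempt, salt)
        for i, stored in enumerate(hashes):
            if secrets.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "honeyword"
        return "fail"

def demo():
    # Constructed sample account: one real password plus three decoys (k = 4).
    server = LoginServer(HoneyChecker(), k=4)
    server.register("alice", "correct horse", ["blue donkey", "red mule", "green pony"])
    return (server.login("alice", "correct horse"),  # real password -> "ok"
            server.login("alice", "red mule"),       # decoy -> "honeyword" and an alarm
            server.login("alice", "wrong guess"),    # neither -> "fail"
            list(server.checker.alarms))
```

A stolen copy of `server.db` alone gives the attacker k candidates per account with no way to tell which is real; only the honeychecker's index separates them, which is why the two stores must be kept apart.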

