On the Security of Cracking-Resistant Password Vaults
Author(s): Maximilian Golla, Benedict Beuscher, Markus Dürmuth

Date: October 24 2016
Publication: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16)
Page(s): 1230 - 1241
Publisher: ACM
Source 1: https://doi.org/10.1145/2976749.2978416
Source 2: https://www.ei.rub.de/media/mobsec/veroeffentlichungen/2016/08/18/cracking-resistant_password_vaults.pdf

Abstract or Summary:
Password vaults are used to store login credentials, usually encrypted by a master password, relieving the user from memorizing a large number of complex passwords. To manage accounts on multiple devices, vaults are often stored at an online service, which substantially increases the risk of leaking the (encrypted) vault. To protect the master password against guessing attacks, previous work has introduced cracking-resistant password vaults based on Honey Encryption. If decryption is attempted with a wrong master password, they output plausible-looking decoy vaults, thus seemingly disabling offline guessing attacks. In this work, we propose attacks against cracking-resistant password vaults that are able to distinguish between real and decoy vaults with high accuracy and thus circumvent the offered protection. These attacks are based on differences in the generated distribution of passwords, which are measured using Kullback-Leibler divergence. Our attack is able to rank the correct vault into the 1.3% most likely vaults (on median), compared to 37.8% of the best-reported attack in previous work. (Note that smaller ranks are better, and 50% is achievable by random guessing.) We demonstrate that this attack is, to a certain extent, a fundamental problem with all static Natural Language Encoders (NLE), where the distribution of decoy vaults is fixed. We propose the notion of adaptive NLEs and demonstrate that they substantially limit the effectiveness of such attacks. We give one example of an adaptive NLE based on Markov models and show that the attack is only able to rank the decoy vaults with a median rank of 35.1%.

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=L1iVp7YAqaw

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com