HoneyTree: Making Honeywords Sweeter

Abstract

Cyber deception is an area of cybersecurity based on building detection systems and verification models using decoys or controlled misinformation to confuse or misdirect the adversaries into revealing their presence and/or intentions. In the era of online services where our data is usually protected on the cloud relying on a secret key, even the most secure cyber systems can get compromised, losing highly confidential data to the attackers, including hashed passwords that can be cracked offline. Prior work has been done in carefully placing traps in the systems to detect intrusion activities. The Honeywords project by Juels and Rivest is the most straightforward and successful technique in detecting and deterring offline-password brute force by placing multiple plausible decoy passwords together along with the real password. In this paper, we enhance this approach and combine it with the concept of Merkle tree to build a new model called HoneyTree. Our model achieves twice the level of security as the Honeywords project at the same storage cost. We perform a detailed comparison of our approach to the original Honeywords project and analyze its pros and cons.