Peng Xu, Tingting Rao, Wei Wang, Zhaojun Lu, Kaitai Liang
Title: Power of union: Federated honey password vaults against differential attack
Journal: Computers & Security, volume 157, Article 104592
Publication date: 2025-07-23
Publication type: Journal Article
DOI: 10.1016/j.cose.2025.104592
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002810
Impact factor: 5.4; JCR: Q1 (Computer Science, Information Systems)
Citation count: 0
Abstract
The honey password vault is a promising method for managing user passwords and mitigating password-guessing attacks by creating plausible-looking decoy password vaults. Recently, various methods, such as Chatterjee-PCFG (IEEE S&P’15), Golla-Markov (ACM CCS’16), and Cheng-IUV (USENIX Security’21), have been proposed to construct the cornerstone of honey password vaults, known as the distribution transforming encoder (DTE). These innovations significantly enhance the security and functionality of each kind of DTE. However, our findings indicate that when users employ multiple honey password vaults of distinct DTEs to manage their passwords, a passive attacker can easily compromise user passwords by exploiting differences among those DTEs. Consequently, we propose the differential attack targeting existing honey password vaults. The extensive experimental results confirm the effectiveness of this attack, distinguishing real from decoy password vaults with accuracy from 99.13% to 100.00%. In response, we design a novel, collaborative approach to train DTE, called federated DTE model, and construct a secure honey password vault. This strategy markedly bolsters security, reducing the differential attack’s distinguishing accuracy to approximately 52.41%, nearing the ideal threshold of 50.00%. Our findings emphasize the need for collaborative strategies to maintain password security to combat advanced cyber threats.
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.