Table of Contents
Fetching ...

Advancing Honeywords for Real-World Authentication Security

Sudiksha Das, Ashish Kundu

TL;DR

The paper addresses the gap between the theoretical promise of Honeywords and real-world deployment by analyzing attacker models, decoy generation, and honeychecker architectures, and by identifying deployment, integration, and policy reliability as the main barriers. It emphasizes the role of high $\varepsilon$-flatness in resisting statistical filtering and surveys empirical results that quantify attacker resilience across schemes. The authors propose a practical framework featuring middleware integration, isolated honeycheckers, adaptive decoy generation, and automated policy validation to bridge research and production. Collectively, the work provides a concrete roadmap for moving Honeywords from academic concept to deployable security tooling within modern authentication ecosystems.

Abstract

Introduced by Juels and Rivest in 2013, Honeywords, which are decoy passwords stored alongside a real password, appear to be a proactive method to help detect password credentials misuse. However, despite over a decade of research, this technique has not been adopted by major authentication platforms. This position paper argues that the core concept of Honeywords has potential but requires more research on issues such as flatness, integration, and reliability, in order to be a practical deployable solution. This paper examines the current work on Honeyword generation, attacker modeling, and honeychecker architecture, analyzing the subproblems that have been addressed and ongoing issues that prevent this system from being more widely used. The paper then suggests a deployable framework that combines the attacker-resilient, context-aware decoy creation that Honeywords provide with easy integration into existing systems. Honeywords will only move from an academic idea to a practical security tool if technical advances are paired with secure and straightforward architectures, along with adaptive response handling and detailed configuration checks.

Advancing Honeywords for Real-World Authentication Security

TL;DR

The paper addresses the gap between the theoretical promise of Honeywords and real-world deployment by analyzing attacker models, decoy generation, and honeychecker architectures, and by identifying deployment, integration, and policy reliability as the main barriers. It emphasizes the role of high -flatness in resisting statistical filtering and surveys empirical results that quantify attacker resilience across schemes. The authors propose a practical framework featuring middleware integration, isolated honeycheckers, adaptive decoy generation, and automated policy validation to bridge research and production. Collectively, the work provides a concrete roadmap for moving Honeywords from academic concept to deployable security tooling within modern authentication ecosystems.

Abstract

Introduced by Juels and Rivest in 2013, Honeywords, which are decoy passwords stored alongside a real password, appear to be a proactive method to help detect password credentials misuse. However, despite over a decade of research, this technique has not been adopted by major authentication platforms. This position paper argues that the core concept of Honeywords has potential but requires more research on issues such as flatness, integration, and reliability, in order to be a practical deployable solution. This paper examines the current work on Honeyword generation, attacker modeling, and honeychecker architecture, analyzing the subproblems that have been addressed and ongoing issues that prevent this system from being more widely used. The paper then suggests a deployable framework that combines the attacker-resilient, context-aware decoy creation that Honeywords provide with easy integration into existing systems. Honeywords will only move from an academic idea to a practical security tool if technical advances are paired with secure and straightforward architectures, along with adaptive response handling and detailed configuration checks.
Paper Structure (36 sections, 1 equation, 3 figures, 6 tables)

This paper contains 36 sections, 1 equation, 3 figures, 6 tables.

Figures (3)

  • Figure 1: Success probabilities for three Honeyword generation schemes (Wang 2022, Erguler 2015, Bhise & Jagtap 2017) across attacker models A1--A4. Attacker-aware methods significantly reduce compromise rates, especially in the most capable A4 model. Sources: erguler2015achievingwang2022attacker.
  • Figure 2: Proposed Honeyword-augmented authentication architecture that integrates seamlessly into Django and OAuth2 flows via framework-specific hooks (ex. Django custom authentication backends, OAuth2 pre-token issuance plugins).
  • Figure 3: Relationship between $\epsilon$-flatness and attacker guessability for an A2-level attacker. Higher flatness reduces guessability, but improvements beyond $\epsilon=0.9$ yield diminishing returns, suggesting that deployment focus should shift to integration and adaptive detection at that point. Sources: erguler2015achievingwang2022attacker.