Superword: A honeyword system for achieving higher security goals
Computers & Security (IF 5.6), Pub Date: 2021-04-01, DOI: 10.1016/j.cose.2019.101689
Yimin Guo , Zhenfeng Zhang , Yajun Guo

Abstract: Generating honeywords for each user's account is an effective way to detect whether a password database has been compromised. However, several underlying security issues associated with honeyword techniques still need to be addressed, for example: (1) How can it be made more difficult for an attacker to find an accurate "username-real password" match? (2) How can the intersection attack across multiple systems, caused by password reuse, be prevented without reducing usability? (3) How can the success rate of targeted password guessing be reduced? In this study, we first propose a "matching attack" model and find that although Erguler's honeyword system can achieve perfect flatness, the attacker's success rate under a matching attack is 100%. Secondly, we propose a new honeyword approach named Superword, which removes the direct relationship between a username and its hashed password in the password file. Additional honeypot accounts are mixed with real accounts to detect online guessing attacks. The analysis reveals that our approach makes it difficult for a matching attacker to find a real password among N password hashes. Since there is no link between username and password in the password file, our honeyword system also alleviates the multi-system intersection attack and targeted password guessing.
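To make the two detection mechanisms the abstract relies on concrete, here is an added example (not code from the paper, and not the Superword construction itself): a generic honeyword setup in the classic style, where each account's password file entry holds the real password hash shuffled among honeyword hashes, a separate honeychecker holds only the index of the real one, and extra honeypot accounts with no legitimate owner are mixed into the file. A login that matches a honeyword, or any login to a honeypot account, indicates that the password file has leaked or that an online guessing attack is under way. All usernames, passwords and honeywords below are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not from the paper).
REAL_ACCOUNTS = {
    "alice": ("correct-horse-7", ["correct-horse-3", "correct-horse-9", "right-horse-7"]),
    "bob": ("Summer2019!", ["Summer2018!", "Winter2019!", "Summer2019?"]),
}
# Honeypot accounts have no legitimate owner; any successful match on them is an alarm.
HONEYPOT_ACCOUNTS = {"admin_backup": ["admin123", "backup2019"]}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function is used for real and decoy words."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class PasswordFile:
    # username -> (salt, list of sweetword hashes in shuffled order, is_honeypot)
    entries: dict = field(default_factory=dict)


@dataclass
class Honeychecker:
    # Kept on a separate, hardened host: username -> index of the real sweetword
    real_index: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)


def enroll(pf: PasswordFile, hc: Honeychecker, username: str,
           real_password: str, honeywords: list) -> None:
    """Store real password + honeywords (the 'sweetwords') in random order."""
    sweetwords = honeywords + [real_password]
    secrets.SystemRandom().shuffle(sweetwords)
    salt = os.urandom(16)
    pf.entries[username] = (salt, [hash_password(w, salt) for w in sweetwords], False)
    # Only the honeychecker learns which position holds the real password.
    hc.real_index[username] = sweetwords.index(real_password)


def enroll_honeypot(pf: PasswordFile, hc: Honeychecker, username: str, decoys: list) -> None:
    """A decoy account: every stored word is fake, so any match is an alarm."""
    salt = os.urandom(16)
    pf.entries[username] = (salt, [hash_password(w, salt) for w in decoys], True)
    hc.real_index[username] = None


def login(pf: PasswordFile, hc: Honeychecker, username: str, candidate: str) -> str:
    """Return 'ok', 'fail', or 'alarm' (honeyword or honeypot hit)."""
    if username not in pf.entries:
        return "fail"
    salt, hashes, is_honeypot = pf.entries[username]
    h = hash_password(candidate, salt)
    matched = [i for i, stored in enumerate(hashes) if hmac.compare_digest(h, stored)]
    if not matched:
        return "fail"
    if is_honeypot or matched[0] != hc.real_index[username]:
        hc.alarms.append((username, "honeypot" if is_honeypot else "honeyword"))
        return "alarm"
    return "ok"


def build_demo():
    """Populate a password file and honeychecker from the constructed sample data."""
    pf, hc = PasswordFile(), Honeychecker()
    for user, (real, honey) in REAL_ACCOUNTS.items():
        enroll(pf, hc, user, real, honey)
    for user, decoys in HONEYPOT_ACCOUNTS.items():
        enroll_honeypot(pf, hc, user, decoys)
    return pf, hc


if __name__ == "__main__":
    pf, hc = build_demo()
    print(login(pf, hc, "alice", "correct-horse-7"))   # ok
    print(login(pf, hc, "alice", "correct-horse-3"))   # alarm: honeyword submitted
    print(login(pf, hc, "admin_backup", "admin123"))   # alarm: honeypot account used
    print(hc.alarms)
```

The point the abstract makes follows directly from this layout: the password file alone still pairs each username with a small set of hashes, so an attacker who cracks the file and can tell real from decoy (the paper's "matching attack") defeats the scheme, and the alarm only fires once they try a wrong one. Superword's contribution, as the abstract describes it, is to break that username-to-hash pairing in the file itself; this example shows the baseline that contribution improves on.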

Updated: 2021-04-01