
IOP Conference Series: Materials Science and Engineering

PAPER • OPEN ACCESS

Implementation of honeywords as a codeigniter library for a solution to password-cracking detection
To cite this article: Ardian Budi Kusuma and Yogha Restu Pramadi 2019 IOP Conf. Ser.: Mater. Sci. Eng. 508 012134



TICATE 2018 IOP Publishing
IOP Conf. Series: Materials Science and Engineering 508 (2019) 012134 doi:10.1088/1757-899X/508/1/012134

Implementation of honeywords as a codeigniter library for a solution to password-cracking detection

Ardian Budi Kusuma and Yogha Restu Pramadi

Laboratory of Cryptographic Software Engineering, Sekolah Tinggi Sandi Negara/National Crypto Institute, Bogor, Indonesia

ardianbk96@gmail.com

Abstract. Stolen files of password hashes are a common threat to web-based authentication. The
password hashes can be cracked with new methods that are faster and easier, and the attacker can
then simply log in to the system with the original password recovered by cracking, without being
detected. To address this problem, researchers have proposed password-cracking detection methods
such as honeywords. In this study we implement an existing-user honeywords scheme in the form of
a CodeIgniter web-based library. Honeywords are decoy passwords that are used as bait. The library
produced by this study is intended to be used by web application developers as an alternative
authentication library.

1. Introduction
The theft and cracking of password files from websites is a serious security issue. One scheme that
can detect password cracking is honeywords [1]. Honeywords are decoy passwords that are stored
alongside the original password in the password database to protect the original password. If the
attacker succeeds in cracking the file and tries to log in with a honeyword, the password cracking is
detected. The newer honeywords generation scheme that uses the passwords of other users (existing
users) [2] improves on the original one [1]. To make it easier for web application developers to use
the honeywords scheme for detecting password cracking, in this study the honeywords scheme is
implemented as a library based on CodeIgniter. CodeIgniter was chosen because, among other
reasons, it was the second most popular PHP framework in use in 2018 [3].

2. Related Work
This section explains the related literature used in this study.

2.1. Password Cracking


Password cracking is a serious security issue. Several incidents were only detected when the attacker
spread or sold the credentials online, generally months or even years after the breach, as with
MySpace [4] and Dropbox [5]. Once the attacker has obtained the password hashes, he can simply
crack them with newer methods that are easier and faster [6] [7] [8]. To overcome this, a password
storage scheme that can detect password-cracking is needed.

Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution
of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
Published under licence by IOP Publishing Ltd

2.2. Honeywords
Honeywords were first introduced by Juels and Rivest [1] in 2013. In 2015, Imran [2] introduced a
new scheme with advantages in storage, flatness and usability. The honeywords scheme that uses the
password values of existing users, by Imran [2], was therefore chosen for this study: it has fairly good
flatness, so the honeywords are more difficult to guess [9], and it does not require any additional
generation algorithm. In general, the existing-user honeywords scheme has 4 main stages. Each stage
is explained, following the scheme in [2], in section 3.1.

2.3. CodeIgniter
CodeIgniter is an open source framework used to create dynamic web applications. CodeIgniter has
an MVC (Model, View, Controller) structure, so the coding process is more structured and follows
standards. CodeIgniter was also chosen because it is easy to learn, lightweight [10], and has been shown
to perform better than other frameworks such as CakePHP and Laravel [11]. Examples of existing
CodeIgniter-based authentication libraries include DX Auth (by Jason Ashdown), Ion Auth (by Ben
Edmunds), Tank Auth (by Ilya Konyukhov) and Bit Auth (by Dan Montgomery). The scope of the
library created in this study is shown in Figure 1.

Figure 1. Scope of the library created in this study.

3. Implementation

3.1. Honeywords Existing User

3.1.1 Initialization. At this stage, the initialization process creates usernames and generates fake
passwords that are used as honeywords. Random indexes are also generated from the range [1, N],
where N = 2^31 - 1. Figure 2 shows the initialization process. In general, the tables in the main
database after the initialization process are as in file 1 and file 2: file 1 holds a username and its
honeyindex list, and file 2 holds an index value paired with the hash value of a password.

3.1.2 Registration. In the registration process, the user enters a username and password (e.g.
Admin and admin123). To build the honeywords list, the system generates a random number as the
index of the original password, plus k random numbers (k = n - 1, where n is the size of the index
group per username) for the honeyindex, which are taken from the indexes of existing passwords.
After the registration process, the password storage files (file 1 and 2) change accordingly. The
registration scheme is shown in Figure 3.


3.1.3 Honeychecker. The honeychecker verifies whether the password used to log in is the original
password or a honeyword. It stores each username together with the true index value for that
username. Honeychecker examples can be seen in Figure 3.

[Figure 2 residue: the process steps "Generate fake username", "Generate fake password", "Generate random index [1, N]" and "Generate random index [1, k]", and the two password-storage files after initialization.]

File 2                      File 1
Index   Hash password       Username   honeyindex
12      H(P_12)             Kucing     (12, 67, ..., 14555)
500     H(P_500)            Aulia      (99, 500, ..., 4009)
...     ...                 ...        ...
10001   H(P_10001)          polo       (0, 101, ..., 789)

Figure 2. Initialization Process.

Figure 3. Registration Process.

3.1.4 Login. At login, the entered password (P_x) is compared against the hash values in file 2
referenced by the honeyindex list of that username. If the password matches one of the hash values
(H(P_x)), the matching index value is sent to the honeychecker. The honeychecker checks whether
that index value is the true index for the intended username. If it is, the user is authenticated.
If it is not, password-cracking can be said to have occurred, because the password entered is a
honeyword, which should not be known by anyone.
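The four stages above (initialization, registration, honeychecker and login) as an added example in plain PHP; this is not the paper's CodeIgniter library. The class name, k = 3 decoy indexes per username, the in-memory arrays standing in for file 1, file 2 and the honeychecker, and the per-password salted SHA3-256 hash of section 3.2.3 are assumptions for illustration.

```php
<?php
// Added example, not the paper's library: section 3.1 existing-user honeywords in plain PHP.
// File 1, file 2 and the honeychecker are arrays here; in practice the honeychecker is a separate host.
final class Honeywords
{
    const N = 2 ** 31 - 1;            // index range [1, N]
    const K = 3;                      // decoy indexes per username (assumed; n = k + 1)
    private array $file2 = [];        // index => ['salt' => ..., 'hash' => ...]
    private array $file1 = [];        // username => shuffled list of n indexes
    private array $honeychecker = []; // username => true index
    private static function h(string $password, string $salt): string
    {
        return hash('sha3-256', $password . $salt); // H(p) = SHA3-256(password || salt)
    }
    // Store one password under a fresh random index with its own salt (section 3.2.3).
    private function store(string $password): int
    {
        do { $i = random_int(1, self::N); } while (isset($this->file2[$i]));
        $salt = bin2hex(random_bytes(16));
        $this->file2[$i] = ['salt' => $salt, 'hash' => self::h($password, $salt)];
        return $i;
    }
    // 3.1.1 Initialization: seed file 2 with fake passwords under random indexes.
    public function initialize(int $fakes): void
    {
        for ($j = 0; $j < $fakes; $j++) { $this->store(bin2hex(random_bytes(12))); }
    }
    // 3.1.2 Registration: the true index plus k indexes of passwords already in file 2.
    public function register(string $user, string $password): void
    {
        $existing = array_keys($this->file2);
        $indexes = array_map(fn($p) => $existing[$p], (array) array_rand($existing, self::K));
        $indexes[] = $this->honeychecker[$user] = $this->store($password);
        shuffle($indexes);
        $this->file1[$user] = $indexes;
    }
    // 3.1.4 Login: returns 'ok', 'honeyword' (password-cracking detected) or 'wrong'.
    public function login(string $user, string $password): string
    {
        foreach ($this->file1[$user] ?? [] as $i) {
            $rec = $this->file2[$i];
            if (hash_equals($rec['hash'], self::h($password, $rec['salt']))) {
                return $this->honeychecker[$user] === $i ? 'ok' : 'honeyword'; // 3.1.3 check
            }
        }
        return 'wrong';
    }
}
$hw = new Honeywords(); $hw->initialize(20); $hw->register('Admin', 'admin123');
echo $hw->login('Admin', 'admin123'), "\n";
```

A login with a decoy password from file 2 that appears in the user's honeyindex list returns 'honeyword', which is the event the library reacts to in section 3.2.5.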

3.2. Choosing Policy


The choice of policies in the honeywords scheme must be considered carefully, because the policy
selection affects which password-cracking attacks remain possible.

3.2.1. Wrong Login. When the password entered during the login process is incorrect, the system
must respond. This is done to counter the brute-force attacks that might be carried out by the attacker.
When the number of failed logins reaches the maximum limit, the associated username is
deactivated.


3.2.2. Password Composition. The password requirement used in the library is basic16, because
basic16 is considered quite strong and easy for users to use [12]. Choosing basic16 also increases
the number of unique passwords in the system, thus minimizing the similarity or repetition of
password values and minimizing the likelihood of an attacker successfully carrying out a brute-force
attack. In addition, the registered password must not contain any password value from the list of
the 1000 most common passwords. If the registered password contains a word from the list, the
system rejects it.

3.2.3. Password Storage. Passwords are not stored directly in the database. In this study, the
password is stored as its SHA3-256 hash with an added salt, and each salt value is used for only
one password. The password storage scheme is as follows:

H(p) = SHA3-256(password || salt)

SHA3-256 was chosen because it belongs to the latest generation of hash algorithms and no collisions
have been found for it, unlike the MD5 [13] and SHA-1 [14] hash algorithms.

3.2.4. Index function. PHP provides several random integer generator functions. These random
integers are used to generate the index values used for honeywords. The integer value must be
random and not easily repeated, to make it harder for an attacker to determine the index value
and to minimize reuse of the same password index value.
In this study, the random_int() function was selected. This is based on our randomness testing
with the NIST 800-22 Statistical Test Suite [15] (Table 1), which indicated that the function's
output is random. In this testing, we used 1 thousand samples of 1 million bits each.

Table 1. Results of testing the random_int() function with NIST 800-22.

No.  Test                     Result        Min. Value  Status
1.   Frequency                991/1000      980         Passed
2.   BlockFrequency           989/1000      980         Passed
3.   CumulativeSums           990.5/1000    980         Passed
4.   Runs                     990/1000      980         Passed
5.   LongestRun               981/1000      980         Passed
6.   Rank                     993/1000      980         Passed
7.   FFT                      989/1000      980         Passed
8.   NonOverlappingTemplate   990.25/1000   980         Passed
9.   OverlappingTemplate      985/1000      980         Passed
10.  Universal                989/1000      980         Passed
11.  ApproximateEntropy       984/1000      980         Passed
12.  RandomExcursions         607.6/612     598         Passed
13.  RandomExcursionsVariant  606.3/612     598         Passed
14.  Serial                   991.5/1000    980         Passed
15.  LinearComplexity         987/1000      980         Passed

3.2.5. System Response. When the system detects a honeyword during the login process, the
corresponding username is deactivated. In addition, the system sends an email notification asking the
user to change the password, and records the event in the system log.
The same reaction occurs when brute-force activity is detected. The system detects brute-force
activity when the login tolerance reaches the maximum limit. The system then deactivates the
associated username and sends a notification to the user via email. The admin can monitor these
events from the log file.
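The policies of sections 3.2.1, 3.2.2 and 3.2.5 combined, as an added example in plain PHP that is not the paper's library. The class name, the limit of 5 failed logins, the short common-password excerpt and the notify callback are assumptions; basic16 is applied as a minimum length of 16 characters with no other composition rule.

```php
<?php
// Added example, not the paper's library: the login policies of section 3.2 in one class.
// The failure limit, the blacklist excerpt and the notify callback are assumptions.
final class LoginPolicy
{
    const MIN_LENGTH = 16;   // basic16: at least 16 characters, no other composition rule
    const MAX_FAILURES = 5;  // assumed login tolerance before the username is deactivated
    private array $common;   // excerpt standing in for the 1000-most-common-passwords list
    private array $failures = [];
    private array $deactivated = [];
    public array $log = [];  // the log file the admin monitors
    public function __construct(array $common) { $this->common = array_map('strtolower', $common); }
    // 3.2.2 Password composition: basic16 and no word from the common-password list.
    public function acceptable(string $password): bool
    {
        if (strlen($password) < self::MIN_LENGTH) { return false; }
        $lower = strtolower($password);
        foreach ($this->common as $word) {
            if (strpos($lower, $word) !== false) { return false; }
        }
        return true;
    }
    // 3.2.1 / 3.2.5: feed each login verdict ('ok', 'wrong' or 'honeyword') here;
    // returns whether the user is authenticated.
    public function react(string $user, string $verdict, callable $notify): bool
    {
        if (!empty($this->deactivated[$user])) { return false; }
        if ($verdict === 'ok') { $this->failures[$user] = 0; return true; }
        if ($verdict === 'honeyword') {
            return $this->deactivate($user, 'password-cracking detected: honeyword used', $notify);
        }
        $this->failures[$user] = ($this->failures[$user] ?? 0) + 1;
        if ($this->failures[$user] >= self::MAX_FAILURES) {
            return $this->deactivate($user, 'brute-force suspected: login tolerance reached', $notify);
        }
        return false;
    }
    private function deactivate(string $user, string $reason, callable $notify): bool
    {
        $this->deactivated[$user] = true;
        $this->log[] = date('c') . " $user: $reason";
        $notify($user, "Account deactivated ($reason). Please change your password.");
        return false;
    }
}
$policy = new LoginPolicy(['123456', 'password', 'qwerty', 'admin123']);
var_dump($policy->acceptable('Admin123isNotAllowed!'));        // rejected: contains a listed word
var_dump($policy->acceptable('correct horse battery staple')); // accepted: 28 characters, no listed word
$policy->react('Admin', 'honeyword', fn($u, $m) => print("mail to $u: $m\n"));
print_r($policy->log);
```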


3.3. Feature on Library


The features of the library are determined from several prerequisites in the literature [1] and [2], as well
as benchmarking against the existing CodeIgniter authentication libraries. The features of the library are
shown in Table 2.

Table 2. Features of the honeywords library
No.  Feature
1    Initialization System
2    Registration
3    User Activation
4    Login
5    Remember me
6    Password-cracking Detection
7    Brute-Force Attack Prevention
8    Forgot Password
9    Change Password
10   Logout

4. Security Testing

4.1 The Attacker Has Successfully Performed Password-Cracking


In this case, the attacker manages to obtain the username and hash pairs and has successfully cracked them
offline, so that it obtains the original password values behind the hashes. In the honeywords system, each
username has several password pairs, so when the attacker tries to log in and the system detects a
honeyword, the password-cracking event is detected by the system. The result of the attack is that the
system detected a honeyword, so the system gives a warning to the user in the form of an email
notification, as shown in Figure 5.

Figure 4. Attack demo with Hydra.

Figure 5. Email notification of password cracking.

4.2 The Attacker Doing Brute Force Attacks


In this case, the attacker only knows the username and has no password value. The attacker tries to
crack passwords online by brute-force attacks using word lists. The system counts the login errors, so
the brute-force attack can be detected and prevented by deactivating the username. Figure 7 shows
a username that was deactivated by the system because a brute-force attack was suspected.

Figure 6. Brute-force attack with Hydra.

Figure 7. User is deactivated because a brute-force attack is detected.


5. Conclusion
Based on the analysis of the attacks that were carried out, the library system can detect password
cracking by identifying the honeywords entered by the attacker. When password-cracking is detected,
the system sends notification emails to users. In addition, the library has also been shown to prevent
brute-force attacks by blocking or deactivating user accounts.

6. References
[1] Juels A and Rivest R 2013 Honeywords: making password-cracking detectable Proc. 2013 ACM SIGSAC Conf. on Computer and Communications Security pp 145–160
[2] Erguler I 2015 Achieving flatness: selecting the honeywords from existing user passwords IEEE Transactions on Dependable and Secure Computing 13(2) 284–295
[3] Coderseye.com 2018 11 best PHP frameworks for modern web developers in 2018 (online) https://coderseye.com/best-php-frameworks-for-web-developers/ (accessed 26 April 2018)
[4] Beck K 2016 Hackers are selling account credentials for 400 million Tumblr and MySpace (online) http://mashable.com/2016/05/31/myspace-tumblr-hack (accessed 19 December 2017)
[5] Heim P 2017 Resetting passwords to keep your files safe (online) https://blogs.dropbox.com/dropbox/2016/08/resetting-passwordsto-keepyourfiles-safe/ (accessed 19 December 2017)
[6] Houshmand S, Aggarwal S and Flood R 2015 Next Gen PCFG password cracking IEEE Transactions on Information Forensics and Security 10(8) 1776–1791
[7] Qiu Weidong, Zheng Gong, Yidong Guo, Bozhong Liu, Xiaoming Tang and Yuheng Yuan 2013 GPU-based high performance password recovery technique for hash functions Journal of Information Science and Engineering
[8] Tatli E 2015 Cracking more password hashes with patterns IEEE Transactions on Information Forensics and Security 10(8) 1656–1665
[9] Nathezhtha T and Vaidehi V 2017 Honeyword with salt-chlorine generator to enhance security of cloud user credentials Security in Computing and Communications vol 746 (Singapore: Springer Singapore) pp 159–169
[10] Himawan A 2014 Performance analysis framework CodeIgniter and CakePHP in website creation International Journal of Computer Applications 94(20)
[11] Li Xiaosong, Karnan S and Ali J 2017 An empirical study of three PHP frameworks International Conference on Systems and Informatics
[12] Kelley P G, Komanduri S, Mazurek M, Shay R, Vidas T, Bauer L and Lopez J 2012 Guess again (and again and again): measuring password strength by simulating password-cracking algorithms IEEE pp 523–537
[13] Wang X, Feng D, Lai X and Yu H 2004 Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD IACR Cryptology ePrint Archive 199
[14] Stevens M, Karpman, Albertini and Markov Y 2017 The first collision for full SHA-1 Annual International Cryptology Conference, Advances in Cryptology
[15] Rukhin A, Soto J, Nechvatal J, Smid M, Barker E, Leigh S, Levenson M, Vangel M, Banks D, Heckert A, Dray J and Vo S 2010 A statistical test suite for random and pseudorandom number generators for cryptographic applications NIST Special Publication 800-22
