ardianbk96@gmail.com
Abstract. Stolen password-hash files are a common threat to web-based authentication. The
password hashes can be cracked with newer methods that are faster and easier, and the attacker
can then simply log in to the system with the recovered original password without being
detected. To answer this problem, researchers have proposed methods for detecting password
cracking, such as honeywords. In this study we implement an existing-user honeywords scheme in
the form of a CodeIgniter web-based library. Honeywords are decoy passwords used as bait. The
library produced in this study is expected to serve web application developers as an alternative
authentication library.
1. Introduction
The theft and cracking of password files on a website is a serious security issue. One scheme that
can detect password cracking is called honeywords [1]. Honeywords are decoy passwords stored
alongside the original password in the password database to protect the original password. If the
attacker succeeds in cracking and tries to log in with a honeyword, the password cracking will be
detected. The newer honeywords generation scheme that uses the passwords of other users
(existing users) [2] is better than the original one [1]. To make it easier for web application
developers to use the honeywords scheme to detect password cracking, in this study the honeywords
scheme is implemented as a library based on CodeIgniter. CodeIgniter was chosen because, among
other reasons, it was the second most popular framework in use in 2018 [3].
2. Related Work
This section reviews the related literature used in this study.
Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution
of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
Published under licence by IOP Publishing Ltd
TICATE 2018 IOP Publishing
IOP Conf. Series: Materials Science and Engineering 508 (2019) 012134 doi:10.1088/1757-899X/508/1/012134
can just crack it with a new method that is easier and faster [6] [7] [8]. To overcome this, a
password storage scheme that can detect password cracking is needed.
2.2. Honeywords
Honeywords were first introduced by Juels and Rivest [1] in 2013. Then in 2015, Imran [2]
introduced a new scheme with advantages over it in terms of storage, flatness and usability. The
honeywords scheme that uses existing users' password values, by Imran [2], was therefore chosen in
this study: it has fairly good flatness, so the honeywords are harder to guess [9], and it does not
require additional algorithms. In general, the existing-user honeywords scheme has 4 main stages.
Each stage of the scheme [2] is explained in section 3.1.
2.3. CodeIgniter
CodeIgniter is an open source framework used to create dynamic web applications. CodeIgniter has
an MVC structure (Model, View, Controller), so the coding process is more structured and follows
standards. CodeIgniter was also chosen because it is easy to learn, lightweight [10], and proven to
perform better than other frameworks such as CakePHP and Laravel [11]. Examples of
CodeIgniter-based authentication libraries that have been made include DX Auth (by Jason
Ashdown), Ion Auth (by Ben Edmunds), Tank Auth (by Ilya Konyukhov) and Bit Auth (by Dan
Montgomery). The scope of the library created in this study is shown in Figure 1.
3. Implementation
3.1.1 Initialization. At this stage, initialization is done by creating usernames and generating
fake passwords that are used as honeywords. Random indexes are also generated from the range
[1, N], where N = 2^31 - 1. Figure 2 shows the initialization process scheme. In general, the tables
in the main database after initialization are as in file 1 and file 2: file 1 holds a username and
its honeyindex, and file 2 holds an index value paired with the hash value of a password.
3.1.2 Registration. In the registration process, the user enters a username and password (e.g.
Admin and admin123). To obtain the honeywords list, the system generates a random number as the
index of the original password and k random numbers (k = n - 1, where n is the size of the index
group per username) as the honeyindex, which are taken from the indexes of existing passwords.
After registration, the password storage files (file 1 and 2) change accordingly. The registration
scheme is shown in Figure 3.
3.1.3 Honeychecker. The honeychecker verifies whether the password used to log in is the
original password or a honeyword. The honeychecker stores the username and the true index value
for that username. Honeychecker examples can be seen in Figure 3.
[Figure: process diagram with the boxes "Generate fake username", "Generate fake password", "Generate random index [1, k]", "File 1" and "File 2"]
3.1.4 Login. At login, the entered password (P_x) is compared to the hash values of the
honeyindex in file 2 for that username. If the password matches a hash value (H(P_x)), the
corresponding index value is sent to the honeychecker. The honeychecker checks whether the index
value matches the one held for the intended username. If it is the same, the user is
authenticated. If not, it can be said that password cracking has occurred, because the password
entered is a honeyword, which should not be known by anyone.
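The four stages above in one place, as an added PHP example written for this page and not the paper's CodeIgniter library: file 1, file 2 and the honeychecker record are kept in memory, and the seed passwords, the return codes and the class name are assumptions of this sketch.

```php
<?php
// Added example, not code from the paper's library: the existing-user honeywords scheme of
// sections 3.1.1-3.1.4. File 1 maps username -> index group, file 2 maps index -> hash, and
// the honeychecker (a separate host in the paper) maps username -> true index. Hashing is
// unsalted sha3-256 to keep it short (salting is 3.2.3); seed passwords are constructed.
final class HoneywordStore
{
    private const N = 2147483647;      // index range [1, 2^31 - 1]
    private const K = 3;               // honeywords per user (k = n - 1 with n = 4)
    private array $file1 = [];         // username => [index, ...] in random order
    private array $file2 = [];         // index    => sha3-256 hash of a password
    private array $honeychecker = [];  // username => true index
    public array $disabled = [];       // usernames deactivated by the system response (3.2.5)
    // 3.1.1 Initialization: seed file 2 with fake passwords so that even the first real
    // user can borrow honeyindexes from "existing" entries.
    public function __construct(int $fakes = 8) {
        for ($i = 0; $i < $fakes; $i++) {
            $this->file2[$this->freshIndex()] = hash('sha3-256', bin2hex(random_bytes(12)));
        }
    }
    private function freshIndex(): int {
        do { $i = random_int(1, self::N); } while (isset($this->file2[$i]));
        return $i;                                    // an index is never reused
    }
    // 3.1.2 Registration: one fresh index for the real password plus k indexes drawn from
    // other existing entries; the group is shuffled so file 1 reveals no order.
    public function register(string $user, string $pw): void {
        $true = $this->freshIndex();
        $this->file2[$true] = hash('sha3-256', $pw);
        $pool = array_diff(array_keys($this->file2), [$true]);   // needs at least K entries
        $group = array_merge([$true], (array) array_rand(array_flip($pool), self::K));
        shuffle($group);
        $this->file1[$user] = $group;
        $this->honeychecker[$user] = $true;           // 3.1.3 honeychecker record
    }
    // 3.1.4 Login: match H(Px) against the user's index group in file 2, then ask the
    // honeychecker whether that index is the true one. 'honeyword' means cracking detected.
    public function login(string $user, string $pw): string {
        if (!isset($this->file1[$user]) || isset($this->disabled[$user])) { return 'denied'; }
        $h = hash('sha3-256', $pw);
        foreach ($this->file1[$user] as $idx) {
            if (!hash_equals($this->file2[$idx], $h)) { continue; }
            if ($idx === $this->honeychecker[$user]) { return 'ok'; }
            $this->disabled[$user] = true;            // deactivate, then e-mail and log (3.2.5)
            return 'honeyword';
        }
        return 'wrong';
    }
}
```

Because every honeyindex points at a real existing hash, a login attempt whose password hashes to one of them is precisely the cracking signal the scheme exists to catch, and the account is deactivated on the spot.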
3.2.1. Wrong Login. When the password entered during login is incorrect, the system must
respond. This is done to counter brute-force attacks that might be carried out by the attacker.
When the number of failed attempts reaches the maximum limit, the associated username is
deactivated.
3.2.2. Password Composition. The password requirement used in the library is basic16. This is
because basic16 is considered quite strong and easy for users to use [12]. Choosing basic16 also
increases the number of unique passwords in the system, thus minimizing the similarity or
repetition of password values and the likelihood of an attacker successfully carrying out a
brute-force attack. In addition, a registered password must not contain any password value from
the list of the 1000 most common passwords; if it contains a word from the list, the system
rejects it.
3.2.3. Password Storage. Passwords are not stored in the database directly. In this study, the
password is stored using the SHA3-256 hash function with an additional salt, and each salt value
is used for only one password. The password storage scheme is as follows,
The SHA3-256 algorithm was chosen because it belongs to the latest generation of hash algorithms
and no collisions have been found for it, unlike the MD5 [13] and SHA-1 [14] hash algorithms.
3.2.4. Index function. PHP provides several random integer generator functions. Such a random
integer is used to generate the index values used for honeywords. The integer value must be random
and not easily repeated, to make it harder for the attacker to determine the index value and to
minimize reuse of the same password index value.
In this study, the random_int() function was selected. This is based on our randomness testing
results (Table 1) using the NIST 800-22 Statistical Test Suite [15], which indicate that the
function's output is random. In this test we used 1 thousand samples of 1 million bits each.
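The registration-side rules of sections 3.2.2 to 3.2.4 together, as an added PHP example that is not the paper's library code: the five-entry common-password list, the record layout and the function names are assumptions of this sketch.

```php
<?php
// Added example, not the paper's library code: the registration-side rules of sections
// 3.2.2-3.2.4. A password must follow basic16 (16+ characters, no composition rules) and must
// not contain any entry of the common-password list; it is stored as sha3-256 over a per-password
// salt under a random_int() index that is never reused. The five-entry list stands in for the
// paper's 1000-entry list, and the record layout below is an assumption of this sketch.
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'admin123', 'letmein'];
const INDEX_MAX = 2147483647;                          // N = 2^31 - 1

// Returns the list of reasons a candidate password is rejected (empty means accepted).
function passwordProblems(string $pw): array {
    $problems = [];
    if (strlen($pw) < 16) {                            // byte length; use mb_strlen for multibyte
        $problems[] = 'basic16: at least 16 characters required';
    }
    foreach (COMMON_PASSWORDS as $common) {
        if (stripos($pw, $common) !== false) {         // reject if it merely contains a listed word
            $problems[] = "contains common password '$common'";
        }
    }
    return $problems;
}

// Builds a file-2 style record; $file2 is the existing index => record map, consulted so
// that a freshly drawn index never collides with one already in use.
function storePassword(array $file2, string $pw): array {
    $problems = passwordProblems($pw);
    if ($problems !== []) {
        throw new InvalidArgumentException(implode('; ', $problems));
    }
    do { $index = random_int(1, INDEX_MAX); } while (isset($file2[$index]));
    $salt = bin2hex(random_bytes(16));                 // one salt per stored password
    return ['index' => $index, 'salt' => $salt, 'hash' => hash('sha3-256', $salt . $pw)];
}

// Recomputes the salted hash and compares in constant time.
function verifyPassword(array $record, string $pw): bool {
    return hash_equals($record['hash'], hash('sha3-256', $record['salt'] . $pw));
}

// Constructed usage: register one password, then verify it against its stored record.
$file2 = [];
$record = storePassword($file2, 'correct horse battery staple');
$file2[$record['index']] = $record;
$accepted = verifyPassword($record, 'correct horse battery staple');
$rejected = passwordProblems('admin123');              // too short and contains a listed word
```

One practitioner's caveat: collision resistance is not what protects a stored password hash, cracking speed is, so a deliberately slow password hash such as bcrypt or Argon2 via PHP's password_hash() is the usual choice where this sketch follows the paper in using salted SHA3-256.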
3.2.5. System Response. When the system detects a honeyword in the login process, the
corresponding username is deactivated. In addition, the system sends an email notification asking
the user to change the password, and records the event in the system log.
The same reaction occurs when brute-force attack activity is detected. The system detects
brute-force activity when the number of failed logins reaches the maximum limit. The system's
reaction is to deactivate the associated username and send a notification to the user via email.
The admin can monitor these occurrences from the log file.
4. Security Testing
5. Conclusion
Based on the analysis of the attacks that were carried out, it was found that the library can
detect password cracking by identifying the honeywords entered by the attacker. When password
cracking is detected, the system sends notification emails to users. In addition, the library is
also shown to counter brute-force attacks by blocking or deactivating user accounts.
6. References
[1] Juels A and Rivest R 2013 Honeywords: Making password-cracking detectable Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security 145–160
[2] Erguler I 2015 Achieving Flatness: Selecting the Honeywords from Existing User Passwords IEEE Transactions on Dependable and Secure Computing 13(2) 284–295
[3] Codeerseye.com 2018 11 Best PHP Frameworks for Modern Web Developers in 2018 (online) https://coderseye.com/best-php-frameworks-for-web-developers/ (accessed 26 April 2018)
[4] Beck K 2016 Hackers are selling account credentials for 400 million Tumblr and MySpace (online) http://mashable.com/2016/05/31/myspace-tumblr-hack (accessed 19 December 2017)
[5] Heim P 2017 Resetting passwords to keep your files safe (online) https://blogs.dropbox.com/dropbox/2016/08/resetting-passwordsto-keepyourfiles-safe/ (accessed 19 December 2017)
[6] Houshmand S, Aggarwal S and Flood R 2015 Next Gen PCFG Password Cracking IEEE Transactions on Information Forensics and Security 10(8) 1776–1791
[7] Qiu W, Gong Z, Guo Y, Liu B, Tang X and Yuan Y 2013 GPU-Based High Performance Password Recovery Technique for Hash Functions Journal of Information Science and Engineering
[8] Tatli E 2015 Cracking More Password Hashes With Patterns IEEE Transactions on Information Forensics and Security 10(8) 1656–1665
[9] Nathezhtha T and Vaidehi V 2017 Honeyword with Salt-Chlorine Generator to Enhance Security of Cloud User Credentials Security in Computing and Communications 746 159–169 (Singapore: Springer Singapore)
[10] Himawan A 2014 Performance Analysis Framework Codeigniter and CakePHP in Website Creation International Journal of Computer Applications 94(20)
[11] Li X, Karnan S and Ali J 2017 An Empirical Study of Three PHP Frameworks International Conference on Systems and Informatics
[12] Kelley P G, Komanduri S, Mazurek M, Shay R, Vidas T, Bauer L and Lopez J 2012 Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms IEEE 523–537
[13] Wang X, Feng D, Lai X and Yu H 2004 Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD IACR Cryptology ePrint Archive 199
[14] Stevens M, Karpman, Albertini and Markov Y 2017 The First Collision for Full SHA-1 Annual International Cryptology Conference - Advances in Cryptology
[15] Rukhin A, Juan S, James N, Miles S, Elaine B, Stefan L, Mark L, Mark V, David B, Alan, James D and San Vo 2010 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications NIST Special Publication 800-22