ESP Journal of Engineering & Technology Advancements
© 2024 by ESP JETA
Volume 4 Issue 2
Year of Publication: 2024
Authors: Pavan Navandar
Pavan Navandar, 2024. Decoy Password Managers: Securing Against PII and Partial Password Breaches, ESP Journal of Engineering & Technology Advancements 4(2): 154-159.
Decoy password managers are advanced password management tools intended to strengthen password protection by creating fake vaults that deceive an attacker who compromises the storage file. Such fake vaults are designed to make offline guessing attacks more complex and time-consuming, adding another layer of protection against unauthorized access. Nevertheless, despite their efficiency, decoy password managers face numerous challenges once attackers gain access to PII or partial passwords. In such cases, the PII or partial passwords can be used to filter the potentially valid passwords, reducing the efficacy of decoy vaults and risking exposure of sensitive data. The two primary attack scenarios discussed here revolve around PII or partial password exposure. The first uses PII for targeted guessing attacks, in which brute-force effort is refined by guesses derived from personal information. The second deals with how partial password exposures, such as previous breaches or password hints, diminish the complexity of attacking decoy vaults. This paper therefore proposes a novel decoy vault that strengthens the existing defense mechanisms of decoy password managers with advanced obfuscation and adaptive vault generation strategies, which further complicate an attacker's ability to differentiate valid passwords from decoy data even after they possess PII or partial passwords. By incorporating these features, the proposed solution strengthens password management systems significantly and makes them far more resistant to today's prevalent attack vectors, while keeping users' sensitive information well protected.
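The following simulation is an added illustration, not code from the paper, of why decoy generation must be conditioned on the information assumed to have leaked. It constructs a hypothetical two-entry vault, a leaked name and year, and a leaked password prefix, then measures how many decoys from a generic model versus an adaptive model survive the consistency filter such leaks enable; all names, words and vault values are made up.

```python
import random

# Constructed sample data (hypothetical, not from the paper): a two-entry real
# vault, the PII and the password prefix assumed to have leaked elsewhere.
REAL_VAULT = {"mail": "Pavan1990!", "bank": "Hunter2024#"}
LEAKED_PII = {"name": "Pavan", "year": "1990"}
LEAKED_PARTIAL = {"mail": "Pavan"}      # first five characters of one password
GENERIC_WORDS = ["Tiger", "Summer", "Hunter", "Orange", "Delta", "Rocket"]


def naive_decoy(rng):
    """Decoy vault from a generic password model that ignores the user's PII."""
    return {site: rng.choice(GENERIC_WORDS) + str(rng.randint(1970, 2024))
            + rng.choice("!#?") for site in REAL_VAULT}


def adaptive_decoy(rng):
    """Decoy vault conditioned on the information assumed to be leaked: each
    known prefix is honoured, and at least one entry reuses the leaked year,
    so the decoy matches the real vault on everything the attacker knows."""
    sites = list(REAL_VAULT)
    year_site = rng.choice(sites)
    vault = {}
    for site in sites:
        word = LEAKED_PARTIAL.get(site) or rng.choice([LEAKED_PII["name"]] + GENERIC_WORDS)
        year = LEAKED_PII["year"] if site == year_site else str(rng.randint(1970, 2024))
        vault[site] = word + year + rng.choice("!#?")
    return vault


def attacker_filter(vault):
    """Consistency check an attacker can apply offline with the leaked data:
    keep a candidate vault only if every known prefix matches and the
    leaked year appears somewhere (the PII-targeted guessing heuristic)."""
    prefixes_ok = all(vault[s].startswith(p) for s, p in LEAKED_PARTIAL.items())
    pii_ok = any(LEAKED_PII["year"] in pw for pw in vault.values())
    return prefixes_ok and pii_ok


def survival_rate(generator, n=1000, seed=7):
    """Fraction of n decoy vaults the filter cannot eliminate; the decoys'
    contribution to the attacker's remaining work is proportional to it."""
    rng = random.Random(seed)
    return sum(attacker_filter(generator(rng)) for _ in range(n)) / n


if __name__ == "__main__":
    print("real vault survives filter:", attacker_filter(REAL_VAULT))
    print("naive decoys surviving   :", survival_rate(naive_decoy))
    print("adaptive decoys surviving:", survival_rate(adaptive_decoy))
```

With the generic model every decoy is eliminated by the leaked prefix alone, so the real vault is the only survivor; with the adaptive model all decoys survive, and the attacker's offline work is back to the full set of candidate vaults.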
Keywords: Decoy Password Managers, Password Security, Offline Guessing Attacks, Personally Identifiable Information (PII), Partial Password Leaks, Storage File Compromise, Password Management, Cybersecurity, Attack Mitigation, Vault Obfuscation.