HPAKE: Honey Password-authenticated Key Exchange for Fast and Safer Online Authentication

Wenting Li*, Ping Wang*, Kaitai Liang

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

39 Downloads (Pure)


Password-only authentication is one of the most popular secure mechanisms for real-world online applications. But it easily suffers from a practical threat - password leakage, incurred by external and internal attackers. The external attacker may compromise the password file stored on the authentication server, and the insider may deliberately steal the passwords or inadvertently leak the passwords. So far, there are two main techniques to address the leakage: Augmented password-authentication key exchange (aPAKE) against insiders and honeyword technique for external attackers. But none of them can resist both attacks. To fill the gap, we propose the notion of <italic>honey PAKE (HPAKE)</italic> that allows the authentication server to detect the password leakage and achieve the security beyond the traditional bound of aPAKE. Further, we build an HPAKE construction on the top of the honeyword mechanism, honey encryption, and OPAQUE which is a standardized aPAKE. We formally analyze the security of our design, achieving the insider resistance and the password breach detection. We implement our design and deploy it in the real environment. The experimental results show that our protocol only costs 71.27 ms for one complete run, within 20.67 ms on computation and 50.6 ms on communication. This means our design is secure and practical for real-world applications.

Original languageEnglish
Pages (from-to)1596-1609
Number of pages14
JournalIEEE Transactions on Information Forensics and Security
Publication statusPublished - 2023

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


  • Password
  • honeyword
  • leakage detection
  • password-authenticated key exchange


Dive into the research topics of 'HPAKE: Honey Password-authenticated Key Exchange for Fast and Safer Online Authentication'. Together they form a unique fingerprint.

Cite this