Incrementally updateable honey password vaults

Haibo Cheng, Wenting Li, Ping Wang*, Chao Hsien Chu, Kaitai Liang

*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

2 Citations (Scopus)


Password vault applications allow a user to store multiple passwords in a vault and choose a master password to encrypt the vault. In practice, attackers may steal the storage file of the vault and further compromise all stored passwords by offline guessing the master password. Honey vaults have been proposed to address the threat. By producing plausible-looking decoy vaults for wrong master passwords, honey vaults force attackers to shift offline guessing to online verifications. However, the existing honey vault schemes all suffer from intersection attacks in the multi-leakage case where an old version of the storage file (e.g., a backup) is stolen along with the current version. The attacker can offline identify the decoys and completely break the schemes. We design a generic construction based on a multi-similar-password model and further propose an incremental update mechanism. With our mechanism, the attacker cannot get any extra advantages from the old storage, and therefore degenerates to an attacker only with knowledge of the current version. To further evaluate the security in the traditional single-leakage case where only the current version is stolen, we investigate the theoretically optimal strategy for online verifications, and propose practical attacks. Targeting the existing schemes, our attacks crack 33%-55% of real vaults via only one-time online guess and achieve 85%-94% accuracy in distinguishing real vaults from decoys. In contrast, our design reduces the values of the two metrics to 2% and 58% (close to the ideal values 0% and 50%), respectively. This indicates that the attackers needs to carry out 2.8x-7.5x online verifications to break our scheme.

Original languageEnglish
Title of host publicationProceedings of the 30th USENIX Security Symposium
PublisherUSENIX Association
Number of pages18
ISBN (Electronic)9781939133243
Publication statusPublished - 2021
Event30th USENIX Security Symposium - Virtual, Online
Duration: 11 Aug 202113 Aug 2021

Publication series

NameProceedings of the 30th USENIX Security Symposium


Conference30th USENIX Security Symposium
CityVirtual, Online


Dive into the research topics of 'Incrementally updateable honey password vaults'. Together they form a unique fingerprint.

Cite this