{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T01:51:37Z","timestamp":1764813097488,"version":"3.37.3"},"reference-count":49,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,10,4]],"date-time":"2024-10-04T00:00:00Z","timestamp":1728000000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,10,4]],"date-time":"2024-10-04T00:00:00Z","timestamp":1728000000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62172404","62172411","61972094","62202458"],"award-info":[{"award-number":["62172404","62172411","61972094","62202458"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Honey vaults are useful tools for password management. A vault usually contains usernames for each domain, and the corresponding passwords, encrypted with a master password chosen by the owner. By generating decoy vaults for incorrect master password attempts, honey vaults force attackers with the vault\u2019s storage file to engage in online verification to distinguish the real vaults, thus thwarting offline guessing attacks. However, sophisticated attackers can acquire additional information, such as personally identifiable information (PII) and partial passwords contained within the vault from various data breaches. Since many users tend to incorporate PII in their passwords, attackers may utilize PII to distinguish the real vault. 
Furthermore, if attackers learn partial passwords included in the real vault, they can exclude numerous decoy vaults without any online verification. Both leakages pose serious threats to the security of existing honey vault schemes. In this paper, we explore two attack variants of this scenario, in which the attacker obtains the vault\u2019s storage file together with PII and partial passwords contained in the real vault, and we design a new honey vault scheme. For security assurance, we prove that our scheme is secure against one of these attack variants; moreover, our experimental findings suggest improved security against the other. In particular, to evaluate security in the multiple-leakage case, where both the vault\u2019s storage file and PII are leaked, we propose several new practical attacks (called PII-based attacks) that build on the existing practical attacks for the traditional single-leakage case, where only the vault\u2019s storage file is compromised. Our experimental results demonstrate that certain PII-based attacks achieve 63\u201370% accuracy in distinguishing the real vault from decoys in the best-performing prior honey vault scheme (Cheng et al. in Incrementally updateable honey password vaults, pp 857\u2013874, 2021). 
Our scheme reduces these metrics to 41\u201350%, closely approaching the ideal value of 50%.<\/jats:p>","DOI":"10.1186\/s42400-024-00236-6","type":"journal-article","created":{"date-parts":[[2024,10,4]],"date-time":"2024-10-04T01:01:19Z","timestamp":1728003679000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Honey password vaults tolerating leakage of both personally identifiable information and passwords"],"prefix":"10.1186","volume":"7","author":[{"given":"Chao","family":"An","sequence":"first","affiliation":[]},{"given":"YuTing","family":"Xiao","sequence":"additional","affiliation":[]},{"given":"HaiHang","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Han","family":"Wu","sequence":"additional","affiliation":[]},{"given":"Rui","family":"Zhang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,10,4]]},"reference":[{"key":"236_CR1","unstructured":"(2016) The password is dead, long live the password! https:\/\/www.nccgroup.trust\/uk\/about-us\/newsroom-and-events\/blogs\/2016\/october\/the-password-is-dead-long-live-the-password\/"},{"key":"236_CR2","unstructured":"(2017) Passwords are not lame and they\u2019re not dead. https:\/\/it.toolbox.com\/blogs\/itmanagement\/passwords-are-not-lameand-theyre-not-dead-heres-why-072417"},{"key":"236_CR3","unstructured":"(2018) All data breach sources. https:\/\/breachalarm.com\/allsources"},{"key":"236_CR4","unstructured":"Abdelberi C, \u00c1cs G, K\u00e2afar MA (2012) You are what you like! Information leakage through users\u2019 interests"},{"key":"236_CR5","unstructured":"Adowsett F (2016) What has been leaked: impacts of the big data breaches. 
https:\/\/rantfoundry.wordpress.com\/2016\/04\/19\/what-hasbeen-leaked-impacts-of-the-big-data-breaches\/"},{"key":"236_CR6","doi-asserted-by":"crossref","unstructured":"Bojinov H, Bursztein E, Boyen X et\u00a0al (2010) Kamouflage: loss-resistant password management, pp 286\u2013302","DOI":"10.1007\/978-3-642-15497-3_18"},{"key":"236_CR7","unstructured":"Bonneau J, Schechter SE (2014) Towards reliable storage of 56-bit secrets in human memory, pp 607\u2013623"},{"key":"236_CR8","doi-asserted-by":"crossref","unstructured":"Bonneau J, Herley C, van Oorschot PC et\u00a0al (2012) The quest to replace passwords: a framework for comparative evaluation of web authentication schemes, pp 553\u2013567","DOI":"10.1109\/SP.2012.44"},{"issue":"7","key":"236_CR9","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1145\/2699390","volume":"58","author":"J Bonneau","year":"2015","unstructured":"Bonneau J, Herley C, van Oorschot PC et al (2015) Passwords and the evolution of imperfect authentication. Commun ACM 58(7):78\u201387","journal-title":"Commun ACM"},{"key":"236_CR10","unstructured":"Burnett M (2016) Is there life after passwords? 
https:\/\/medium.com\/un-hackable\/is-there-life-after-passwords-290d50fc6f7d"},{"key":"236_CR11","doi-asserted-by":"crossref","unstructured":"Chatterjee R, Bonneau J, Juels A et\u00a0al (2015) Cracking-resistant password vaults using natural language encoders, pp 481\u2013498","DOI":"10.1109\/SP.2015.36"},{"key":"236_CR12","unstructured":"Cheng H, Zheng Z, Li W et\u00a0al (2019) Probability model transforming encoders against encoding attacks, pp 1573\u20131590"},{"key":"236_CR13","doi-asserted-by":"crossref","unstructured":"Cheng H, Li W, Wang P et\u00a0al (2021) Incrementally updateable honey password vaults, pp 857\u2013874","DOI":"10.1016\/j.neucom.2022.06.068"},{"key":"236_CR14","doi-asserted-by":"crossref","unstructured":"Das A, Bonneau J, Caesar M et\u00a0al (2014) The tangled web of password reuse","DOI":"10.14722\/ndss.2014.23357"},{"key":"236_CR15","doi-asserted-by":"crossref","unstructured":"Dong Q, Wang D, Shen Y et\u00a0al (2022) Pii-psm: a new targeted password strength meter using personally identifiable information. In: International conference on security and privacy in communication systems. Springer, pp 648\u2013669","DOI":"10.1007\/978-3-031-25538-0_34"},{"key":"236_CR16","doi-asserted-by":"crossref","unstructured":"Freeman D, Jain S, D\u00fcrmuth M et\u00a0al (2016) Who are you? A statistical approach to measuring user authenticity","DOI":"10.14722\/ndss.2016.23240"},{"key":"236_CR17","unstructured":"Goldman J (2013) Chinese hackers publish 20 million hotel reservations. 
http:\/\/www.esecurityplanet.com\/hackers\/chinese-hackerspublish-20-million-hotel-reservations.html"},{"key":"236_CR18","doi-asserted-by":"crossref","unstructured":"Golla M, Beuscher B, D\u00fcrmuth M (2016) On the security of cracking-resistant password vaults, pp 1230\u20131241","DOI":"10.1145\/2976749.2978416"},{"key":"236_CR19","doi-asserted-by":"crossref","unstructured":"Grassi PA, Fenton JL, Newton EM et\u00a0al (2017) Digital identity guidelines: authentication and lifecycle management. Technical report","DOI":"10.6028\/NIST.SP.800-63b"},{"key":"236_CR20","unstructured":"Hackett R (2017) Yahoo raises breach estimate to full 3 billion accounts, by far biggest known. http:\/\/fortune.com\/2017\/10\/03\/yahoo-breach-mail\/"},{"key":"236_CR21","unstructured":"Holmes A (2021) 533 million facebook users\u2019 phone numbers and personal data have been leaked online. https:\/\/www.businessinsider.com\/stolen-data-of-533-million-facebook-users-leaked-online-2021-4"},{"key":"236_CR22","doi-asserted-by":"crossref","unstructured":"Juels A, Ristenpart T (2014) Honey encryption: security beyond the brute-force bound, pp 293\u2013310","DOI":"10.1007\/978-3-642-55220-5_17"},{"key":"236_CR23","unstructured":"Kincaid J (2011) Dropbox security bug made passwords optional for four hours. https:\/\/techcrunch.com\/2011\/06\/20\/dropbox-security-bug-made-passwords-optional-for-four-hours\/"},{"key":"236_CR24","unstructured":"Kincaid J (2014) iCloud data breach: hacking and celebrity photos. https:\/\/www.forbes.com\/sites\/davelewis\/2014\/09\/02\/icloud-data-breach-hacking-and-nude-celebrity-photos\/"},{"key":"236_CR25","volume-title":"Taxicab geometry: an adventure in non-Euclidean geometry","author":"EF Krause","year":"1986","unstructured":"Krause EF (1986) Taxicab geometry: an adventure in non-Euclidean geometry. 
Courier Corporation"},{"issue":"5323","key":"236_CR26","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1038\/234034a0","volume":"234","author":"M Levandowsky","year":"1971","unstructured":"Levandowsky M, Winter D (1971) Distance between sets. Nature 234(5323):34\u201335","journal-title":"Nature"},{"key":"236_CR27","unstructured":"Levenshtein VI et\u00a0al (1966) Binary codes capable of correcting deletions, insertions, and reversals. In: Soviet physics doklady, Soviet Union, pp 707\u2013710"},{"key":"236_CR28","doi-asserted-by":"crossref","unstructured":"Li Y, Li Y, Chen X et\u00a0al (2022) Pg-pass: targeted online password guessing model based on pointer generator network. In: 2022 IEEE 25th international conference on computer supported cooperative work in design (CSCWD). IEEE, pp 507\u2013512","DOI":"10.1109\/CSCWD54268.2022.9776149"},{"key":"236_CR29","doi-asserted-by":"crossref","unstructured":"Ma J, Yang W, Luo M et\u00a0al (2014) A study of probabilistic password models, pp 689\u2013704","DOI":"10.1109\/SP.2014.50"},{"key":"236_CR30","doi-asserted-by":"crossref","unstructured":"Mazurek ML, Komanduri S, Vidas T et\u00a0al (2013) Measuring password guessability for an entire university, pp 173\u2013186","DOI":"10.1145\/2508859.2516726"},{"key":"236_CR31","doi-asserted-by":"crossref","unstructured":"Mignotte M (1983) How to share a secret? pp 371\u2013375","DOI":"10.1007\/3-540-39466-4_27"},{"key":"236_CR32","unstructured":"Morris C (2021) Massive data leak exposes 700 million linkedin users information. 
https:\/\/fortune.com\/2021\/06\/30\/linkedin-data-theft-700-million-users-personal-information-cybersecurity\/"},{"key":"236_CR33","doi-asserted-by":"crossref","unstructured":"Pal B, Daniel T, Chatterjee R et\u00a0al (2019) Beyond credential stuffing: password similarity models using neural networks, pp 417\u2013434","DOI":"10.1109\/SP.2019.00056"},{"key":"236_CR34","unstructured":"Pearman S, Zhang SA, Bauer L et\u00a0al (2019) Why people (don\u2019t) use password managers effectively. In: Fifteenth symposium on usable privacy and security (SOUPS 2019), pp 319\u2013338"},{"key":"236_CR35","unstructured":"Pham T (2015a) Anthem breached again:hackers stole credentials. http:\/\/duo.sc\/2ene0Pr"},{"key":"236_CR36","unstructured":"Pham T (2015b) Four years later, anthem breached again: Hackers stole credentials. http:\/\/duo.sc\/2ene0Pr"},{"key":"236_CR37","doi-asserted-by":"crossref","unstructured":"Pinkas B, Sander T (2002) Securing passwords against dictionary attacks, pp 161\u2013170","DOI":"10.1145\/586110.586133"},{"issue":"11","key":"236_CR38","doi-asserted-by":"publisher","first-page":"612","DOI":"10.1145\/359168.359176","volume":"22","author":"A Shamir","year":"1979","unstructured":"Shamir A (1979) How to share a secret. Commun ACM 22(11):612\u2013613","journal-title":"Commun ACM"},{"key":"236_CR39","unstructured":"Siegrist J (2015) LastPass hacked C identified early & resolved. https:\/\/blog.lastpass.com\/2015\/06\/lastpass-security-notice.html\/"},{"key":"236_CR40","unstructured":"Turner K (2016) Hacked dropbox login data of 68 million users is now for sale on the dark web. https:\/\/www.washingtonpost.com\/news\/the-switch\/wp\/2016\/09\/07\/hacked-dropbox-data-of68-million-users-is-now-or-sale-on-the-dark-web\/"},{"key":"236_CR41","unstructured":"Ur B (2016) Supporting password-security decisions with data"},{"key":"236_CR42","unstructured":"Wang D, Jian G, Huang X et\u00a0al (2014) Zipf\u2019s law in passwords. 
Cryptology ePrint Archive, Report 2014\/631. https:\/\/eprint.iacr.org\/2014\/631"},{"key":"236_CR43","doi-asserted-by":"crossref","unstructured":"Wang D, Zhang Z, Wang P et\u00a0al (2016) Targeted online password guessing: an underestimated threat, pp 1242\u20131254","DOI":"10.1145\/2976749.2978339"},{"key":"236_CR44","doi-asserted-by":"crossref","unstructured":"Wang D, Cheng H, Wang P et\u00a0al (2018) A security analysis of honeywords","DOI":"10.14722\/ndss.2018.23142"},{"key":"236_CR45","unstructured":"Wang D, Wang P, He D et\u00a0al (2019) Birthday, name and bifacial-security: understanding passwords of Chinese web users, pp 1537\u20131555"},{"key":"236_CR46","doi-asserted-by":"crossref","unstructured":"Wang D, Zou Y, Dong Q et\u00a0al (2022) How to attack and generate honeywords, pp 966\u2013983","DOI":"10.1109\/SP46214.2022.9833598"},{"key":"236_CR47","doi-asserted-by":"crossref","unstructured":"Weir M, Aggarwal S, de\u00a0Medeiros B et\u00a0al (2009) Password cracking using probabilistic context-free grammars, pp 391\u2013405","DOI":"10.1109\/SP.2009.8"},{"key":"236_CR48","doi-asserted-by":"crossref","unstructured":"Xie Z, Zhang M, Yin A et\u00a0al (2020) A new targeted password guessing model, pp 350\u2013368","DOI":"10.1007\/978-3-030-55304-3_18"},{"issue":"5","key":"236_CR49","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1109\/MSP.2004.81","volume":"2","author":"J Yan","year":"2004","unstructured":"Yan J, Blackwell A, Anderson R et al (2004) Password memorability and security: empirical results. 
IEEE Secur Privacy Mag 2(5):25\u201331","journal-title":"IEEE Secur Privacy Mag"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00236-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00236-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00236-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,4]],"date-time":"2024-10-04T01:01:47Z","timestamp":1728003707000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00236-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,4]]},"references-count":49,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["236"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00236-6","relation":{},"ISSN":["2523-3246"],"issn-type":[{"type":"electronic","value":"2523-3246"}],"subject":[],"published":{"date-parts":[[2024,10,4]]},"assertion":[{"value":"18 January 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 March 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 October 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing 
interest"}}],"article-number":"42"}}
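The abstract above describes two ways an attacker who holds a honey vault's storage file can separate the real vault from decoys without online verification: scoring candidate vaults against leaked PII that users tend to embed in passwords, and discarding every candidate that disagrees with a leaked partial password. The following Python block is an added toy illustration of both distinguishers, not code from the paper and not the authors' scheme or evaluation: the PII record, the vault, the generic password pool, the PII-flavoured decoy generator and the pairwise accuracy metric (attacker sees the real vault and one decoy; 50% is the ideal) are all constructed here as assumptions. It shows why a decoy generator that ignores PII is trivially beaten and how matching the owner's PII usage in decoys pushes the attacker back toward a coin flip.

```python
"""Toy illustration of the PII-based and partial-password attacks the abstract describes.

Added example, not code from the paper.  Everything here (the PII record, the vault,
the decoy generator, the pairwise accuracy metric) is constructed for illustration
and is not the authors' scheme or their evaluation method.
"""
import random

# Constructed sample data (assumption, not from the paper).
PII = {"name": "Alice", "birthday": "19900512"}
REAL_VAULT = {  # domain -> (username, password)
    "mail.example": ("alice", "alice1990!"),
    "shop.example": ("alice_w", "Alice0512"),
    "bank.example": ("aw", "Tr0ub4dor&3"),
}
GENERIC_PASSWORDS = ["password1", "qwerty123", "letmein!", "Summer2020", "iloveyou", "dragon99"]


def pii_tokens(pii):
    """Substrings an attacker derives from leaked PII: name, birth year, month+day, yymmdd."""
    name, bday = pii["name"].lower(), pii["birthday"]
    return {name, bday[:4], bday[4:], bday[2:]}


def pii_score(vault, tokens):
    """Count (password, token) matches; a higher score makes a vault look like its owner's."""
    return sum(1 for _, pw in vault.values() for t in tokens if t in pw.lower())


def make_decoy(rng, template, pii, pii_rate):
    """Decoy vault with the same domains and usernames as the template.

    pii_rate == 0 models a PII-blind decoy generator (the weakness the abstract points at):
    decoys never contain the owner's PII, so the real vault stands out.  pii_rate > 0 gives
    each slot a PII-flavoured password with that probability, so decoys look as 'personal'
    as a typical real vault.  Stand-in generator, not the paper's scheme."""
    name, bday = pii["name"].lower(), pii["birthday"]
    pii_style = [name + bday[:4], name.capitalize() + bday[4:], bday[:4] + name]
    decoy = {}
    for domain, (user, _) in template.items():
        pool = pii_style if rng.random() < pii_rate else GENERIC_PASSWORDS
        decoy[domain] = (user, rng.choice(pool))
    return decoy


def exclude_by_partial_passwords(candidates, known):
    """Partial-password leak: keep only candidates that agree with every known (domain, password).

    No online verification is needed: a candidate whose password for a leaked domain differs
    from the leaked one cannot be the real vault."""
    return [v for v in candidates if all(v.get(d, ("", ""))[1] == pw for d, pw in known.items())]


def pairwise_accuracy(seed, trials, pii_rate, pii=PII, real=REAL_VAULT):
    """Attacker sees the real vault and one decoy and picks the higher PII score (tie: coin flip).

    Returns the fraction of trials in which the real vault is picked.  1.0 means decoys are
    trivially distinguishable; 0.5 is the ideal, where the attacker does no better than guessing."""
    rng = random.Random(seed)
    tokens = pii_tokens(pii)
    real_score = pii_score(real, tokens)
    wins = 0
    for _ in range(trials):
        decoy_score = pii_score(make_decoy(rng, real, pii, pii_rate), tokens)
        if decoy_score < real_score or (decoy_score == real_score and rng.random() < 0.5):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("real vault PII score:", pii_score(REAL_VAULT, pii_tokens(PII)))
    print("PII-blind decoys, attacker accuracy:", pairwise_accuracy(1, 2000, 0.0))
    print("PII-aware decoys, attacker accuracy:", pairwise_accuracy(1, 2000, 2 / 3))
    decoy = make_decoy(random.Random(2), REAL_VAULT, PII, 2 / 3)
    leaked = {"bank.example": REAL_VAULT["bank.example"][1]}
    print("candidates surviving a partial-password leak:",
          len(exclude_by_partial_passwords([REAL_VAULT, decoy], leaked)))
```

With PII-blind decoys the attacker's pairwise accuracy is exactly 1.0, because no decoy ever matches a PII token while the real vault matches four; with decoys that embed the owner's PII at a rate of 2/3 per slot the expected accuracy is 13/27, roughly 0.48, i.e. close to the 50% ideal the abstract refers to. The partial-password filter is independent of PII: a single leaked (domain, password) pair removes every decoy that does not reproduce it, which is why the abstract treats it as a separate leakage that the scheme must tolerate.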