Honeywords are decoy passwords that can be added to a credential database; if a login attempt uses a honeyword, this indicates that the site's credential database has been leaked. In this paper we explore the basic requirements for honeywords to be effective, in a threat model where the attacker knows passwords for the same users at other sites. First, we show that for user-chosen (vs. algorithmically generated, i.e., by a password manager) passwords, existing honeyword-generation algorithms largely fail to achieve reasonable tradeoffs between false positives and false negatives in this threat model. Second, we show that for users leveraging algorithmically generated passwords, state-of-the-art methods for honeyword generation will produce honeywords that are not sufficiently deceptive, yielding many false negatives. Instead, we find that only a honeyword-generation algorithm that uses the same password generator as the user can provide deceptive honeywords in this case. However, when the defender's ability to infer the generator from the (one) account password is less accurate than the attacker's ability to infer the generator from potentially many, this deception can again wane. Taken together, our results provide a cautionary note for the state of honeyword research and pose new challenges to the field.
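As an added illustration (not code from the paper), here is the honeyword mechanism the abstract describes: the site stores the real password among decoy "sweetwords", a separate honeychecker holds only the index of the real one, and a login that matches a decoy raises a breach alarm. All sample credentials are constructed.

```python
import hashlib
import hmac
import random

def _h(pw: str) -> str:
    # Illustrative hash only; a real deployment would use a slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()

class CredentialDB:
    """The site's database: per user, a shuffled list of hashed sweetwords
    (the real password plus its honeywords), with no marker of which is real."""
    def __init__(self):
        self.table = {}
    def enroll(self, user, real_pw, honeywords, rng):
        words = [real_pw] + list(honeywords)
        rng.shuffle(words)
        self.table[user] = [_h(w) for w in words]
        return words.index(real_pw)          # only the honeychecker keeps this
    def lookup(self, user, pw):
        digest = _h(pw)
        for i, h in enumerate(self.table.get(user, [])):
            if hmac.compare_digest(h, digest):
                return i
        return None

class HoneyChecker:
    """Separate hardened host holding only the true index per user."""
    def __init__(self):
        self.true_index = {}
    def register(self, user, idx):
        self.true_index[user] = idx
    def is_real(self, user, idx) -> bool:
        return self.true_index.get(user) == idx

def login(db, checker, user, pw) -> str:
    """'accept' for the real password, 'alarm' for a honeyword hit, else 'reject'."""
    idx = db.lookup(user, pw)
    if idx is None:
        return "reject"
    return "accept" if checker.is_real(user, idx) else "alarm"

def setup_demo():
    # Constructed sample data, not from the paper. The honeywords are simple
    # tweaks of the real password, the kind of generator the paper evaluates.
    db, checker = CredentialDB(), HoneyChecker()
    rng = random.Random(7)
    idx = db.enroll("alice", "Tr0ub4dor&3", ["Tr0ub4dor&7", "Tr0ub4dor&1", "Tr0ub4dor&9"], rng)
    checker.register("alice", idx)
    return db, checker
```

A false negative in the paper's sense is an attacker who, knowing this user's passwords elsewhere, submits the real sweetword and receives "accept" without ever triggering "alarm".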