K. Coby Wang and M. Reiter, "Bernoulli honeywords"
Decoy passwords, or "honeywords," planted in a credential database can alert a site to its breach if ever submitted in a login attempt. To be effective, some honeywords must appear at least as likely to be user-chosen passwords as the real ones, and honeywords must be very difficult to guess without having breached the database, to prevent false breach alarms. These goals have proved elusive, however, for heuristic honeyword generation algorithms. In this paper we explore an alternative strategy in which the defender treats honeyword selection as a Bernoulli process in which each possible password (except the user-chosen one) is selected as a honeyword independently with some fixed probability. We show how Bernoulli honeywords can be integrated into two existing system designs for leveraging honeywords: one based on a honeychecker that stores the secret index of the user-chosen password in the list of account passwords, and another that does not leverage secret state at all. We show that Bernoulli honeywords enable analytic derivation of false breach-detection probabilities irrespective of what information the attacker gathers about the sites' users; that their true and false breach-detection probabilities demonstrate compelling efficacy; and that Bernoulli honeywords can even enable performance improvements in modern honeyword system designs.
#arXiv #ResearchPapers #Honeywords #BernoulliHoneywords #DatabaseSecurity
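As an added illustration (not code from the paper), a small Python simulation of the Bernoulli selection described in the abstract, with a honeychecker that keeps only the secret index of the real password. The password universe, the probability p and the attacker's wrong guesses are constructed toy values, and the closed form checked here, 1-(1-p)^k for k wrong guesses by an attacker who has not breached the database, is the straightforward consequence of independent selection, not necessarily the paper's own expression.

```python
import random

def bernoulli_honeywords(universe, real_password, p, rng):
    # Bernoulli process: every candidate except the real password is kept
    # as a honeyword independently with the same fixed probability p.
    return [pw for pw in universe if pw != real_password and rng.random() < p]

def enroll(universe, real_password, p, rng=None):
    # Sweetwords = honeywords + real password, shuffled. Only the
    # honeychecker stores the index of the real one (its secret state).
    rng = rng or random.Random()
    sweetwords = bernoulli_honeywords(universe, real_password, p, rng)
    sweetwords.append(real_password)
    rng.shuffle(sweetwords)
    return sweetwords, sweetwords.index(real_password)

def check_login(sweetwords, secret_index, submitted):
    # Returns (authenticated, breach_alarm). Matching a sweetword other
    # than the real password is evidence the database was breached.
    if submitted not in sweetwords:
        return False, False
    if sweetwords.index(submitted) == secret_index:
        return True, False
    return False, True

def analytic_false_alarm(p, k):
    # Each of k wrong guesses is a honeyword independently with probability
    # p, regardless of how the attacker chose those guesses.
    return 1 - (1 - p) ** k

def empirical_false_alarm(universe, real_password, wrong_guesses, p, trials, seed=1):
    # Fraction of fresh enrollments in which an unbreached attacker's
    # wrong guesses trip the alarm (guessing stops at the first alarm).
    rng = random.Random(seed)
    alarms = 0
    for _ in range(trials):
        sweetwords, idx = enroll(universe, real_password, p, rng)
        if any(check_login(sweetwords, idx, g)[1] for g in wrong_guesses):
            alarms += 1
    return alarms / trials

# Constructed toy universe; in practice this is the space of plausible
# human-chosen passwords, not 200 numbered strings.
UNIVERSE = [f"password{i}" for i in range(200)]
REAL = "password7"
WRONG = ["password1", "password2", "password3", "password4", "password5"]

if __name__ == "__main__":
    print(analytic_false_alarm(0.1, len(WRONG)))
    print(empirical_false_alarm(UNIVERSE, REAL, WRONG, 0.1, 4000))
```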
I don't have many resources to bounce ideas or questions off outside Google.
Is using the MSSQL crypto function ENCRYPTBYKEY to store passwords an OK standard? Or bad bad?
The client app has the PW for the symmetrical key hardcoded in it.
This seems and feels wrong to me?
#infosec #mssql #databasesecurity
Big news! Andreas Wolter shared: the #AzureSQL Database #STIG was released today.
Download from the DISA website: https://public.cyber.mil/stigs/downloads/ #DatabaseSecurity #DoD
Various PostgreSQL pentesting and logging notes (written before working on a new project) that I decided to share.
Logging: https://hannahsuarez.github.io/2020/Purple-Team-Logging-Postgresql-Database-Servers/
Links to Pentesting Resources and other Notes for PostgreSQL: https://hannahsuarez.github.io/2020/Purple-Team-Pentesting-Postgres/
#databasesecurity #developer #postgresql
WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers https://thehackernews.com/2020/04/backdoor-.html #databasesecurity #databasehacking #cryptocurrency #windowsmalware #Malwareattack #MSSQLhacking #CyberAttack #hackingnews #MySQL
Marriott Suffers Second Breach Exposing Data of 5.2 Million Hotel Guests https://thehackernews.com/2020/03/marriott-data-breach.html #MarriottInternational #hotelreservations #databasesecurity #cybersecurity #CyberAttack #databreach #Privacy
User Survey 2020 Report Shows Rapid Growth In Apache Pulsar Adoption https://thehackernews.com/2020/03/apache-pulsar-application.html #cybersecuritysurvey #databasesecurity #ApachePulsar
Virgin Media Data Leak Exposes Details of 900,000 Customers https://thehackernews.com/2020/03/virgin-media-data-breach.html #databasesecurity #Telecomcompany #Telecomhacking #VirginMobile #hackingnews #VirginMedia #databreach #dataleaked
A Massive U.S. Property and Demographic Database Exposes 200 Million Records https://thehackernews.com/2020/03/us-property-records-database.html #databasebreached #databasesecurity #cybersecurity #databreach #dataleaked
App Used by Israel's Ruling Party Leaked Personal Data of All 6.5 Million Voters https://thehackernews.com/2020/02/Israeli-voter-data-leaked.html #databasesecurity #electionsoftware #electionhacking #websitesecurity #databaseleaked #cybersecurity #electionapp #databreach #Israel