傳統密碼，為現今網路社會最為普遍且重要的認證機制，然而隨著網路技術的發展，以及使用者經常選擇強度較為低弱的密碼以便於記憶，因此近年來密碼破解事件層出不窮，造成密碼檔案資料外洩，並且不容易被偵測到，形成極大的損失。要如何避免密碼檔案被破解，以及在密碼檔案洩漏後能夠偵查到，已經成為重要的資訊安全議題。日前，Juels 和 Rivest發表了關於密碼誘捕的論文，利用一個帳號搭配多組密碼來達到偵測非法入侵的效果。本研究探討了相關的密碼破解技術、密碼相關政策，並改良了密碼誘捕方式，提出一種新的密碼儲存方式─對映式密碼系統，將密碼以隨機排序的方式儲存，使密碼檔案既使被竊取，攻擊者也無法得知正確的密碼。不但可以減少儲存密碼額外成本，亦能夠保留密碼入侵偵測。我們將此設計實際運用於現有版本的OpenLDAP Server上，證明其可行性。

The use of traditional password is the most common and important authentication credential for today's online society. However, with the fast development of network technology and easily memorized and guessed password with low strength, password cracking events frequently occur. Consequently, the password files are leaked. The events are not easily to be detected and it results in great business losses. How to avoid password cracking and detect the event of stolen password file has become an important information security issues. Recently, Juels and Rivest published a paper about Honeyword system using one account with multiple passwords for detection of illegal intrusions. Our research explores the relevant password cracking technology and password-related policy. Accordingly, our research improves the Honeyword system proposing a new password storage mapping method by arranging passwords in a random order. If the password file is stolen, an attacker could not know any user’s correct password. This method can reduce additional space of storing passwords with ability to detect security event for stolen password files. We apply our method to the latest version of OpenLDAP Server to prove its feasibility.

[1] Fei Yu and Yulei Huang, “An Overview of Study of Passowrd Cracking,” in Proceedings of the 2015 International Conference on Computer Science and Mechanical Automation, DC, USA, pp. 25-29, 2015.
[2] Jaroslav Kadlec, David Jaros and Radek Kuchta., “Implementation of an Advanced Authentication Method Within Microsoft Active Directory Network Services,” in Proceedings of the 2010 6th International Conference on Wireless and Mobile Communications, DC, USA, pp. 38-41, 2010.
[3] 黃泓瑜, “【2017資安趨勢】資料外洩事件翻倍暴增，金融成竊資首選,” [Online]. Available: http://www.ithome.com.tw/news/111218. [Accessed 2017/05/13].
[4] M. Weir, S. Aggarwal, B. d. Medeiros and B. Glodek., “Password cracking using probabilistic context-free grammars,” IEEE Symposium on Security and Privacy, pp. 391–405, Oakland, California, USA, 2009.
[5] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor and J. Lopez, “Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms.,” IEEE Symposium on Security and Privacy, pp. 523–537, San Francisco Bay Area, California, USA, 2012.
[6] “Password cracking. Web Site,” [Online]. Available: www.golubev.com/hashgpu.htm. [Accessed 2016/08/24].
[7] A. Juels and R. L. Rivest, “Honeywords: Making password-cracking detectable,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 145–160, Berlin, Germany,2013.
[8] Keeper, “What the Most Common Passwords of 2016 List Reveals”, [Online]. Available: https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/. [Accessed 2017/05/24].
[9] William E. Burr, Donna F. Dodson, and W. Timothy Polk., “Electronic Aut hentication Guideline – NIST Special Publication 800-63.”, Technical report, National Institute of Standards and Technology, 2006.
[10] Paul A. Grassi, James L. Fenton., Elaine M. Newton, Ray A. Perlner., Andrew R. Regenscheid, William E. Burr. and Justin P. Richer, “Digital Identity Guidelines(draft). ” NIST Special Publication 800-63, 2017.
[11] Hans Graux and Jarkko Majava., “eID Interoperability for PEGS (Pan-European eGovernment services) – Proposal for a multi-level authentication mechanism and a mapping of existing authentication mechanisms,” Technical report, EU IDABC (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens.), 2007.
[12] OWASP., “OWASP Top 10 for 2017 Release Candidate.” [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2017_Release_Candidate. [Accessed 2017/05/15].
[13] Adams A and Martina Angela Sasse., “Users are not the enemy,” Communications of the ACM , pp.40-46, NY, USA, 1999.
[14] Anne Adams, Martina Angela Sasse and Peter Lunt., “Making passwords secure and usable,” in Proceedings of HCI on People and Computers XII, pp1-19, London, UK, 1997.
[15] M. A. Sasse, S. Brostoff and D. Weirich, “Transforming the ‘weakest link’—a human/computer interaction approach to usable and effective security,” BT technology journal, vol. 19, no. 3, pp. 122-131, 2001.
[16] L. Tam, M. Glassman and M. Vandenwauver, “The psychology of password management: a tradeoff between security and convenience,” Behaviour & Information Technology, vol. 29, no.3, pp. 233-244, 2010.
[17] Imran Erguler, “Achieving Flatness: Selecting the Honeywords from Existing User Passwords,” IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 284-295, 2016.
[18] OpenLDAP, “OpenLDAP Software 2.4 Administrator's Guide” [Online]. Available: https://www.openldap.org/doc/admin24/index.html. [Accessed 2017/06/15].
[19] David Malone and Kevin Maher “Investigating the distribution of password choices”, in Proceedings of the 21st international conference on World Wide Web, pp 301-310, Lyon, Franc, 2012.
[20] Facebook , “如何加強Facebook密碼強度？,” [Online]. Available: https://www.facebook.com/help/124904560921566?helpref=topq. [Accessed 2017/06/18].
[21] Microsoft, “密碼必須符合複雜性需求” [Online]. Available: https://msdn.microsoft.com/zh-tw/library/cc786468(v=ws.10).aspx. [Accessed 2017/06/18].
[22] 黃明祥、林詠章(2014)。“資訊與網路安全概論”。台北市：東華書局
[23] Gemalto, “Findings from the 2016 BREACH LEVEL INDEX.” [Online]. Available: http://breachlevelindex.com/assets/Breach-Level-Index-Report-2016-Gemalto.pdf. [Accessed 2017/07/01].
[24] 紀品志, “經常換密碼真的比較安全嗎？” [Online]. Available: https://www.bnext.com.tw/article/40638/bn-2016-08-17-035127-216. [Accessed 2017/07/19].