Password Guessing-Based Legacy-UI Honeywords Generation Strategies for Achieving Flatness

The legacy-UI honeywords generation approach is more favored due to its high usability compared to the modified-UI approach that sometimes becomes unusable in practice. However, several prior arts on legacy-UI based honeywords generation methods often fail to obtain the security standard, especially the flatness criterion. In this work, we propose two legacy-UI honeywords generation strategies based on two password guessing methods: PassGAN and Probabilistic Context-Free Grammar (PCFG). Besides, we also introduce two hybrid strategies by combining PassGAN, PCFG, and random-based methods. We empirically examine the flatness of the proposed honeywords generation strategy against Top Password (Top-PW) attack using real-world datasets, instead of only providing heuristic security arguments. The experiment results show that three of the proposed methods (the PassGAN-based and the two hybrid methods) have lower flatness value than all previous legacy-UI methods and able to meet the "perfectly flat" criterion.