Incentivizing Collaboration for Detection of Credential Database Breaches

Abstract

Decoy passwords, or ``honeywords,'' alert a site to its breach if entered in a login attempt on that site. However, an attacker can identify a user-chosen password from among the decoys, without alerting the site to its breach, via credential stuffing, i.e., entering the stolen passwords at another site where a user reused her password. Prior work thus proposed that sites monitor for the entry of their honeywords at other sites, but the incentives for sites to participate in this monitoring remain unclear. In this paper, we propose and evaluate an algorithm by which sites can exchange monitoring favors. Through a model-checking analysis, we show that a site can improve its ability to detect its own breach when it increases the monitoring effort it expends for others. We quantify how key parameters impact detection effectiveness and their implications for deploying a monitoring ecosystem. Finally, we evaluate our algorithm on a breached credential dataset, demonstrating effectiveness at scale.