Lethe: Practical Data Breach Detection with Zero Persistent Secret State

2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)(2022)

Cited by 1 | Viewed 12 times
Abstract
Honeywords are false passwords associated with each user account. Logging in with a honeyword sets off an alarm, because it means the password database has been breached. Existing approaches to detecting data breaches with honeywords require a trusted component that can tell the honeywords from the valid password. Once this trusted component is compromised, honeywords offer no help in detecting or mitigating a breach. In this paper, we present Lethe, a honeywords-based data-breach detection system that requires no trusted components other than a trusted bootstrap, and keeps only limited transient state for verifying login attempts. Lethe is based on two fundamental principles. First, Lethe generates honeywords using a Machine Learning (ML) model that constantly evolves. An attacker who compromises the Honeyword Generation Technique (HGT) therefore cannot reproduce the same set of honeywords, and so cannot tell which password was used as the initial generator. In particular, Lethe is the first system that allows an attacker to fully compromise the HGT without affecting the security of already generated honeywords. Second, Lethe is not aware of the valid password: the only party that knows the actual password is the user who selected it in the first place. Lethe records login events without storing the password that was used anywhere. These login events can later be replayed on another server, which checks whether, for a particular user, at least two different passwords were used, and thereby detects a data breach. Lethe detects a data breach deterministically rather than probabilistically, as similar approaches do. Additionally, Lethe can detect breaches that affect rarely used accounts: it can raise an alarm even when the compromised account has logged in to the system only once. This is in contrast to other efforts that require legitimate users to authenticate with the system after the attacker has done so in order to detect the breach. To demonstrate the effectiveness of Lethe, we provide a fully functional prototype, along with the ML-based HGT, and assess the provided security against a set of diverse attackers.
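The detection rule stated above (a breach is declared as soon as two different passwords have been used for one account, even if the legitimate user logged in only once) can be illustrated with a small replay checker. The code below is an added toy model, not Lethe's implementation or the paper's prototype. The sweetword lists, user names and passwords are constructed sample data, and the event encoding is an assumption: the abstract does not say how Lethe records a login without keeping the password, and the plain SHA-256 digest used here as a stand-in would let anyone holding the stolen sweetword list test each decoy against it, so it only serves to show the replay logic.

```python
import hashlib
from collections import defaultdict
from typing import Iterable

# Constructed sweetword file as an attacker would steal it: per user, the real
# password shuffled among decoys.  Nothing in the file marks which one is real.
STOLEN_SWEETWORDS = {
    "alice": ["corr3ct-horse", "correct-horse", "correct-h0rse", "korrect-horse"],
    "bob":   ["tr0ub4dor&3", "tr0ub4dour&3", "troub4dor&3", "tr0ubador&3"],
}


def record_event(user: str, password: str) -> tuple[str, str]:
    """A login event: the user and a one-way digest of the submitted password.

    ASSUMPTION (illustration only): a bare SHA-256 digest.  Anyone holding the
    sweetword list could hash each decoy and compare, so this is not a
    substitute for Lethe's real event encoding, which the abstract does not
    describe.  It is enough to show the replay rule below.
    """
    return user, hashlib.sha256(password.encode()).hexdigest()


def replay(events: Iterable[tuple[str, str]]) -> dict[str, set[str]]:
    """Replay recorded events on the checking server: distinct digests per user."""
    seen: dict[str, set[str]] = defaultdict(set)
    for user, digest in events:
        seen[user].add(digest)
    return seen


def breached_accounts(events: Iterable[tuple[str, str]]) -> set[str]:
    """Deterministic rule: an account is breached if two different passwords
    were ever used for it.  No statistics, no threshold, no trusted index."""
    return {user for user, digests in replay(events).items() if len(digests) >= 2}


def scenario_single_login_then_attacker() -> set[str]:
    """alice logs in exactly once; later the attacker tries a stolen sweetword.

    The attacker cannot tell the real password from the decoys, so the pick is
    fixed here to a decoy.  bob logs in twice with the same password, which
    must not trigger anything.
    """
    events = [
        record_event("alice", "correct-horse"),                # legitimate, real password
        record_event("bob", "tr0ub4dor&3"),                    # legitimate
        record_event("bob", "tr0ub4dor&3"),                    # same user, same password: fine
        record_event("alice", STOLEN_SWEETWORDS["alice"][0]),  # attacker picks a decoy
    ]
    return breached_accounts(events)


def scenario_attacker_guesses_right() -> set[str]:
    """Residual risk common to every honeyword scheme: if the attacker happens
    to pick the real password among the sweetwords, no second distinct password
    appears and the rule stays silent."""
    events = [
        record_event("alice", "correct-horse"),
        record_event("alice", "correct-horse"),  # attacker's lucky guess
    ]
    return breached_accounts(events)


if __name__ == "__main__":
    print("breached after decoy login:", scenario_single_login_then_attacker())
    print("breached after lucky guess:", scenario_attacker_guesses_right())
```

The first scenario is the property the abstract emphasises: one legitimate login before the attack is enough, because the attacker's decoy login produces a second distinct event for the same account, with no legitimate login needed afterwards. The second scenario is the usual honeyword caveat, not something specific to Lethe: detection is deterministic once a decoy is used, but an attacker who guesses the real sweetword is not caught by this rule.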
Keywords
honeyword, decoy password, password, data breach detection