On the Insecurity of Internally Sampled Honeyword Schemes
info · research · Peer-Reviewed
security
Source: IEEE Xplore (Security & AI Journals) · April 23, 2026
Summary
Honeywords are fake passwords (decoys) stored alongside real passwords to detect when password databases are leaked. This research reveals critical security flaws in honeyword schemes that generate decoys by sampling from actual user passwords (internal sampling), showing that attackers can distinguish real passwords from decoys with success rates of 3.82%–44.8% depending on their capabilities, which exceeds the intended security target of 2.50%.
Classification
Attack Sophistication: Moderate
Original source: http://ieeexplore.ieee.org/document/11494073
First tracked: May 8, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%