Sweet Password Security Strategy: Honeywords

Published: 22/11/2024   Category: security




To improve detection of password-database breaches, businesses should store multiple fake passwords alongside each real one and monitor login attempts for their use, according to researchers at security firm RSA.



Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials, to detect whether attackers have stolen stored user information.

That's the thinking behind the "honeywords" concept, first proposed in May 2013 in "Honeywords: Making Password-Cracking Detectable", a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest, who co-invented the RSA algorithm (he's the "R").

The term "honeywords" is a play on "honeypot", which in the information security realm refers to creating fake servers and then learning how attackers attempt to exploit them, in effect using them to help detect more widespread intrusions inside a network.

"[Honeywords are] a simple but clever idea," said Bruce Schneier, chief security technology officer of BT, in a blog post. "Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file."

The honeywords concept is also elegant because any attacker who's able to steal a copy of a password database won't know which of the entries it contains are real and which are fake. "An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword," Juels and Rivest pointed out. "The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the 'honeychecker') can distinguish the user password from honeywords for the login routine and will set off an alarm if a honeyword is submitted."
The researchers recommend honeywords as a step beyond creating fake accounts. "Sometimes administrators set up fake user accounts ('honeypot accounts') so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to log in," they said. "Since there is really no such legitimate user, the adversary's attempt is reliably detected when this occurs." But they said that attackers may find viable techniques for spotting bogus accounts.

Accordingly, they recommend adding multiple fake passwords to every user account and building a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. "This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password," they said.

A single honeyword hit does not by itself mean that the password database has been compromised: an attacker may simply be running online password-guessing attacks against the login form and happen to land on a honeyword. On the other hand, if numerous login attempts are made using honeywords, or if honeyword login attempts are made against admin accounts, then it is far more likely that the password database has been stolen and cracked offline.
One benefit of the RSA researchers' approach is that businesses could improve their security posture without any user intervention. "Honeywords aren't visible to users and don't in any way change their experience when they log in using passwords," reads a related FAQ.

The researchers acknowledge that attackers might try to subvert the system by launching a denial-of-service attack against the honeychecker server, so that no login can be verified. For that case they describe a failsafe policy: if the honeychecker becomes unavailable, temporarily accept any sweetword (real password or honeyword) as a valid login rather than locking every user out. The trade-off is deliberate: the site stays up, but detection is suspended until the honeychecker is restored, so logins accepted during the outage should be recorded and reviewed afterwards.
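The following is an added example of the scheme described above (the split between the login server holding k hashed sweetwords and the honeychecker holding only the index of the real one, the alarm on a honeyword login, the "one hit versus many or admin hits" triage, and the fail-open policy when the honeychecker is unreachable). It is not code from the Juels/Rivest paper or from RSA; the class names, the choice of k=5 sweetwords, the PBKDF2 parameters, the "tweak the last three characters" honeyword generator and the demo password are all assumptions made for the illustration.

```python
import hashlib
import hmac
import random
import secrets
import string

# Added demo of the honeywords scheme; not code from the paper or from RSA.
# K, the PBKDF2 settings, TAIL and all names below are assumptions for the demo.
K = 5                       # sweetwords per account: 1 real password + K-1 honeywords
PBKDF2_ITERATIONS = 10_000  # kept low so the demo runs quickly; raise in production
TAIL = 3                    # number of trailing characters the chaffing step tweaks


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256), as the article recommends."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def tweak_tail(password: str, n: int) -> list:
    """Chaffing by tweaking: swap the last TAIL characters for random ones of the
    same class, so honeywords look as plausible as the real password."""
    if not password:
        raise ValueError("empty password")
    honeywords = set()
    while len(honeywords) < n:
        chars = list(password)
        for pos in range(max(0, len(chars) - TAIL), len(chars)):
            c = chars[pos]
            if c.isdigit():
                chars[pos] = secrets.choice(string.digits)
            elif c.isalpha():
                chars[pos] = secrets.choice(string.ascii_lowercase if c.islower()
                                           else string.ascii_uppercase)
            else:
                chars[pos] = secrets.choice(string.punctuation)
        candidate = "".join(chars)
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)


def make_sweetwords(password: str):
    """Mix the real password into K-1 honeywords at a random position."""
    sweetwords = tweak_tail(password, K - 1) + [password]
    random.SystemRandom().shuffle(sweetwords)
    return sweetwords, sweetwords.index(password)


class Honeychecker:
    """Auxiliary server: knows only the index of the real password per user."""
    def __init__(self):
        self._index = {}
        self.alarms = []          # (user, index) for every honeyword submitted
        self.available = True     # flipped to False to simulate a DoS on the checker

    def set_index(self, user: str, i: int) -> None:
        self._index[user] = i

    def check(self, user: str, i: int) -> bool:
        if not self.available:
            raise ConnectionError("honeychecker unreachable")
        if self._index[user] == i:
            return True
        self.alarms.append((user, i))   # honeyword submitted: raise the alarm
        return False


class PasswordStore:
    """Login server: holds K salted hashes per user and cannot tell which is real."""
    def __init__(self, checker: Honeychecker):
        self.checker = checker
        self.rows = {}
        self.failsafe_logins = []   # logins accepted while the checker was down

    def register(self, user: str, sweetwords: list, real_index: int) -> None:
        salt = secrets.token_bytes(16)
        self.rows[user] = {"salt": salt, "hashes": [derive(w, salt) for w in sweetwords]}
        self.checker.set_index(user, real_index)

    def login(self, user: str, attempt: str) -> str:
        row = self.rows[user]
        h = derive(attempt, row["salt"])
        matches = [i for i, s in enumerate(row["hashes"]) if hmac.compare_digest(h, s)]
        if not matches:
            return "fail"             # ordinary wrong guess: not a sweetword at all
        try:
            return "ok" if self.checker.check(user, matches[0]) else "honeyword"
        except ConnectionError:
            # Failsafe policy: with the checker down, accept any sweetword rather
            # than lock everyone out, but record the login for later review.
            self.failsafe_logins.append(user)
            return "ok"


def cracked_candidates(row: dict, guesses: list) -> list:
    """Attacker's view after stealing the file and inverting the hashes: every
    sweetword matches, leaving K plausible passwords and no way to tell them apart."""
    return [g for g in guesses if derive(g, row["salt"]) in row["hashes"]]


def triage(alarms: list, admins: set, threshold: int = 3) -> str:
    """One hit may be online guessing; many hits or an admin hit points to theft."""
    if any(u in admins for u, _ in alarms) or len(alarms) >= threshold:
        return "likely: password database stolen and cracked offline"
    return "possible: online guessing against the login form"


if __name__ == "__main__":
    checker, store = Honeychecker(), PasswordStore(Honeychecker())
    store.checker = checker
    words, real = make_sweetwords("summer2013")   # constructed demo password
    store.register("alice", words, real)
    print("attacker's candidates:", cracked_candidates(store.rows["alice"], words))
    print(store.login("alice", "summer2013"), store.login("alice", words[(real + 1) % K]))
    print(checker.alarms, "->", triage(checker.alarms, {"root"}))
```

The login server never learns which index is real, so a copy of its database is exactly as useless to an attacker as the article describes; only the honeychecker, which stores no hashes at all, can turn a matched index into "ok" or "alarm". Note that `failsafe_logins` is what makes the fail-open policy auditable: once the checker is back, those entries can be re-checked against it.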
Honeywords aren't meant to serve as a replacement for good password-storage practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised. In April 2013, for example, LivingSocial said that attackers stole information relating to 50 million users, and stolen passwords were reportedly published in underground forums; two state attorneys general are now investigating. In March 2013, meanwhile, Evernote reset all 50 million users' passwords after the company's security team discovered and blocked suspicious activity on the Evernote network.

Those are hardly isolated incidents. In the space of a single week in June 2012, password hashes belonging to 6.5 million LinkedIn, 1.5 million eHarmony and an estimated 17 million Last.fm users were uploaded to hacking forums. Although security experts suspect the passwords may have been stolen as early as 2010 or 2011, the affected businesses appeared to learn about the breaches only after the hashes were posted.
Many businesses, including Evernote, protected stored passwords with fast, general-purpose hash algorithms (what the article calls "encryption"), sometimes with a salt added. A salt stops precomputed tables but does nothing to slow an attacker who can test billions of guesses per second against a leaked hash, so that approach is weak against offline cracking. Password-security experts have long recommended that businesses use built-for-purpose password hashing algorithms such as bcrypt, scrypt or PBKDF2, which, if properly configured with a high work factor, make each guess expensive and are therefore much more resistant to brute-force attacks.

Regardless, no password storage scheme is foolproof. That's why an early-warning system such as honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have finished cracking the stolen hashes and put the results to use.