'Honeywords' can dupe password thieves
- By Kevin McCaney
- May 08, 2013
Agency admins looking for another way to foil hackers could consider a simple but potentially effective technique: fake passwords applied to users’ accounts that would trigger an alert if a hacker used one to try to gain access.
In a recent research paper, Ari Juels, chief scientist at RSA, and Ron Rivest, MIT professor and the R in RSA, suggested using what they call “honeywords” in an approach similar to the decoy “honeypot” accounts designed to detect attacks and lure attackers into a controlled environment.
Hackers who break into a network often steal lists of user names and passwords. And although the passwords typically are cryptographically hashed, hackers can set about cracking them and then return to access the network. The tactic has been a common element in cyber espionage and several high-profile attacks in recent years.
“An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword,” the authors write. “The attempted use of a honeyword for login sets off an alarm.”
Multiple passwords could be applied to each account, but only one of them would be legitimate. A secured auxiliary server, which they call a honeychecker, would keep track of the honeywords and identify if one of them is used. Admins could set up the honeychecker to either block access if a honeyword is used or allow the attacker to continue, perhaps to a honeypot. Either way, the admins would be aware of the attempt.
“This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password,” they write.
Juels and Rivest presented their idea as a potential alternative to making hashes more complex, which slows the authentication process for legitimate users, and to using honeypot accounts, which they said can be more easily detected because they have no legitimate user.
If nothing else, such a system could help organizations identify attacks more quickly. Ross Barrett, senior manager of security engineering at Rapid7 told PCWorld that the average time before an attack is detected is six months.
Passwords are a famously weak measure of security, not least because of people’s habit of choosing easily remembered — and easily cracked — passwords. And although efforts are afoot to do away with them altogether, they are likely to be in use for some time, so hackers will go after them. (Millions of stolen user lists end up posted online every year, and become the source of annual lists of bad passwords.) A honeyword approach to detecting and deterring attacks could be a useful extra layer of security.