May 16 2013

Honeywords: Password Security Gets a Little Sweeter

Researchers are proposing a new method of spiking the password punch as a way to identify hackers.

If you can catch more flies with honey, then it might make sense to catch hackers with "honeywords."

Researchers Ari Juels from RSA Labs and Ronald L. Rivest from MIT put together a paper that floats an idea that would have companies purposely inserting false passwords, which they call honeywords, into their databases, allowing those passwords to activate an alert if a hacker has gained access to the databases, reports PC World.

In their paper, the two IT security experts give a brief explanation of how the method would work:

We suggest a simple method for improving the security of hashed passwords: the maintenance of additional "honeywords" (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword.

The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

Although honeywords won’t prevent data breaches or hacks, they can be identified faster with honeywords in place. This is critical, because a breach that goes undetected can expose organizations to untold damages.

In a way, honeywords would be the cryptographic equivalent of the die packs that banks use to alert authorities and identify criminals.

But what happens if a user types in the wrong password and sets off a honeyword by accident? Juels and Rivest recommend using different password tails to prevent such a mix-up from happening:

With tail-tweaking, it could thus be helpful if the password tail were quite different from the honeyword tails, so a typing error won't turn the password into a honeyword. (The honeyword tails should also be quite different from each other, so the password doesn't stand out as the "sweetword" that is the "most different" from the others.)

While the use of honeywords is hardly a foolproof idea, it does take the forward-thinking view that breaches will happen, so strive to diminish the damage as quickly as possible.

If honeywords help databases identify breaches, your company could become “smarter than the average bear.”