Computer Security: ‘Honeywords’: Creating a Fake Password Honeypot

Hacked accounts and stolen passwords are a nuisance to consumers—and they can be extremely costly if not detected early on as part of a computer security policy. For companies, if their database (with all their passwords) gets hacked, it may very well spell disaster. Just think about the LinkedIn hack—Russian cybercriminals making off with the passwords to 6.5 million user accounts. Ouch.

To protect themselves, companies and service providers have routinely adopted the strategy of using ever-more-complex passwords. On top of that, firms have used ‘salting’ and ‘hashing’ techniques to protect their password databases. This means that when a password gets stolen, it will be changed automatically by an algorithm, foiling the evil-doers. So no harm can be done, right? Well, that’s the theory. When the system detects a breach, hashing is activated. And when a security breach has been discovered, companies will normally decide to change all the passwords. Just in case.

But now we’re getting to the heart of the problem: many security breaches are not detected. And how could they be? Some malicious code can intercept and reverse the hashing algorithms.

One trick that has been used in the past was the creation of fake accounts, so-called ‘honey accounts’. They are monitored, and whenever one of them is used, it is clear that the passwords have been stolen. Unfortunately, it has become rather easy for hackers to find out which accounts are fake.

Now researchers Ari Juels from RSA Labs and Ronald L. Rivest from MIT have come up with a simple but quite clever idea: honeywords, or fake passwords. A large number of these are inserted into the password database. The user won’t notice a thing—they exist only to catch hackers. A so-called ‘honeychecker’ server monitors all the honeywords, and whenever one of them is used in an attempt to access an account, an alarm is sent to the company. (The honeywords don’t actually work, of course; they are fake.)

The company then knows that its security has been breached and can take appropriate steps. However, the honeywords must be very cleverly thought out—they must be different enough from the real passwords so that a typo won’t set off the alarm, but they must be similar enough to passwords to be able to fool a potential hacker.
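As an added illustration of the scheme described in the two paragraphs above (example code, not the researchers’ implementation): the password store keeps salted hashes of the real password plus several honeywords in shuffled order, a separate honeychecker knows only which slot is real, and registration refuses honeywords within typo distance of the real password. The minimum edit distance of 2 and all user data are constructed assumptions of this example.

```python
import hashlib
import secrets
def edit_distance(a, b):  # Levenshtein distance: keeps honeywords out of typo range
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class HoneyChecker:  # separate server: knows only which index is the real password
    def __init__(self):
        self._real, self.alarms = {}, []
    def set_real(self, user, idx):
        self._real[user] = idx
    def check(self, user, idx):
        if self._real[user] != idx:
            self.alarms.append(user)  # a honeyword was presented: the DB has leaked
        return self._real[user] == idx

class PasswordStore:  # salted hashes of the real password plus honeywords, shuffled
    def __init__(self, checker, min_distance=2):  # threshold is an assumption
        self.checker, self.min_distance, self.rows = checker, min_distance, {}
    def register(self, user, password, honeywords):
        if any(edit_distance(password, h) < self.min_distance for h in honeywords):
            raise ValueError("honeyword within typo distance of the real password")
        sweetwords = honeywords + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide which slot is real
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_real(user, sweetwords.index(password))
    def login(self, user, attempt):
        salt, hashes = self.rows[user]
        h = hash_pw(attempt, salt)
        for idx, stored in enumerate(hashes):
            if secrets.compare_digest(h, stored):
                return "ok" if self.checker.check(user, idx) else "alarm"
        return "denied"  # ordinary wrong password or typo: no alarm

def demo():  # constructed sample data: the real password, a typo, then a honeyword
    checker = HoneyChecker()
    store = PasswordStore(checker)
    store.register("alice", "Summer2019!", ["Winter2017!", "Autumn2021?", "Spring1998#"])
    tries = ["Summer2019!", "Summer2019?", "Winter2017!"]
    return [store.login("alice", t) for t in tries], list(checker.alarms)
```

A plain typo (“Summer2019?”) is simply denied, while presenting a honeyword raises the alarm; only the honeychecker, which never sees a password, can tell the slots apart.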

Honeywords aren’t perfect: DOS (Denial of Service) attacks can be used to get around them. But they’re one more (tempting-but-sticky) stumbling block for hackers.