{"id":238,"date":"2013-05-09T00:00:00","date_gmt":"2013-05-09T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/09\/sweet-password-security-strategy-honeywords\/"},"modified":"2021-12-30T11:36:49","modified_gmt":"2021-12-30T11:36:49","slug":"sweet-password-security-strategy-honeywords","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/09\/sweet-password-security-strategy-honeywords\/","title":{"rendered":"Sweet Password Security Strategy: Honeywords"},"content":{"rendered":"<p>Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. The term &#8220;honeywords&#8221; is a play on &#8220;honeypot,&#8221; which in the information security realm refers to creating fake servers and then learning how attackers attempt to exploit them &#8212; in effect, using them to help detect more widespread intrusions inside a network. 
The honeywords concept is also elegant because any attacker who&#8217;s able to steal a copy of a password database won&#8217;t know if the information it contains is real or fake. An auxiliary server (the &#8220;honeychecker&#8221;) can distinguish the user password from honeywords for the login routine and will set off an alarm if a honeyword is submitted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Sometimes administrators set up fake user accounts (&#8220;honeypot accounts&#8221;) so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to login,&#8221; they said.<\/p>\n<p style=\"margin: 0px;\">Accordingly, they recommend adding multiple fake passwords to every user account and creating a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. &#8220;This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password,&#8221; they said.<\/p>\n<p style=\"margin: 0px;\">On the other hand, if numerous attempted logins are made using honeywords, or if honeyword login attempts are made to admin accounts, then it&#8217;s more likely that the password database has been stolen. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users&#8217; passwords have been compromised. 
But that approach is insecure, and password-security experts have long recommended that businesses use built-for-purpose password hashing algorithms such as bcrypt, scrypt or PBKDF2, which if properly implemented are much more resistant to brute-force attacks.<\/p>\n<p style=\"margin: 0px;\">That&#8217;s why an early warning system such as the use of honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have time to put the stolen information to use.<\/p>\n<p style=\"margin: 0px;\">Link: <a href=\"http:\/\/www.informationweek.com\/security\/intrusion-prevention\/sweet-password-security-strategy-honeywo\/240154334\">http:\/\/www.informationweek.com\/security\/intrusion-prevention\/sweet-password-security-strategy-honeywo\/240154334<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-238","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{
"id":2725,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions\/2725"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}