IT World Canada

Sweetening password defences with honey

Passwords are one of the banes of an IT manager’s life.

In addition to keeping track of them, administrators also have to ensure passwords are strong and find a way to stop hackers from breaking into systems, stealing the password list and using it against the organization.

The most common approach is to hash the passwords. But a recent academic paper suggests borrowing from the idea of a honey trap: create a list of honeywords – false passwords – associated with each person’s account, to lure a hacker who manages to steal the list.

Use a honeyword to log in to the system and it sets off an alarm.

“A successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected,” write the authors, Ari Juels of RSA Labs and Ronald Rivest of MIT.

One way to look at it: if each legitimate password has a single honeyword counterpart, the odds of an attacker being detected are 50-50. If there is more than one honeyword per real password, the odds increase.

For this defence to work, the organization needs a “honeychecker”: an application database on a separate, secure server that checks whether a submitted password is the real one.
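As an added illustration of the scheme described above (example code, not from the article or from the Juels and Rivest paper), a toy login flow: the password file holds the real password shuffled among hashed honeywords, while a separate honeychecker holds only the index of the real one, so presenting a honeyword trips an alarm. The class and function names, the PBKDF2 hash and the sample accounts are all constructed for the example; `detection_odds` gives the (k-1)/k chance that a random pick from k stored words is detected, which is the 50-50 case for one honeyword.

```python
# Added example: toy honeyword login flow. The login server keeps k
# "sweetwords" per account (real password + k-1 honeywords, all hashed);
# a separate honeychecker stores only WHICH index is the real one.
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Constructed: PBKDF2 stands in for whatever hash the site already uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Honeychecker:
    """Separate hardened server: maps username -> index of the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []
    def set(self, user, idx):
        self._index[user] = idx
    def check(self, user, idx):
        # True only for the genuine index; any other matching index means a
        # honeyword was submitted, so record an alarm for this account.
        if idx == self._index[user]:
            return True
        self.alarms.append(user)
        return False

class PasswordFile:
    """Main login server: stores k hashed sweetwords per user, shuffled."""
    def __init__(self, checker):
        self.checker = checker
        self.records = {}
    def enroll(self, user, password, honeywords):
        salt = os.urandom(16)
        sweetwords = [password] + list(honeywords)
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real position
        self.records[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))
    def login(self, user, attempt):
        salt, hashes = self.records[user]
        h = _hash(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return self.checker.check(user, idx)
        return False  # plain wrong password: no match, no alarm

def detection_odds(k):
    # Attacker who cracked the file and picks 1 of k sweetwords at random.
    return (k - 1) / k
```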

The advantage of the honeyword concept is it protects all users, the authors argue, because every password has a honeyword — or multiple honeywords — counterpart.

Honeywords can be incorporated into existing password systems with few system changes and little overhead in computation and communication, argue Juels and Rivest. One thing, though – the honeywords have to look like plausible passwords (their paper has a formula for creating them).

It’s not a total solution to the problems of passwords – they can still be easily guessed if the user is sloppy, stolen from other locations or devices, given away in phishing expeditions or merely seen over someone’s shoulder. That’s why the authors say it’s a useful layer of defence, especially against attempts to use passwords obtained by brute-force cracking of hashed passwords.

Ultimately, they suggest, the best defence is to get rid of passwords altogether through biometrics or other systems.

