SecurityWeek


Detecting Password Cracking With ‘Honeywords’

Solving the challenges around passwords has received increasing attention, with some in the industry just recently forming the Fast Identity Online Alliance.


In a new paper, Ari Juels of EMC’s RSA security division and Ronald L. Rivest of the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology [MIT] offered their own solution – “honeywords.” The idea behind honeywords is to thwart attackers looking to circumvent authentication schemes by cracking hashed passwords.

If honeywords are used, an attacker that has obtained a file of hashed passwords and inverts the hash function cannot tell if he or she has found a user’s actual password or a honeyword.

“Sometimes administrators set up fake user accounts (“honeypot accounts”), so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password then attempts to login,” according to the paper, entitled ‘Honeywords: Making Password-Cracking Detectable.’ “Since there is really no such legitimate user, the adversary’s attempt is reliably detected when this occurs. However, the adversary may be able to distinguish real usernames from fake usernames, and thus avoid being caught.”

“Our suggested approach can be viewed as extending this basic idea to all users (i.e., including the legitimate accounts), by having multiple possible passwords for each account, only one of which is genuine,” according to the report. “The others we call “honeywords.” The attempted use of a honeyword to login sets off an alarm, as an adversarial attack has been reliably detected.”

The paper focuses on a scenario where an attacker has gotten his or her hands on a copy of a file with usernames and associated hashed passwords and has obtained the values of the salt or other parameters required to compute the hash function.

“In this scenario, the adversary can perform a brute force search over short or likely passwords, hashing each one (with salting if necessary) until the adversary determines the passwords for one or more users,” the paper notes. “Assuming that passwords are the only authentication mechanism in place, the adversary can then log in to the accounts of those users in a reliable and undetected manner.”

Using a ‘honeychecker’ – an auxiliary server that can distinguish the actual password from honeywords during the login process and that will set off an alert if a honeyword is used – an organization can force an attacker to either risk getting caught or attempt the additional task of compromising the honeychecker as well. The researchers assume the attacker has not achieved persistent compromise of the system and cannot view the creation of new passwords and honeywords.
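The split between the password file and the honeychecker, as an added example that is not code from the paper or from the article: the main server stores salted hashes of every sweetword (the real password plus its honeywords) in a random order, while the honeychecker stores only the index of the genuine one and raises an alarm when a login matches any other index. The user name, password and honeywords used below are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of the honeyword/honeychecker split described above.

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Honeychecker:
    """Auxiliary server: stores only username -> index of the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []  # users whose account saw a honeyword login attempt

    def set_index(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        if self._index.get(user) == idx:
            return True
        self.alarms.append(user)  # a honeyword was used: raise the alarm
        return False

class PasswordServer:
    """Main server: holds salted hashes of all sweetwords, never the real index."""
    def __init__(self, checker: Honeychecker):
        self.checker = checker
        self.users = {}  # user -> (salt, [sweetword hashes])

    def register(self, user, password, honeywords):
        salt = os.urandom(16)
        sweet = honeywords + [password]
        secrets.SystemRandom().shuffle(sweet)  # hide the real one's position
        self.users[user] = (salt, [_hash(s, salt) for s in sweet])
        self.checker.set_index(user, sweet.index(password))

    def login(self, user, attempt):
        salt, hashes = self.users[user]
        h = _hash(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, idx) else "alarm"
        return "fail"  # not a sweetword at all: ordinary wrong password
```

An attacker who cracks the stolen file recovers all four sweetwords but, without the honeychecker's index, has a three-in-four chance of tripping the alarm on the first login attempt.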

“Despite their benefits over common methods for password management, honeywords aren’t a wholly satisfactory approach to user authentication,” according to the paper. “They inherit many of the well known drawbacks of passwords and something-you-know authentication more generally. Eventually, passwords should be supplemented with stronger and more convenient authentication methods… or give way to better authentication methods completely, as recently predicted by the media.”


The paper can be read in its entirety here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
