Connect with us

Hi, what are you looking for?


Endpoint Security

Detecting Password Cracking With ‘Honeywords’

Solving the challenges around passwords has received increasing attention, with some in the industry just recently forming the Fast Identity Online Alliance.

Solving the challenges around passwords has received increasing attention, with some in the industry just recently forming the Fast Identity Online Alliance.

In a new paper, Ari Juels of EMC’s RSA security division and Ronald L. Rivest of the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology [MIT] offered their own solution – “honeywords.” The idea behind honeywords is to thwart attackers looking to circumvent authentication schemes by cracking hashed passwords.

If honeywords are used, an attacker that has obtained a file of hashed passwords and inverts the hash function cannot tell if he or she has found a user’s actual password or a honeyword.

Password Cracking Detection“Sometimes administrators set up fake user accounts (“honeypot accounts”), so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password then attempts to login,” according to the paper, entitled ‘Honeywords: Making Password-Cracking Detectable.’ “Since there is really no such legitimate user, the adversary’s attempt is reliably detected when this occurs. However, the adversary may be able to distinguish real usernames from fake usernames, and thus avoid being caught.”

“Our suggested approach can be viewed as extending this basic idea to all users (i.e., including the legitimate accounts), by having multiple possible passwords for each account, only one of which is genuine,” according to the report. “The others we call “honeywords.” The attempted use of a honeyword to login sets off an alarm, as an adversarial attack has been reliably detected.”

The paper focuses on a scenario where an attacker has gotten his or hands on a copy of a file with usernames and associated hashed passwords and has obtained the values of the salt or other parameters required to compute the hash function. 

“In this scenario, the adversary can perform a brute force search over short or likely passwords, hashing each one (with salting if necessary) until the adversary determines the passwords for one or more users,” the paper notes. “Assuming that passwords are the only authentication mechanism in place, the adversary can then log in to the accounts of those users in a reliable and undetected manner.”

Using a ‘honeychecker’ – an auxiliary server that can distinguish the actual password from honeywords during the login process and that will set off an alert if a honeyword is used – an organization can force an attacker to either risk getting caught or attempt the additional task of compromising the honeychecker as well. The researchers assume the attacker has not achieved persistent compromise of the system and cannot view the creation of new passwords and honeywords.

Advertisement. Scroll to continue reading.

“Despite their benefits over common methods for password management, honeywords aren’t a wholly satisfactory approach to user authentication,” according to the paper. “They inherit many of the well known drawbacks of passwords and something-you-know authentication more generally. Eventually, passwords should be supplemented with stronger and more convenient authentication methods… or give way to better authentication methods completely, as recently predicted by the media.”

The paper can be read in its entirety here.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

The Zero Day Dilemma

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...