Solving the challenges around passwords has received increasing attention, with some in the industry just recently forming the Fast Identity Online Alliance.
In a new paper, Ari Juels of EMC’s RSA security division and Ronald L. Rivest of the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology [MIT] offered their own solution – “honeywords.” The idea behind honeywords is to thwart attackers looking to circumvent authentication schemes by cracking hashed passwords.
If honeywords are used, an attacker that has obtained a file of hashed passwords and inverts the hash function cannot tell if he or she has found a user’s actual password or a honeyword.
“Our suggested approach can be viewed as extending this basic idea to all users (i.e., including the legitimate accounts), by having multiple possible passwords for each account, only one of which is genuine,” according to the report. “The others we call ‘honeywords.’ The attempted use of a honeyword to login sets off an alarm, as an adversarial attack has been reliably detected.”
The paper focuses on a scenario where an attacker has gotten his or her hands on a copy of a file with usernames and associated hashed passwords and has obtained the values of the salt or other parameters required to compute the hash function.
“In this scenario, the adversary can perform a brute force search over short or likely passwords, hashing each one (with salting if necessary) until the adversary determines the passwords for one or more users,” the paper notes. “Assuming that passwords are the only authentication mechanism in place, the adversary can then log in to the accounts of those users in a reliable and undetected manner.”
Using a ‘honeychecker’ – an auxiliary server that can distinguish the actual password from honeywords during the login process and that will set off an alert if a honeyword is used – an organization can force an attacker to either risk getting caught or attempt the additional task of compromising the honeychecker as well. The researchers assume the attacker has not achieved persistent compromise of the system and cannot view the creation of new passwords and honeywords.
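As an added illustration (not code from the paper or from RSA or MIT), here is a minimal Python simulation of the split described above: the main server keeps salted hashes of every sweetword for an account and never learns which one is real, the honeychecker keeps only the index of the genuine password, and a login that matches any decoy raises an alarm. The sweetword list, the genuine index and the user name are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: one account with several "sweetwords", of which only
# one is the genuine password; the others are honeywords (decoys).
SWEETWORDS = ["correcthorse", "batterystaple", "Tr0ub4dor&3", "letmein2013"]
GENUINE_INDEX = 2  # assumed for the example: "Tr0ub4dor&3" is the real one


def _hash(pw: str, salt: bytes) -> bytes:
    # Same salted slow hash the attacker would have to invert per sweetword.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class HoneyChecker:
    """Auxiliary server: stores only the index of the genuine password per user."""
    def __init__(self):
        self._index = {}
        self.alarms = []  # users for whom a honeyword was submitted

    def set(self, user: str, i: int) -> None:
        self._index[user] = i

    def check(self, user: str, i: int) -> bool:
        if i == self._index[user]:
            return True
        self.alarms.append(user)  # decoy used: the hash file is compromised
        return False


class PasswordServer:
    """Main server: stores salted hashes of all sweetwords, genuine one unmarked."""
    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.db = {}

    def enroll(self, user: str, sweetwords: list, genuine_index: int) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set(user, genuine_index)  # only the checker learns this

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self.db[user]
        h = _hash(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "honeyword-alarm"
        return "denied"  # not a sweetword at all: an ordinary wrong password
```

An attacker who inverts the hash file sees four equally plausible candidates and must guess; three of the four guesses trip the alarm.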
“Despite their benefits over common methods for password management, honeywords aren’t a wholly satisfactory approach to user authentication,” according to the paper. “They inherit many of the well-known drawbacks of passwords and something-you-know authentication more generally. Eventually, passwords should be supplemented with stronger and more convenient authentication methods… or give way to better authentication methods completely, as recently predicted by the media.”
The paper can be read in its entirety here.