Here’s a way organizations can defend against hackers accessing hashed password lists through brute force attacks: Fill lists with honeywords that trip alarms
Passwords are one of the banes of an IT manager’s life.
In addition to having to keep track of them, administrators also have to ensure they are strong and figure out a way hackers can’t break into systems, steal the list and use the passwords against the organization.
The most common way is hash the passwords. But a recent academic paper has a suggestion around the idea of a honey trap: Create a list of honeywords – false passwords – associated with each person’s account that will lure a hacker who manages to get the list.
Use the honeyword to login to a system and it sets off an alarm.
“A successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected,” write the authors, Ari Jules of RSA Labs and Ronald Rivest of MIT.
One way to look at it is the odds of being detected are 50-50 if each legitimate password has a single honeyword counterpart. If there’s more than one honeyword per real password, the odds increase.
For defence, the organization needs a “honeychecker,” an application database on a separate, secure server that checks for real passwords.
Honeywords can be incorporated into existing password systems with few system changes and little overhead in computation and communication, argue Jules and Rivest. One thing, though – the honeywords have to look like plausible passwords (their paper has a formula for creating them.)