Sweetening password defences with honey

Passwords are one of the banes of an IT manager’s life.

In addition to keeping track of them, administrators have to ensure passwords are strong and find a way to stop attackers who break into a system from stealing the password database and using it against the organization.

The standard defence is to store passwords only as (salted) hashes, so a stolen list still has to be cracked. But a recent academic paper adds a twist borrowed from the honey trap: store a set of honeywords, decoy passwords, alongside each account's real one, so that an attacker who cracks the stolen list cannot tell which entry is genuine.

Log in with a honeyword and it sets off an alarm.

“A successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected,” write the authors, Ari Juels of RSA Labs and Ronald Rivest of MIT.

One way to look at it: if each legitimate password has a single honeyword counterpart, an attacker who cracks the stolen list and tries one entry has a 50-50 chance of picking the decoy and being detected. With more honeywords per real password the odds of detection rise accordingly; with k-1 honeywords, a single guess has only a 1-in-k chance of being the real password.

For this to work, the organization needs a “honeychecker,” a small application on a separate, hardened server that records, for each account, which of the stored entries is the real password. The login system asks it whether a submitted password matched the real entry or a honeyword; the honeychecker itself holds no password hashes.

The advantage of the honeyword concept, the authors argue, is that it protects all users, because every account gets one or more honeyword counterparts, not just the accounts an administrator chooses to monitor.

Honeywords can be incorporated into existing password systems with few system changes and little overhead in computation and communication, argue Juels and Rivest. One thing, though: the honeywords have to look like plausible passwords, or a cracker can simply discard them. Their paper describes several ways to generate such decoys, for example by tweaking the digits of the real password.
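The arrangement described above, as an added example that is not code from the paper or from the original article: a login server that stores k salted hashes per account (the real password and k-1 decoys), and a separate honeychecker that knows only the index of the real one. The honeyword generator is a simplified version of the paper's chaffing-by-tweaking-digits idea; the class and function names, the seed and the PBKDF2 iteration count are this sketch's own assumptions.

```python
import hashlib
import hmac
import os
import random

# Hypothetical example; names and parameters are this sketch's own, not the paper's.
PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in production


def hash_sweetword(salt: bytes, word: str) -> bytes:
    """Salted PBKDF2 hash; every sweetword (real or honey) is stored this way."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ITERATIONS)


def tweak_digits(password: str, n: int, rng) -> list:
    """Generate n distinct honeywords by re-rolling every digit of the real
    password (a simplified form of the paper's chaffing-by-tweaking-digits).
    The decoys share the password's shape, so a cracker cannot spot the real one."""
    positions = [i for i, c in enumerate(password) if c.isdigit()]
    if not positions:
        raise ValueError("password has no digits to tweak; use another generator")
    if n > 10 ** len(positions) - 1:
        raise ValueError("not enough digit positions for that many distinct honeywords")
    honeywords = set()
    while len(honeywords) < n:
        chars = list(password)
        for i in positions:
            chars[i] = rng.choice("0123456789")
        candidate = "".join(chars)
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)


class Honeychecker:
    """The separate hardened system. It holds no hashes and no passwords,
    only user -> index of the real password among that user's sweetwords."""

    def __init__(self):
        self._index = {}

    def set_index(self, user: str, index: int) -> None:
        self._index[user] = index

    def check(self, user: str, index: int) -> bool:
        return self._index.get(user) == index


class PasswordServer:
    """The ordinary login server. Its password table is what an attacker steals."""

    def __init__(self, checker: Honeychecker, k: int = 5, seed=None):
        self.k = k
        self.checker = checker
        # A seed makes the demo reproducible; a real deployment uses SystemRandom.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.table = {}   # user -> (salt, [hash of sweetword 0 .. k-1])
        self.alarms = []  # (user, index) for every honeyword login seen

    def enroll(self, user: str, password: str) -> list:
        sweetwords = tweak_digits(password, self.k - 1, self.rng) + [password]
        self.rng.shuffle(sweetwords)  # position of the real password is secret
        salt = os.urandom(16)
        self.table[user] = (salt, [hash_sweetword(salt, w) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))
        # Returned only for the demonstration: this is exactly the list an attacker
        # holds after cracking all k hashes, with no hint of which entry is real.
        return sweetwords

    def login(self, user: str, candidate: str) -> str:
        """Returns 'ok', 'fail', or 'alarm' (a honeyword was used: the table has leaked)."""
        if user not in self.table:
            return "fail"
        salt, hashes = self.table[user]
        digest = hash_sweetword(salt, candidate)
        # Compare against every stored hash so timing does not reveal the match position.
        matches = [i for i, h in enumerate(hashes) if hmac.compare_digest(h, digest)]
        if not matches:
            return "fail"
        if self.checker.check(user, matches[0]):
            return "ok"
        self.alarms.append((user, matches[0]))
        return "alarm"


if __name__ == "__main__":
    server = PasswordServer(Honeychecker(), k=5, seed=7)
    leaked = server.enroll("alice", "hunter2024")  # constructed sample account
    print("cracked sweetwords an attacker would see:", leaked)
    for guess in leaked:
        print(f"{guess!r:>14} -> {server.login('alice', guess)}")
    print("detection chance per attacker guess:", (server.k - 1) / server.k)
```

Two points the code makes that the description alone does not: the login server never learns which entry is real without asking the honeychecker, so stealing its table gives the attacker k equally plausible candidates; and an alarm is raised on the first honeyword attempt, so with k=5 an attacker who guesses uniformly is caught four times in five. The digit-tweaking generator refuses passwords with no digits, a case where a deployment would need one of the paper's other generation methods.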

It’s not a total solution to the problems of passwords. They can still be guessed if the user is sloppy, stolen from other sites or devices, given away in phishing expeditions or simply seen over someone’s shoulder, and a honeyword detects none of those. That’s why the authors present it as one useful layer of defence, specifically against the use of passwords recovered by brute-force cracking of a stolen hash file.
Ultimately, they suggest, the best defence is to get rid of passwords altogether through biometrics or other systems.

The paper, “Honeywords: Making Password-Cracking Detectable” by Ari Juels and Ronald L. Rivest, is available online.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com