Networks have their honeypots to trap bad guys and now security administrators could get something sweet to root out password breaches.
"Honeywords" are false passwords that set off alarms when hackers try to use them to break into accounts.
"It's not a big idea, but it's a good idea," Ronald Rivest, a Vannevar Bush professor of computer science at MIT, told the audience Wednesday at the RSA Conference during his session, "Honeywords, A New Tool for Protection from Password Database Breach."
Rivest is one of the developers of the Honeywords technique.
It works like this: false passwords, Honeywords, are maintained along with a user's real password. If passwords are stolen and the hash files are cracked, the thief won't know which of the passwords associated with the account is the correct one. If the hacker tries one of the false passwords to sign on, an "alarm" sounds to alert IT that someone is trying to break into the network.
"Honeywords are a poor man's distributed security system," says Rivest. "You fake the adversary out and it either misleads him or detects he has stolen your authentication credentials."
The beauty is that there is no change on the end-user side of the equation, so there is no training. The user logs in as always and if their password is a match, they are granted access in the expected way.
On the backend, however, there is a piece of software called a Honeychecker that aids in recognizing the false passwords and signaling an attack.
In Rivest's world, some of those 360 million credentials would be Honeywords. And as soon as they were used in an attempt to access the domain from which they were stolen, administrators would be notified of the siege. Honeywords won't prevent a breach, but they speed awareness of an attack and can prevent those attacks from going on for months without detection.
Rivest knows that password-hash crackers now use models or sets of real passwords to speed the cracking of hashes, so he assumes in his Honeywords world that hashes can be cracked and passwords are available in clear text.
He says fake objects that look real are time-honored counterintelligence tools.
"Honey objects seem undervalued," said Rivest, who first presented the Honeywords idea at the 2013 Association of Computer Machinery Conference on Computer and Communications Security along with Ari Juels, former chief scientist and director of RSA Laboratories and now an independent researcher.
In the Honeywords model, the enterprise authentication system stores a map that links a set of passwords to a user. The Honeychecker stores the index of the user's correct password. The Honeychecker sits "downstream" in the security operations center and is not involved in the authentication itself. It only serves to check that the password is not a Honeyword. If the Honeychecker is offline or fails, the user can still log in, although breach detection capabilities are lost.
One tactic that makes the system better is creating good Honeywords: bogus passwords that hackers can't tell apart from the legitimate one.