Researchers suggest ‘honeywords’ could stop password breaches

A new research paper has pointed to the possibility of using 'honeywords' as a deterrent to stop hackers gaining access to passwords.

RSA chief scientist Ari Juels and MIT professor Ronald L Rivest published a paper entitled 'Honeywords: Making Password-Cracking Detectable' last week.

In the paper, they suggest that in order to improve the security of hashed passwords, additional 'honeywords' (false or decoy passwords) can be established to help alert users when the real passwords are being tampered with.

"An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword," Mr Juels and Mr Rivest state in the paper's abstract.

"An auxiliary server (the 'honeychecker') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted."

The news may be particularly helpful for organisations considering their plan for vulnerability management, as it may provide an extra barrier of protection against cyber criminals.

Passwords can often be a flawed method of security as many users frequently choose "poor" phrases with low levels of difficulty, which means cyber criminals can often use brute force methods to crack passwords successfully.

According to Mr Juels and Mr Rivest's method, the computer system and the 'honeychecker' would form a combined basic method of "distributed security", which works by protecting critical information even when some of the systems or software has been compromised.

The research paper goes on to address other areas of concern, such as the matter of how to set up the system, how to generate honeywords, managing old passwords and policies for responding to attacks.

While the authors acknowledge that password files can still be compromised by hackers even when honeywords are used, they state that there are many benefits to consider as well, such as the flexibility and user-friendly aspect of the strategy.

"The big difference when honeywords are used is that a successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected," Mr Juels and Mr Rivest write.

"The use of honeywords may be very helpful in the current environment, and is easy to implement."

As organisations increasingly rely on ICT networks for everyday business activities, it is more important than ever to ensure that your company has the benefit of a robust security framework.

When sensitive data is hacked it can lead to disastrous consequences – which is why regular penetration testing is so important.

A thorough security audit of your company will ensure that any flaws in your network security are picked up and resolved before they can be exploited by outside individuals.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s