
Honeywords

Comments

  • Khannie


    Initial thoughts: I like it.


  • syklops


    I like it as well. It would be a great way of populating a black list or identifying malware infected domains.


  • wes


    Sounds like an excellent idea. Make that bit harder for attackers to compromise a system.


  • syklops


    Would a more accurate name for them not be honey accounts?


  • Dermot Illogical


    syklops wrote: »
    Would a more accurate name for them not be honey accounts?

    Not really. The accounts themselves would be genuine.


  • syklops


    Not really. The accounts themselves would be genuine.

    True.


  • 900913


    So it's an alarm system that will only work after the database has been compromised, password hashes downloaded and cracked and then a failed login on the same site with one of the Honeywords?

    Surely an experienced hacker/cracker would only go for admin and privileged accounts or just try login to the email accounts associated with the cracked passwords.


  • syklops


    900913 wrote: »
    So it's an alarm system that will only work after the database has been compromised, password hashes downloaded and cracked and then a failed login on the same site with one of the Honeywords?

    Surely an experienced hacker/cracker would only go for admin and privileged accounts or just try login to the email accounts associated with the cracked passwords.


    Good point. Also, in the article they say that the other 19 passwords would look similar to the real password so as to trick the hacker into using the honeyword. I have two problems with this.

    First, humans, being fallible, mistype their password all the time. "Was it a 1 at the end or a bang?", so the system would be regularly alerting when it wasn't being cracked.

    The other problem I have is, if I hacked a DB of passwords, and for a number of accounts there were 20 different but similar passwords, surely that would arouse my suspicions a bit and I might just avoid those accounts.

    I like the general idea, but I think more work needs to be done on the implementation.


  • Dermot Illogical


    Surely the idea would be that all accounts would have them, privileged included?
    And they needn't be within typo territory of the correct password, just be of similar strength so that you don't have the correct one cracked hours before any of the honeywords.
    On the email accounts/recovered passwords thing, you'd have 20 passwords to choose from but again only one of them may be right if password re-use was happening. The chances of success for an intruder are lowered. Of course if the intruder did get lucky going at an email account from cracked passwords they'd know which one to use on the original database :)


  • Khannie


    syklops wrote: »
    First, humans, being fallible, mistype their password all the time. "Was it a 1 at the end or a bang?", so the system would be regularly alerting when it wasn't being cracked.

    Let's assume your password was smellysocks1, then I think it would be along the lines of (for example): antspants4, dirtyears5 and so on.
    syklops wrote: »
    The other problem I have is, if I hacked a DB of passwords, and for a number of accounts there were 20 different but similar passwords, surely that would arouse my suspicions a bit and I might just avoid those accounts.

    The idea is that all the accounts would have them. That way you would need to avoid all the accounts (or risk setting off the alarm).

    As a final line of defence I think it's a pretty nifty little idea. Really it is safest to assume that someone has access to your hashed password file and work from there.


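A minimal honeyword login check along the lines discussed in this thread (the real password plus 19 decoys of the same shape, a separate honeychecker that holds only the index of the real one, and an alarm raised only when a decoy is used), added here as an illustrative example rather than code from the thread or from the original paper. The word list, the user "alice", the PBKDF2 work factor and the demo seed are all constructed for the example.

```python
import hashlib, hmac, os, random

ITERATIONS = 20_000   # kept low for the demo; use the site's real work factor in practice
# Constructed wordlist: decoys get the real password's word+word+digit shape (similar strength, not typo distance)
WORDS = ["ants", "pants", "dirty", "ears", "smelly", "socks", "green", "frog",
         "blue", "door", "quiet", "lamp", "rusty", "gate", "sunny", "hill"]

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def make_sweetwords(real, n=20, rng=None):
    """Real password plus n-1 decoys in random order, and the index of the real one."""
    rng = rng or random.SystemRandom()
    decoys = []
    while len(decoys) < n - 1:
        d = rng.choice(WORDS) + rng.choice(WORDS) + str(rng.randrange(10))
        if d != real and d not in decoys:
            decoys.append(d)
    idx = rng.randrange(n)
    return decoys[:idx] + [real] + decoys[idx:], idx

class Honeychecker:
    """Separate hardened service: stores only which slot is real, never any password."""
    def __init__(self): self._index = {}
    def set(self, user, idx): self._index[user] = idx
    def check(self, user, idx): return self._index.get(user) == idx

class PasswordFile:
    """The site's credential store: per user a salt and n hashes, the real one indistinguishable."""
    def __init__(self, checker): self.checker, self.rows = checker, {}
    def enrol(self, user, password, rng=None):
        sweet, idx = make_sweetwords(password, rng=rng)
        salt = os.urandom(16)
        self.rows[user] = (salt, [_hash(s, salt) for s in sweet])
        self.checker.set(user, idx)
    def login(self, user, attempt):
        salt, hashes = self.rows[user]
        h = _hash(attempt, salt)
        hits = [i for i, x in enumerate(hashes) if hmac.compare_digest(x, h)]
        if not hits:
            return "wrong"      # a plain typo matches nothing: no alarm
        if self.checker.check(user, hits[0]):
            return "ok"
        return "honeyword"      # a decoy matched: only a cracked copy of the file yields one

def demo(password="smellysocks1", seed=7):
    # seeded only so the walk-through is reproducible; returns (real, typo, decoy) outcomes
    pf = PasswordFile(Honeychecker())
    pf.enrol("alice", password, rng=random.Random(seed))
    sweet, idx = make_sweetwords(password, rng=random.Random(seed))  # same decoys, to pick one
    decoy = sweet[(idx + 1) % len(sweet)]
    return pf.login("alice", password), pf.login("alice", "smellysocks!"), pf.login("alice", decoy)
```

The split between the password file and the honeychecker is what makes the scheme work: whoever steals and cracks the file sees 20 plausible candidates per account and has no way to tell which is real without the index held elsewhere.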