'Honeywords' Could Signal Breaches

Aaron Weiss, Tech Journalist / Humorist | 5/17/2013 | 11 comments

In the wake of yet another major password compromise, this one hitting up to 50 million accounts at LivingSocial, two security researchers have published a very appealing proposal: use "honeywords" to improve breach detection.

Past attacks on services like Yahoo Voices and LinkedIn have highlighted the need to strengthen the methods used to store password information on servers. As we should all know by now, anything less than salted hashes isn't good enough. But LivingSocial did use salted hashes. It will take hackers a lot of computing time to decrypt passwords from LivingSocial, but it is still possible.

Enter honeywords. As described in a research paper by Ari Juels and Ronald Rivest, honeywords are decoy tripwire passwords linked to user accounts. Suppose that a user registers for your service and sets the password to "BlueSky72". Your system stores only a salted hash of this password in your secure database. Now suppose your system automatically generates a bunch of false passwords for this account. Imagine an algorithm that generates these false passwords from common dictionary combinations and then stores the salted hashes for them, too.

Attackers now get hold of your password hashes; perhaps they exploited some other hole and dumped your database. Your password tokens are salted and hashed, so the attackers throw your dataset at a powerful set of GPUs for brute force decoding. Thanks to your honeywords, the attackers have a new problem: They don't know which decrypted passwords are legitimate and which are decoys.

Better yet, when attackers try a decoy password against your server, a tripwire is triggered. After all, the only reason someone would use one of these decoy passwords is in an attack. At this point, your system could follow one of several paths. A silent alarm could alert administrators, potentially heading off a massive breach that makes headlines. Or the attackers could be led into a honeypot -- a protected area of the system where their actions are logged and tracked without their knowledge. This information may be useful in tracking down and/or prosecuting the perpetrators.

The honeyword strategy does raise some implementation considerations. How many honeywords should you generate for each password? The more decoy passwords there are, the larger the surface area is for your tripwire. But your database will also grow by several orders of magnitude. That could raise scale and performance issues for a service with a very large user base.

Debate has focused in particular on how your system distinguishes a legitimate password from a honeyword. For example, it would be a bad idea to store a distinguishing flag in the same database as the hashes themselves: an attacker who dumps the database gets that information along with it. You could instead create a simple database containing only flags indicating which password is genuine for each user account. In principle, this database could be stored on a separate system (perhaps even built on a different platform), reducing the likelihood that a single exploit leaks both the full database and the crucial supplemental data. But you are adding complexity to your system, and, again, there may be scale and performance issues.

An appealing alternative is to build this knowledge into your business logic. Rather than storing explicit flags for each account, you could rely on a formula to disambiguate passwords -- for example, a salt based on static information such as the username and/or registration time.
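The mechanics described above, as an added example that is not the article's or the Juels/Rivest paper's own code: the main store holds a shuffled list of salted hashes per user, a separate checker holds only the index of the genuine entry, and a login that matches a decoy trips the alarm. The decoy pool, class and function names are constructed for the demo; a real deployment would generate decoys per user and run the checker on a separate system.

```python
import hashlib
import hmac
import os
import random

# Constructed decoy pool (hypothetical); the article suggests generating
# decoys from dictionary combinations, which a real system would do per user.
DECOY_POOL = ["RedSky19", "GreenSky07", "BlueSea72", "BlueSky27", "Bluesky72"]
_rng = random.SystemRandom()

def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; iteration count kept low for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class PasswordStore:
    """Main database: per user, a shuffled list of (salt, hash) entries.
    Nothing in this table indicates which entry is the genuine password."""
    def __init__(self):
        self.rows = {}

class HoneyChecker:
    """Separate system (the supplemental store the article describes):
    holds only the index of the genuine entry and records decoy hits."""
    def __init__(self):
        self.real_index = {}
        self.alarms = []

    def check(self, user: str, index: int) -> bool:
        if index == self.real_index[user]:
            return True
        self.alarms.append((user, index))  # tripwire: a decoy was used
        return False

def register(store, checker, user, password, n_decoys=3):
    decoys = _rng.sample([d for d in DECOY_POOL if d != password], n_decoys)
    sweetwords = [password] + decoys
    _rng.shuffle(sweetwords)  # real password lands at a random position
    entries = []
    for word in sweetwords:
        salt = os.urandom(16)
        entries.append((salt, _hash(word, salt)))
    store.rows[user] = entries
    checker.real_index[user] = sweetwords.index(password)

def login(store, checker, user, attempt) -> str:
    """Return 'ok', 'fail' (no match) or 'honeyword' (decoy used: alarm)."""
    for i, (salt, digest) in enumerate(store.rows.get(user, [])):
        if hmac.compare_digest(_hash(attempt, salt), digest):
            return "ok" if checker.check(user, i) else "honeyword"
    return "fail"

if __name__ == "__main__":
    store, checker = PasswordStore(), HoneyChecker()
    register(store, checker, "alice", "BlueSky72")
    print(login(store, checker, "alice", "BlueSky72"))  # ok
```

A dump of `store.rows` alone gives an attacker four equally plausible hashes per user; only `checker.real_index` tells them apart, which is why it lives elsewhere.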

Some will argue that implementing honeywords adds a complicating layer when your effort would be better spent hardening your systems -- securing them against database exploits and using the strongest algorithms for salted hashes. But adding layers is precisely how system security is strengthened. By using honeywords, you get a warning about an attack in its earliest stages.

And if the industry adopted honeywords on a wider scale, attackers would face a considerable amount of uncertainty over which of their stolen and decrypted passwords might set off alarms.

JohnVerity   'Honeywords' Could Signal Breaches   5/30/2013 8:13:12 PM
Re: honeywords on the right direction
This is a fiendishly clever scheme. Reminds me of the people who came up with Trivial Pursuit. To make sure they could catch others copying their work, they salted the answers with some phony ones. I think it worked, and some people were caught.
singlemud   'Honeywords' Could Signal Breaches   5/27/2013 3:45:12 PM
Re: honeywords on the right direction
That is a good point. In fact, many small companies just ignore that; when it grows big, it is too hard to fix this.
nasimson   'Honeywords' Could Signal Breaches   5/20/2013 5:48:22 PM
Re: Honey Honey
@Angelfuego: The need for additional layers of security is evidenced in the number of high-profile security breaches that have happened as a result of hashed passwords being accessed.
nasimson   'Honeywords' Could Signal Breaches   5/20/2013 5:45:34 PM
Bruteforce
Someone who has stolen a password file can brute-force to search for passwords, even if honeywords are used. However, the big difference when honeywords are used is that a successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected.
kicheko   'Honeywords' Could Signal Breaches   5/20/2013 1:01:58 PM
Re: honeywords on the right direction
Looks to me like a scalable model, although I would also like to see what the relative cost would be. Maybe this might restore hope to the reliability of passwords for security again.
ProgMan   'Honeywords' Could Signal Breaches   5/20/2013 6:24:01 AM
Re: honeywords on the right direction
It's definitely a strategy that caters to scale - I would think only the larger target user databases would make sense implementing such a scheme. Seems like such an inordinate undertaking though; I would love to see a cost-risk analysis of something like this...
Zaius   'Honeywords' Could Signal Breaches   5/19/2013 11:59:50 PM
Re: honeywords on the right direction
I am not very hopeful about tracking and prosecuting the perps. I am interested in the 'tripwire' part. It may be an effective warning that something is really not right and someone is preparing an attack. This would add complications, but the benefits outweigh it. In the past, many security measures looked to be 'too much', but they are useful now.
angelfuego   'Honeywords' Could Signal Breaches   5/19/2013 2:48:32 PM
Re: Honey Honey
I like the term, "honeywords." Interesting article. I am intrigued how this can help track down and prosecute the perps.
Anand   'Honeywords' Could Signal Breaches   5/18/2013 5:19:07 AM
Re: 'Honeywords' Could Signal Breaches
It will take hackers a lot of computing time to decrypt passwords from LivingSocial, but it is still possible.

@Aaron, thanks for the post. Currently it might take hackers a lot of computing time, but in future it might become very easy for them to decrypt the passwords because quantum computers are slowly becoming reality and it's very easy to decrypt passwords using quantum computers.

Ivan Schneider   'Honeywords' Could Signal Breaches   5/17/2013 2:16:02 PM
Honey Honey
Interesting idea, leading to a couple of thoughts. 

If the attacker has some of your users' passwords from other sites (or pet names, children's names, favorite vacation spots, etc.), they'll be able to pick out the real password from among the honeywords for those users. Given that as a starting point, they might be able to detect a pattern in how the algorithm generates honeywords.

As an alternative to generating honeywords based on dictionary combinations, the system might instead repurpose the user's older passwords. Or, just ask the user to enter a list of random words and numbers and create them that way. Although part of the design decision by the authors was to make honeypots invisible to the user, you could also argue a case for making the users aware of the practice so that they realize that the website provider is taking active steps to protect them, and that they're a part of the solution. 

As for database size: "your database will also grow by several orders of magnitude" - hmm... that implies higher-order exponential growth. I think it would just take a fixed length of incremental space (maximum honeyword length) X (# of honeywords/user) per user. No big deal. 