
Fake 'honeyword' passwords could be planted to trip up hackers


A new security technique thwarts evildoers online not by hiding or encrypting your password, but by giving the hackers in question too many to choose from. By storing each real password alongside many decoy "honeywords," even the most savvy hacker has a better-than-average chance of using the wrong password and triggering an alarm.

There are many, many ways to hack into a secure server or account, as the many high-profile breaches of the last few months have shown. A popular method is to get hold of an encrypted database of user names and password data, and get hard at work cracking that encryption. If that can be done successfully, the hacker then possesses a ton of working login data — they can sign in and no one will be the wiser.

The "honeyword" system adds a number of decoy passwords to the database, only one of which actually works. The rest will alert the site that someone is trying to break in.

Think of it like this: A thief is looking to rob a bank, and after working long and hard to crack the safe, he walks in — but instead of a bunch of cash, there are a dozen doors. The loot is behind one door, and all the others are alarmed. The bank manager always knows which door to use, just like the user always knows which password is correct — but the robber will have to try his luck.

It's not impenetrable by any means, but it makes the process of logging in with stolen credentials a risky one, whereas before it was perfectly safe. Now a hacker will have to think twice about trusting the passwords he's uncovered — if he uses a decoy, the game's up and all his work is for naught.
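A minimal implementation of the scheme described above, added here as an example (it is not the paper's or any vendor's code): decoys are produced by a simplified form of the paper's "chaffing by tweaking" (re-randomising the last three characters), every sweetword is hashed into the credential record, and a separate "honeychecker" holds only the index of the genuine password. Function names, the k=20 default and the demo password are this example's own choices.

```python
import hashlib
import hmac
import os
import random
import string

def hash_pw(password: str, salt: bytes) -> bytes:
    # Slow salted hash: a decoy costs an attacker as much to crack as the real one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def tweak_tail(password: str, rng: random.Random, t: int = 3) -> str:
    """Re-randomise the last t characters within their own class (digit,
    lower, upper) so decoys look as plausible as the genuine password."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase)
    out = []
    for c in password[-t:]:
        cls = next((s for s in classes if c in s), None)
        out.append(rng.choice(cls) if cls else c)
    return password[:-t] + "".join(out)

def generate_sweetwords(password: str, k: int, seed=None) -> list:
    """The real password plus k-1 distinct honeywords, shuffled.
    seed is only for reproducible demos; leave it None in real use."""
    rng = random.Random(seed)
    words, attempts = {password}, 0
    while len(words) < k:
        attempts += 1
        if attempts > 50 * k:  # e.g. the tail is all symbols and cannot be varied
            raise ValueError("cannot derive %d distinct honeywords" % k)
        words.add(tweak_tail(password, rng))
    words = sorted(words)
    rng.shuffle(words)
    return words

def enroll(password: str, k: int = 20, seed=None):
    """Return (record, real_index). The record (salt + k hashes) goes in the
    password file; real_index goes only to the separate honeychecker."""
    sweetwords = generate_sweetwords(password, k, seed)
    salt = os.urandom(16)
    record = {"salt": salt, "hashes": [hash_pw(w, salt) for w in sweetwords]}
    return record, sweetwords.index(password)

def login(record, honeychecker_index: int, attempt: str) -> str:
    """'ok' for the real password, 'fail' for no match, 'ALARM' for a honeyword."""
    h = hash_pw(attempt, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(h, stored):
            return "ok" if i == honeychecker_index else "ALARM"
    return "fail"
```

The alarm only has value because the real index lives outside the password file; if the honeychecker's state is stored alongside the hashes, the decoys tell an attacker which entry to skip.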

The creators of the system, Ari Juels of RSA Labs and MIT's Ronald Rivest, note in their paper (PDF) that other security measures, like strong passwords and two-factor authentication, are still necessary. But "honeywords" would be fairly easy to implement, and would act as both deterrent and early-warning system — so wary administrators may be installing it soon.

via Ars Technica

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.