Honeywords: A Follow Up on my Previous Post

After reading my previous blog post, which included an overly annoying and slightly ineffective way to detect a password breach, my friend Chris from Casaba Security sent me a paper out of MIT that treats the topic more effectively, with a very similar but much better implementation.

Link to MIT paper

Basically, they suggest storing multiple passwords per user, with the real password kept in a separate “honeychecker” authentication server. All password authentication attempts are then routed to that separate server, and when a malicious user is detected using one of the fake passwords, you can deal with them accordingly.
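To make the split concrete, here is a small added example (my own illustration, not code from the post or from the MIT paper) of a login server that stores a shuffled set of "sweetwords" (the real password plus decoys) and a separate honeychecker that holds only the index of the real one. The decoy generator is a cut-down version of the paper's "tweaking" idea and is an assumption of this example, as are the class and function names; the sample user, password and decoys are constructed.

```python
import hashlib
import hmac
import os
import secrets
import string

# Kept low so the example runs quickly; production code should use a
# memory-hard KDF (e.g. Argon2id) or a far higher iteration count.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of one sweetword."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _same_class(ch: str, rng) -> str:
    """Random replacement character from the same class as `ch`."""
    if ch.isdigit():
        return rng.choice(string.digits)
    if ch.islower():
        return rng.choice(string.ascii_lowercase)
    if ch.isupper():
        return rng.choice(string.ascii_uppercase)
    return rng.choice(string.punctuation)


def generate_honeywords(password: str, n: int, rng=None, tail: int = 3) -> list:
    """Simplified decoy generation (assumption: a cut-down form of the paper's
    'tweaking'): keep the head of the password and replace its last `tail`
    characters with random characters of the same class, so each decoy looks
    about as plausible as the real password."""
    rng = rng or secrets.SystemRandom()
    head, tail_part = password[:-tail], password[-tail:]
    honeywords = []
    while len(honeywords) < n:
        candidate = head + "".join(_same_class(c, rng) for c in tail_part)
        if candidate != password and candidate not in honeywords:
            honeywords.append(candidate)
    return honeywords


class Honeychecker:
    """The separate server. It stores only the index of the real password per
    user and never sees passwords or hashes, so stealing the login server's
    password file alone does not reveal which sweetword is real."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []  # (user, submitted index) for every decoy hit

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        # A sweetword matched but it is not the real one: only someone holding
        # the stolen hashes could have produced it, so record the alarm.
        self.alarms.append((user, index))
        return False


class LoginServer:
    """Holds, per user, a shuffled list of (salt, hash) pairs: one for the real
    password and one for each honeyword."""

    def __init__(self, checker: Honeychecker, n_honeywords: int = 4):
        self.checker = checker
        self.n_honeywords = n_honeywords
        self._sweetwords = {}
        self._rng = secrets.SystemRandom()

    def register(self, user: str, password: str, honeywords=None) -> None:
        if honeywords is None:
            honeywords = generate_honeywords(password, self.n_honeywords, self._rng)
        sweetwords = [password] + list(honeywords)
        self._rng.shuffle(sweetwords)
        entries = []
        for word in sweetwords:
            salt = os.urandom(16)
            entries.append((salt, hash_password(word, salt)))
        self._sweetwords[user] = entries
        # Only the position of the real password crosses to the honeychecker.
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Returns 'ok', 'fail', or 'honeyword' (a decoy was submitted)."""
        entries = self._sweetwords.get(user)
        if entries is None:
            return "fail"
        matched = None
        # Check every entry instead of returning early so that response time
        # does not reveal which position matched.
        for i, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(hash_password(attempt, salt), digest):
                matched = i
        if matched is None:
            return "fail"
        return "ok" if self.checker.check(user, matched) else "honeyword"
```

The point of the design is in `Honeychecker.check`: a plain wrong guess hits no hash at all and is just a failed login, while a guess that matches a decoy hash is strong evidence that the password file has leaked and been cracked, which is the signal the post's "tough nut" approach could not give.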

Their model of generating passwords for the user to select as their true password would most likely be met with harsh criticism in any consumer-oriented product, but in a secure environment it would be more normal. It is necessary, though, in order to implement their false-password generator, and it improves security against users reusing passwords across different domains.

Having a ‘tough nut’ sounds good in theory, but any attacker sophisticated enough to be cracking passwords can easily modify their script to ignore extremely long passwords. But I do like their idea of throwing the attackers for a loop with false passwords. And the automated password-cracking process seems like a great place to try to insert some counter-attacking code. Password = “;DROP DATABASE”
