Security awareness

What Are Honeywords? Password Protection for Database Breaches

September 22, 2018 by Greg Belding

Introduction

Despite all the recent advancements in information security technology, the basic problem of an attacker breaking into a server or database has not been solved. Attackers with modest technical ability can still get into a system and cause mayhem. In response to this, two gifted researchers have proposed a method to help ameliorate this threat — honeywords.

This article will detail what honeywords are, the problem they solve, how honeywords are implemented and how you can benefit from them. With careful implementation, honeywords make the theft of a password file detectable the moment a stolen password is put to use.


The Problem

Without saying too much about the embarrassing fact that a decades-old information security issue is still an issue, using passwords for database or server authentication is not as secure as it can be. Passwords are becoming compromised at an ever-increasing rate, with users facing the brunt of whatever consequences may follow.

The numbers don’t lie about this issue. In 2012, the popular networking platform LinkedIn had over 6 million of its passwords breached, while in 2013, note-taking app maker Evernote had 50 million of its passwords breached.

To this end, administrators worldwide have implemented measures in an attempt to mitigate hacker-related damage to their organizations. Chief among these measures is the use of honeypot accounts: if one of the honeypot accounts becomes compromised, an alert is sent to the administrator. The problem with this is that, most of the time, attackers can easily tell which accounts are honeypots from their usernames. If this is the best that the information security community can muster against attacks, clearly the best won’t do.

Proposed Solution

As a prevention and mitigation measure, MIT Professor Ronald L. Rivest and RSA Labs’ Ari Juels proposed the use of honeywords. When database passwords are stored, they are normally hashed, or scrambled, for secrecy. When a hacker steals the hashed passwords, he can invert (crack) the hashes to reveal the passwords. But when a honeyword is submitted as an account password, it generates an alert and notifies the site administrator. The idea here is that when a hacker inverts the hashes, he cannot determine whether a revealed password is the true password or a honeyword.

Simply put, if a breached network has employed honeywords and a hacker has successfully breached some database passwords, the hacker has in effect opened up a veritable minefield of passwords and may not even be aware of it.

How Are Honeywords Implemented?

Honeywords are not a setting you can turn on or configure in your database; they change how the password database itself is built. You pepper the password database with honeywords for every account, and pair it with a dedicated server whose only job is to distinguish honeywords from the valid passwords.

As simple as this may seem, this is an overly simplistic view, and more exploring is required before you can understand the mechanics of this new information security sensation.

A Closer Look

The mechanics of honeywords can be explained as follows. The password database that hosts the honeywords works alongside a separate component called a honeychecker, which stores the index of the correct password for every account in the organization. Together, the honeywords and the valid password for an account are known as sweetwords. When a user authenticates by submitting their account password, the computer system checks the submitted password against all of the sweetwords stored for that account. If there is a match, the computer system sends the index of the matching sweetword to the honeychecker for what is called verification. If the honeychecker confirms that the index is the correct one, the user is authenticated.

The situation is a little different when the attacker tries to breach the database. Let’s say that the attacker has successfully inverted the hash that was protecting the passwords in the password database. This gives the attacker a list of passwords and, unfortunately for the attacker, he/she does not know which password is valid and which passwords are honeywords. The attacker then submits a password that has been designated as a honeyword. The honeychecker will then throw an alarm and alert the administrator.

How is this method so effective at detecting a database breach? The effectiveness is predicated on the nature of the honeywords themselves. Honeywords are not simple, easily guessed passwords, and legitimate users almost never type one by accident. If honeywords are chosen well, a login attempt using one is therefore a strong indicator that the password hash file has been stolen.
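The following is an added example, not code from the article, from Juels and Rivest, or from any product. It models the two components described above: a login server that holds a sweetword hash file (what a breach exposes) and a separate honeychecker that stores only the index of the real password per account. Assumptions not stated on the page: honeywords are generated by "tweaking" the tail of the real password (one of the generation methods from the Juels and Rivest paper), PBKDF2-SHA256 stands in for a properly tuned password hash, and the names HoneyChecker, LoginServer, build_sweetwords, tweak_tail and demo are invented here. The sample account and password are constructed for the demo.

```python
import hashlib
import hmac
import random
import secrets
import string

PBKDF2_ROUNDS = 10_000  # kept low for the demo; tune a real KDF much higher


def hash_sweetword(salt: bytes, sweetword: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", sweetword.encode(), salt, PBKDF2_ROUNDS)


def tweak_tail(password: str, tweak_len: int, rng: random.Random) -> str:
    """Replace the last `tweak_len` characters, keeping each one's class
    (digit -> digit, letter -> same-case letter, other -> symbol) so the decoy
    has the same shape as the real password."""
    chars = list(password)
    for i in range(max(0, len(chars) - tweak_len), len(chars)):
        c = chars[i]
        if c.isdigit():
            chars[i] = rng.choice(string.digits)
        elif c.isalpha():
            chars[i] = rng.choice(string.ascii_lowercase if c.islower() else string.ascii_uppercase)
        else:
            chars[i] = rng.choice("!@#$%^&*?")
    return "".join(chars)


def build_sweetwords(password: str, n_honeywords: int, rng: random.Random, tweak_len: int = 3):
    """Return (sweetwords, real_index): the real password plus n_honeywords
    distinct decoys, shuffled so position reveals nothing about which is real."""
    decoys: set[str] = set()
    for _ in range(n_honeywords * 50):  # attempt cap: a short tail has few variants
        if len(decoys) == n_honeywords:
            break
        candidate = tweak_tail(password, tweak_len, rng)
        if candidate != password:
            decoys.add(candidate)
    if len(decoys) < n_honeywords:
        raise ValueError("password tail too short to yield enough distinct honeywords")
    sweetwords = sorted(decoys) + [password]
    rng.shuffle(sweetwords)
    return sweetwords, sweetwords.index(password)


class HoneyChecker:
    """Separate, hardened component: stores only user -> index of the real
    sweetword, never a password or hash, so stealing it alone reveals nothing."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}
        self.alarms: list[str] = []

    def set(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        # A sweetword matched but it is not the real one: the hash file was
        # almost certainly stolen and cracked. Raise the alarm.
        self.alarms.append(f"honeyword submitted for user {user!r} (sweetword index {index})")
        return False


class LoginServer:
    """Holds the sweetword hash file, i.e. what a database breach exposes.
    It cannot tell which of the n+1 hashes per user is the real password."""

    def __init__(self, checker: HoneyChecker, n_honeywords: int = 19, rng=None):
        self.checker = checker
        self.n_honeywords = n_honeywords
        self.rng = rng if rng is not None else random.SystemRandom()
        self._hash_file: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str) -> list[str]:
        sweetwords, real_index = build_sweetwords(password, self.n_honeywords, self.rng)
        salt = secrets.token_bytes(16)
        self._hash_file[user] = (salt, [hash_sweetword(salt, w) for w in sweetwords])
        self.checker.set(user, real_index)
        # Returned only so the demo can play an attacker who cracked every hash;
        # a real server discards the plaintexts at this point.
        return sweetwords

    def login(self, user: str, password: str) -> str:
        """'ok' = real password; 'denied' = no sweetword matched;
        'alarm' = a honeyword matched and the honeychecker flagged it."""
        if user not in self._hash_file:
            return "denied"
        salt, hashes = self._hash_file[user]
        submitted = hash_sweetword(salt, password)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(submitted, stored):
                return "ok" if self.checker.check(user, index) else "alarm"
        return "denied"


def demo(seed: int = 7) -> dict:
    checker = HoneyChecker()
    server = LoginServer(checker, rng=random.Random(seed))
    sweetwords = server.register("alice", "Summer2018!")  # constructed sample account
    # An attacker who stole and cracked the hash file holds all 20 sweetwords and
    # cannot tell which is real; trying any decoy trips the honeychecker.
    decoy = next(w for w in sweetwords if w != "Summer2018!")
    return {
        "n_sweetwords": len(sweetwords),
        "real": server.login("alice", "Summer2018!"),
        "wrong": server.login("alice", "Winter2018!"),
        "decoy": server.login("alice", decoy),
        "alarms": list(checker.alarms),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the split of knowledge: the login server's file contains twenty indistinguishable hashes per user, while the honeychecker knows one integer per user and nothing else, so neither component on its own gives an attacker the password, and a wrong guess at the index is what raises the alarm.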

Benefits of Using Honeywords

Using honeywords as an information security strategy for authentication passwords comes with some serious benefits for your organization. First, it adds very little work for the administrator. Once the sweetword indexes have been created, which can be automated, the administrator can proverbially sit back and wait, because any password breach will most likely set off the alarm.

Second, there is very little impact on organization systems. Aside from the login attempt itself, the only added burden is the transmission of the sweetword index to the honeychecker, and, when a honeyword is detected, the alarm output alerting the administrator.

Last, the organization benefits from the distributed security inherent in splitting the scheme between the computer system and the honeychecker. If either component is compromised on its own, the compromise is not fatal, and a compromised individual account can be easily mitigated. In the absolute worst-case scenario where both components are compromised, a new hash file will solve the issue by redefining the sweetwords used, leading to a new honeytrap for hackers.


Sources

HoneyWords: Making Password-Cracking Detectable, Ari Juels and Ronald L. Rivest

Use of ‘honeywords’ can expose password crackers, PCWorld

Honeywords: A New Tool for Protection from Password Data Breach, RSA Conference 2014

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.