Two prominent security researchers have suggested that using a decoy version of a password, known as a honeyword, could help detect when attackers are trying to gain access to websites and online services.
Ari Juels, chief scientist at RSA, and Ronald L Rivest, a Professor of Electrical Engineering and Computer Science in MIT's EECS, last week published an academic paper with the suggestion of using honeywords alongside hashed passwords.
The pair contend that because passwords traditionally are a weak method of security, not least because of poor password choice, storing multiple possible passwords for each account holder — only one of which is genuine — on a system can help detect when an intruder tries to access a service using one of the decoy logins.
"This approach is not terribly deep, but it should be quite effective as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password. Thus, honeywords can provide a very useful layer of defence," Juels and Rivest wrote.
The suggestion is actually an extension of the idea of using "honeypot accounts" to catch intruders who gain access to hashed password lists. By creating a whole fake user account, system admins can reliably see when someone inverts a hash from a password file and uses it to log in to the system. The administrator can then raise the alarm about the login attempt, as they know no such user exists on the system. However, it is possible that the attacker can deduce which accounts are fake, meaning they can bypass the alert system.
For the honeyword system to work, a separate hardened computer system that contains the information about which passwords are legitimate and which are honeywords also needs to be used. Referred to by the researchers as a "honeychecker", this separate system would not contain hashed versions of the password or honeywords, and would instead just store randomly selected integers that indicate where in the database the real password is stored.
In a worst-case scenario, if attackers also managed to gain access to the honeychecker, they would be no better off than if the honeywords approach had not been used at all, and would still need to invert the hash of the real password.
In the event that the honeychecker detects an anomaly, the system should have the capability of either blocking the login, or allowing it to go ahead but silently informing an IT administrator, the researchers suggest.
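The split described above, as an added illustration that is not code from the Juels and Rivest paper: the login server stores several salted hashes per account (the real password among decoys), while a separate honeychecker stores only the integer index of the genuine one. User names, the decoy list and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import os
import secrets


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2 parameters are constructed, not from the paper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Honeychecker:
    """Separate hardened host: knows only which index holds the real password,
    never the passwords or their hashes, so its compromise alone leaks nothing usable."""

    def __init__(self):
        self._index = {}

    def set_index(self, user: str, i: int) -> None:
        self._index[user] = i

    def check(self, user: str, i: int) -> bool:
        return self._index.get(user) == i


class LoginServer:
    """Holds the password file: per user, a salt and k hashes of the sweetwords."""

    def __init__(self, checker: Honeychecker):
        self.checker = checker
        self.db = {}

    def register(self, user: str, password: str, honeywords: list) -> None:
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        salt = os.urandom(16)
        self.db[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Returns 'allow', 'reject', or 'alarm' (a decoy matched: the hash file is leaking)."""
        if user not in self.db:
            return "reject"
        salt, hashes = self.db[user]
        h = hash_pw(attempt, salt)
        for i, stored in enumerate(hashes):
            if secrets.compare_digest(h, stored):
                return "allow" if self.checker.check(user, i) else "alarm"
        return "reject"


def demo() -> dict:
    """Constructed scenario: one real password, four decoys, three login attempts."""
    srv = LoginServer(Honeychecker())
    srv.register("alice", "correct horse", ["correct house", "korrect horse", "corect horse", "correct hose"])
    return {kind: srv.login("alice", pw) for kind, pw in
            [("real", "correct horse"), ("decoy", "korrect horse"), ("wrong", "battery staple")]}
```

On an "alarm" result the site can either block the login or let it through and silently page an administrator, as the paper suggests; an attacker who cracked the file has a one-in-k chance of picking the genuine entry.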
The need for additional layers of security is evidenced by the number of high-profile breaches that have happened as a result of hashed password files being stolen.