http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/
By Dan Goodin
Ars Technica
May 6 2013
Security experts have proposed a simple way for websites to better
secure highly sensitive databases used to store user passwords: the
creation of false "honeyword" passcodes that when entered would trigger
alarms that account hijacking attacks are underway.
The suggestion builds on the already established practice of creating
dummy accounts known as honeypot accounts. It comes as dozens of
high-profile sites watched user data become jeopardized—including
LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and
eHarmony to name just a few from the past year. Because these dummy
accounts don't belong to legitimate users of the service and are
normally never accessed, they can be used to send a warning to site
administrators when attackers are able to log in to them. The new,
complementary honeyword measure—proposed in a research paper titled
"Honeywords: Making Password-Cracking Detectable"—was devised by RSA Labs
researcher Ari Juels and MIT cryptography professor Ronald Rivest, the
latter being the "R" in the RSA cryptography scheme.
The new measure calls for a file storing cryptographically hashed
passwords to contain multiple passwords for each account, only one of
which is valid. Attackers who manage to crack the hashes would have no
way of knowing if the corresponding plain-text password is real for a
particular user. Logging into an account using one of the decoy
passwords would immediately cause a "honeychecker"—located on a
separate, hardened computer system—to issue an alert to administrators
that the database has been compromised.
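The split described above, as an added illustration that is not from the article or the paper: the web server's password file holds several hashed "sweetwords" per account, and a separate honeychecker stores only which index is real. The class and function names, the decoy passwords and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import hmac
import os
import random

# Constructed example of the honeyword scheme described in the article.

def hash_pw(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; the iteration count is an example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Honeychecker:
    """Runs on a separate hardened host. Knows only user -> index of the
    real password, never the passwords or hashes themselves."""
    def __init__(self):
        self._real_index = {}
        self.alerts = []          # (user, index) pairs that hit a decoy

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        """True if `index` is the real password; otherwise raise an alert."""
        if self._real_index.get(user) == index:
            return True
        self.alerts.append((user, index))   # database compromise suspected
        return False

class PasswordFile:
    """Web-server side: each user maps to a salt and a list of sweetword
    hashes. Cracking the file reveals the sweetwords, not which is real."""
    def __init__(self, checker: Honeychecker):
        self.users = {}
        self.checker = checker

    def enroll(self, user: str, real_password: str, decoys: list) -> None:
        assert real_password not in decoys, "decoys must differ from the real password"
        sweetwords = list(decoys) + [real_password]
        random.SystemRandom().shuffle(sweetwords)   # hide the real one's position
        salt = os.urandom(16)
        self.users[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(real_password))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail', or 'honeyword' (decoy matched, alert raised)."""
        if user not in self.users:
            return "fail"
        salt, hashes = self.users[user]
        candidate = hash_pw(password, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return "ok" if self.checker.check(user, i) else "honeyword"
        return "fail"
```

A 'honeyword' result is the signal the article describes: the only realistic way to present a decoy is to have read and cracked the password file.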
"This approach is not terribly deep, but it should be quite effective,
as it puts the adversary at risk of being detected with every attempted
login using a password obtained by" cracking, the researchers wrote.
"Thus, honeywords can provide a very useful layer of defense."
[...]