"Honeywords" plan to snare password thieves
Cryptographic researchers Ari Juels and Ronald Rivest (the "R" in RSA) have come up with an interesting idea aimed at helping to detect attacks on web application databases. It is based on storing fake passwords as bait and sounding the alarm when an attempt is subsequently made to use one of these fake passwords.
The idea involves storing what they have dubbed "honeywords" for each user in the password database alongside their actual password. An attacker who gained access to the database would be unable to distinguish the honeywords, which would also be stored in the form of salted hashes, from the real password.
If attackers were then able to crack the stolen hashes, they might well use them to try to log into the associated web application. If such an attempt were made using one of the honeywords, the web application would know that the access was unauthorised – since the account's legitimate owner has no access to the honeywords, any honeyword used must have been misappropriated. In this case, the application can either block the account or trigger a silent alarm and redirect the attacker to a honeypot system, where they can safely get up to whatever mischief they wish.
Of course, the idea only works as long as the server where the hashes are stored doesn't also store information on which of the hashes is the actual user password. The researchers therefore propose a separate, secure system that would be told, via an encrypted channel, which of the potential passwords was used during each login attempt. This "honeychecker" wouldn't store any information on either passwords or honeywords, but would merely record for each user the position within the database at which the legitimate password is stored.
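The split described above, with the web application holding only salted hashes and the honeychecker holding only an index, is easy to see in code. The following is an added example written for this page; it is not the researchers' reference code or any product's implementation. It assumes PBKDF2-HMAC-SHA256 with a deliberately low iteration count for a quick demo, a toy "re-roll the trailing digits" honeyword generator (the paper discusses generation strategies at length; this one is just an illustration), and an in-process `HoneyChecker` class standing in for the separate hardened system and its encrypted channel.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example. The iteration count is kept low so
# the demo runs quickly; a real deployment would use a far higher count.
PBKDF2_ITERATIONS = 1000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The real password and the honeywords are
    hashed identically, so a stolen table gives no hint which entry is genuine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def generate_honeywords(real: str, count: int) -> list:
    """Produce `count` decoys that resemble the real password.

    Illustrative strategy, an assumption of this example: re-roll the trailing
    digits (or append two digits if there are none). Decoys must differ from the
    real password and from each other, otherwise the real index is ambiguous.
    """
    stem = real.rstrip("0123456789")
    digits_needed = max(len(real) - len(stem), 2)
    decoys = set()
    while len(decoys) < count:
        candidate = stem + "".join(secrets.choice("0123456789") for _ in range(digits_needed))
        if candidate != real:
            decoys.add(candidate)
    return sorted(decoys)


class HoneyChecker:
    """Stands in for the separate hardened system: it holds neither passwords
    nor hashes, only the index of the genuine entry for each user."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []  # usernames for which a honeyword was presented

    def set_index(self, username: str, index: int) -> None:
        self._real_index[username] = index

    def check(self, username: str, index: int) -> bool:
        if self._real_index.get(username) == index:
            return True
        self.alarms.append(username)  # silent alarm: only a thief can know a honeyword
        return False


class LoginServer:
    """Web application side: stores k+1 salted hashes per user in shuffled order."""

    def __init__(self, checker: HoneyChecker, honeyword_count: int = 19):
        self.checker = checker
        self.honeyword_count = honeyword_count
        self._store = {}  # username -> list of (salt, hash), one per sweetword

    def register(self, username: str, password: str, honeywords: list = None) -> None:
        # `honeywords` may be supplied explicitly (the demo/test does this so the
        # decoys are known); otherwise they are generated.
        if honeywords is None:
            honeywords = generate_honeywords(password, self.honeyword_count)
        if password in honeywords:
            raise ValueError("a honeyword must not equal the real password")
        sweetwords = honeywords + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        entries = []
        for word in sweetwords:
            salt = secrets.token_bytes(SALT_BYTES)
            entries.append((salt, hash_password(word, salt)))
        self._store[username] = entries
        # Only the position travels to the honeychecker (over an encrypted
        # channel in the article's design); the words and hashes stay here.
        self.checker.set_index(username, sweetwords.index(password))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'fail' (no sweetword matched) or 'alarm' (honeyword hit)."""
        entries = self._store.get(username)
        if entries is None:
            return "fail"
        for index, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(hash_password(password, salt), digest):
                return "ok" if self.checker.check(username, index) else "alarm"
        return "fail"


if __name__ == "__main__":
    checker = HoneyChecker()
    server = LoginServer(checker, honeyword_count=5)
    server.register("alice", "trustno1")
    print(server.login("alice", "trustno1"))  # ok
    print(server.login("alice", "letmein"))   # fail
    print("alarms:", checker.alarms)
```

The point to notice is the division of knowledge: `LoginServer` can tell that a submitted password matches *some* stored hash but not which one is real, while `HoneyChecker` knows the real index but never sees a password or a hash. An attacker who cracks the server's table and tries a decoy gets `"alarm"`, and it is the checker, not the compromised server, that records it; what the application does next (block the account, divert to a honeypot) is a policy decision layered on top of that return value.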