BreachExchange mailing list archives

Amid a barrage of password breaches, "honeywords" to the rescue


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 7 May 2013 09:29:48 -0400

http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/

Security experts have proposed a simple way for websites to better
secure highly sensitive databases used to store user passwords: the
creation of false "honeyword" passcodes that when entered would
trigger alarms that account hijacking attacks are underway.

The suggestion builds on the already established practice of creating
dummy accounts known as honeypot accounts. It comes as dozens of
high-profile sites watched user data become jeopardized, including
LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and
eHarmony to name just a few from the past year. Because these dummy
accounts don't belong to legitimate users of the service and are
normally never accessed, they can be used to send a warning to site
administrators when attackers are able to log in to them. The new,
complementary honeyword measure, proposed in a research paper titled
"Honeywords: Making Password-Cracking Detectable," was devised by RSA
Labs researcher Ari Juels and MIT cryptography professor Ronald
Rivest, the latter of whom is the "R" in the RSA cryptography scheme.

The new measure calls for a file storing cryptographically hashed
passwords to contain multiple passwords for each account, only one of
which is valid. Attackers who manage to crack the hashes would have no
way of knowing if the corresponding plain-text password is real for a
particular user. Logging into an account using one of the decoy
passwords would immediately cause a "honeychecker" (located on a
separate, hardened computer system) to issue an alert to administrators
that the database has been compromised.

"This approach is not terribly deep, but it should be quite effective,
as it puts the adversary at risk of being detected with every
attempted login using a password obtained by" cracking, the
researchers wrote. "Thus, honeywords can provide a very useful layer
of defense."
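The split described above (hashed sweetwords in the site's password file, the index of the real one held only by a separate honeychecker) as an added Python sketch; this is not code from the article or the paper, and the decoy list, the PBKDF2 hash and the alert list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets


def hash_pw(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for whatever slow hash a site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Honeychecker:
    """Runs on the separate, hardened host: knows only which index is real."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}
        self.alerts: list[str] = []  # assumption: alerts collected in a list

    def set(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        # A cracked decoy was used: the password file has leaked.
        self.alerts.append(f"HONEYWORD HIT user={user} index={index}")
        return False


class PasswordStore:
    """The web server's credential file: per user, a salt and k hashed sweetwords."""

    def __init__(self, checker: Honeychecker) -> None:
        self.checker = checker
        self._rows: dict[str, tuple[bytes, list[bytes]]] = {}

    def enroll(self, user: str, password: str, decoys: list[str]) -> None:
        salt = os.urandom(16)
        sweetwords = list(decoys) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        self._rows[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Return 'ok', 'honeyword' (decoy matched, alert raised) or 'fail'."""
        if user not in self._rows:
            return "fail"
        salt, hashes = self._rows[user]
        h = hash_pw(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "honeyword"
        return "fail"
```

An attacker who cracks the file recovers all k sweetwords but not the index, so each guess with a decoy trips the honeychecker while a plain wrong password is still just a failed login.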
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
