What Are Honeywords? Password Protection for Database Breaches

Introduction

Despite all the recent advances in information security technology, the basic problem of an attacker breaking into a server or database has not been solved. Attackers with only modest skill can still compromise a system and cause mayhem. In response, two gifted researchers have proposed a method to help ameliorate this threat: honeywords.

This article will detail what honeywords are, the problem they solve, how to implement honeywords and how you can benefit from them. With careful implementation, honeywords can be used to stop the age-old hacking problem in its tracks.

The Problem

Without dwelling on the embarrassing fact that a decades-old information security issue is still an issue, using passwords for database or server authentication is not as secure as it could be. Passwords are compromised at an ever-increasing rate, and users bear the brunt of whatever consequences follow.

The numbers don’t lie about this issue. In 2012, the popular networking platform LinkedIn had over 6 million of its passwords breached, and in 2013 the note-taking app maker Evernote had 50 million of its passwords breached.

To this end, administrators worldwide have implemented measures in an attempt to mitigate the damage attackers can do to their organizations. Chief among these measures is the use of honeypot accounts: decoy accounts that exist only so that any login to one of them sends an alert to the administrator. The problem is that attackers can usually tell which accounts are honeypots from their usernames alone, and simply avoid them. If this is the best that the information security community can muster against attacks, clearly the best won’t do.

Proposed Solution

As a prevention and mitigation measure, MIT Professor Ronald L. Rivest and RSA Labs’ Ari Juels proposed the use of honeywords. When database passwords are stored, they (Read more...)
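The scheme Juels and Rivest describe stores several plausible-looking passwords ("sweetwords") for each account, only one of which is the user's real password; the decoys are the honeywords. A separate, hardened service called the honeychecker records only the index of the real one. An attacker who steals and cracks the password file cannot tell the real password from the decoys, so a login with a decoy is a reliable signal that the file has been breached, and the honeychecker raises an alarm. The Python below is an added illustration written for this article, not code from the original post or from the paper. The decoy generator (tweaking the last three characters of the real password), the PBKDF2 parameters, the sweetword count and the user and password values are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import random
import string

# Constructed demo parameters (assumptions): a real deployment would use a
# memory-hard hash such as scrypt or Argon2 and a much higher work factor.
PBKDF2_ITERATIONS = 10_000
SWEETWORDS_PER_USER = 5


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash; every sweetword of a user shares the user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def generate_honeywords(real: str, count: int, rng: random.Random) -> list:
    """Build `count` decoys that look like `real` by tweaking its last three
    characters (a simplified, assumed decoy strategy for this demo)."""
    alphabet = string.ascii_lowercase + string.digits
    tail_len = min(3, len(real))
    decoys = set()
    while len(decoys) < count:
        tail = "".join(rng.choice(alphabet) for _ in range(tail_len))
        candidate = real[:-tail_len] + tail
        if candidate != real:          # a decoy must never equal the real password
            decoys.add(candidate)
    return sorted(decoys)


class HoneyChecker:
    """Separate, minimal service: knows only which index is real per user."""

    def __init__(self):
        self._real_index = {}
        self.alerts = []                # users whose decoys were presented

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        ok = self._real_index.get(user) == index
        if not ok:
            self.alerts.append(user)    # honeyword used: the password file leaked
        return ok


class PasswordStore:
    """The main authentication database: holds hashes of all sweetwords."""

    def __init__(self, checker: HoneyChecker, rng: random.Random):
        self.checker = checker
        self.rng = rng
        self.records = {}               # user -> (salt, [hash of each sweetword])

    def register(self, user: str, password: str) -> list:
        sweet = generate_honeywords(password, SWEETWORDS_PER_USER - 1, self.rng)
        sweet.append(password)
        self.rng.shuffle(sweet)         # real password sits at a random position
        salt = os.urandom(16)
        self.records[user] = (salt, [_hash(w, salt) for w in sweet])
        self.checker.set_index(user, sweet.index(password))
        return sweet                    # returned only so the demo can pick a decoy

    def login(self, user: str, candidate: str) -> str:
        if user not in self.records:
            return "unknown-user"
        salt, hashes = self.records[user]
        h = _hash(candidate, salt)
        matches = [i for i, stored in enumerate(hashes) if hmac.compare_digest(h, stored)]
        if not matches:
            return "wrong-password"     # ordinary typo or online guess
        if self.checker.check(user, matches[0]):
            return "ok"
        # In production the client would see a normal failure; the alarm goes
        # to the defenders, not to whoever typed the honeyword.
        return "honeyword-alarm"


def demo() -> dict:
    """Register one user, then try the real password, a decoy and garbage."""
    rng = random.Random(7)              # seeded so the demo is repeatable
    checker = HoneyChecker()
    store = PasswordStore(checker, rng)
    sweet = store.register("alice", "rivest2013")    # constructed sample user
    decoy = next(w for w in sweet if w != "rivest2013")
    return {
        "real": store.login("alice", "rivest2013"),
        "decoy": store.login("alice", decoy),
        "garbage": store.login("alice", "letmein"),
        "alerts": list(checker.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is the split: the main database alone cannot reveal which sweetword is real, so stealing it gives an attacker a one-in-five chance per account of picking the real password and a four-in-five chance of tripping the alarm. The honeychecker needs almost no state and no network exposure beyond a single check call, which is why it can be hardened far more tightly than the application server.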

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/9mP965z-4_o/