The Honeywords Solution
by Stefanie Hoffman | May 28, 2013 | Category: Industry Trends & News
It’s rare that a week goes by without headlines of data breaches or malware attacks – or the introduction of a solution to stop them in their tracks.
The latter is increasingly important, thanks to a rash of exploits on LivingSocial, eHarmony, Sony and Evernote – all part of a long, growing list of high-profile targets.
The latest, greatest remedy is what researchers at MIT and RSA have dubbed “honeywords” – a new way to deter hackers from leveraging databases of swiped passwords for financial gain.
According to SF Gate, honeywords are fake passwords planted among an organization’s repository of real passwords. They are basically ignored, as they don’t affect users. Axelle Aprille, Fortinet senior antivirus analyst, explains that the idea is to have a list of “sweetwords” for each user login. One is the real password, or “sugarword,” while the rest are saved as honeywords. This makes hacking a much more complicated endeavor. For example, a compilation of 10 passwords incorporates one real password and nine bogus ones. If attackers steal the file of log-ins and break the encryption, there’s no way for them to know which of the passwords is the right one. If they attempt to log in with one of the nine fake ones, they trigger an alarm to security personnel that a compromise may have occurred.
Thus far, the solution has been lauded. Security expert Bruce Schneier says implementation would be a fairly streamlined process if the concept were ever adopted. However, there are still issues. Aprille says the success of honeywords is contingent on securing the function that indicates whether a sweetword is also a sugarword. She notes it’s imperative to secure the function that generates honeywords, largely because, “it’s the solution that would make it more difficult for the attacker to tell the difference between a honeyword and a sugarword.”
The antidote would likely be a “honeychecker” system that contains all passwords – phony and legitimate – and would be able to notify the log-in mechanism only if someone used a fake password. Conversely, the mechanism would take no action if a real password was used, deterring hackers from faking server communications.
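As an added illustration, not code from the article or from the MIT/RSA researchers, here is a minimal Python model of the sweetword/honeychecker split. It assumes the login server keeps the ten salted hashes per user while a separate honeychecker holds only the index of the sugarword and raises an alarm when a honeyword is presented; the decoy honeywords are supplied by the caller, since generating convincing ones is the hard part the text points to.

```python
import hashlib
import os
import secrets


class HoneyChecker:
    """Separate, hardened service. Stores only which sweetword index is real
    (assumed design: it never sees the passwords or their hashes)."""

    def __init__(self):
        self._index = {}   # user -> index of the sugarword
        self.alarms = []   # users for whom a honeyword was presented

    def set_index(self, user, index):
        self._index[user] = index

    def check(self, user, index):
        # True only for the sugarword; any other matching index is a honeyword.
        if self._index.get(user) == index:
            return True
        self.alarms.append(user)  # notify security personnel in a real deployment
        return False


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginServer:
    def __init__(self, checker, honeyword_count=9):
        self.checker = checker
        self.honeyword_count = honeyword_count
        self.db = {}  # user -> (salt, list of sweetword hashes)

    def register(self, user, password, honeywords):
        assert len(honeywords) == self.honeyword_count and password not in honeywords
        sweetwords = honeywords + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # position must not reveal the sugarword
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user, password):
        """Returns 'ok', 'fail' (no sweetword matched) or 'alarm' (honeyword used)."""
        if user not in self.db:
            return "fail"
        salt, hashes = self.db[user]
        candidate = _hash(password, salt)
        for i, stored in enumerate(hashes):
            if secrets.compare_digest(candidate, stored):
                return "ok" if self.checker.check(user, i) else "alarm"
        return "fail"
```

Note that a plain wrong password returns "fail" without an alarm; only a match against a decoy trips the honeychecker, which is what distinguishes a stolen, cracked database from ordinary typos.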
The system isn’t without its drawbacks. Even with honeywords, there’s a chance hackers could get the password list and cause disruption to the system even if they don’t know the sugarword. They could flood the system with incorrect passwords, tripping the alarm and causing the system to choke.
Critics of the system have expressed concern over generating honeywords realistic enough to blend in with legitimate passwords once hashed. If hackers infiltrate the database containing both sets of passwords, they could easily pick out the real ones wherever the honeywords differ in style from the actual passwords. What’s more, most users have personally identifying information attached to password logins and rely on the same credentials for multiple accounts. Hackers could glean personal info from one account to use as verification to access more valuable information, such as credit card numbers, from another account.
Finally, honeyword users would have to accept that any password database on their network would grow ten-fold if they consistently applied honeyword technology to every account.
In general, security experts agree the concept presents a viable market alternative, especially when looking for a security defense aimed at supplanting cumbersome two-factor authentication mechanisms.
No solution is without flaws. Issues and vulnerabilities will emerge when a corresponding “honeyword” solution is developed and sold. But experts contend that the premise remains strong, which bodes well when attempting to disrupt hackers.
by Stefanie Hoffman | May 28, 2013 | Category: Industry Trends & News