Page 95 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Passwords and Honeywords
How to detect data breaches with honeywords.
by Pedro Tavares, Founder of CSIRT.UBI & Cyber Security Blog seguranca-informatica.pt
Data breaches and information leakage have been making headlines in recent times. Cyber attackers take advantage of weak protection measures on systems and obtain large amounts of information, which is then leaked onto the Internet and frequently also sold in dark web forums. Personal information such as emails, usernames, passwords, password representations (hash keys), home addresses, phone numbers and credit card numbers is typical of what criminals obtain when a data breach occurs.
When a system's authentication process is well designed, the database does not store the password itself but a representation of it: a hash key generated when the user first registers in the system.
Cracking a password representation, that is, a hash key (MD5, SHA1, SHA2, etc.), is seen these days as a basic procedure from the attacker's point of view. The approach is well known: guessing the password behind the cryptographic hash using documented techniques from the password-cracking landscape, for instance rainbow tables and brute-force attempts.
Because of this, passwords are seen as a poor authentication method, since cyber attackers can obtain the user's secret relatively easily. To address this problem, a mechanism for detecting fraudulent authentication attempts was proposed and developed by Ari Juels of RSA Labs and MIT Professor Ronald L. Rivest: "We propose a simple method for improving the security of hashed passwords: the maintenance of additional 'honeywords' (false passwords) associated with each user's account".
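To make the proposal concrete, the following Python example, added here and not taken from the article or from the Juels and Rivest paper, sketches how a honeyword scheme turns a stolen and cracked hash file into a detection signal. The credential database stores, per user, a salt and the hashes of several "sweetwords" (the real password plus decoys) in shuffled order; a separate component, called the honeychecker in the Juels and Rivest paper, records only which slot is real. A login that matches a decoy can only come from someone who obtained and cracked the stored hashes, so it raises an alarm instead of silently rejecting. All class and function names, the user and the decoy passwords are constructed for this example; the hand-written decoys stand in for a real honeyword generator, which is a separate design problem.

```python
import hashlib
import hmac
import os
import secrets

# Lowered for the demo; a production deployment tunes this much higher.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest: the 'password representation' the article describes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class HoneyChecker:
    """Separate, hardened service (hypothetical) that knows only which sweetword slot is real.

    It never sees passwords or hashes, so stealing the main database alone does not
    reveal which entry the legitimate user will present."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}

    def set_real_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


class PasswordStore:
    """Main credential database: per user, a salt and the sweetword hashes in shuffled order."""

    def __init__(self, checker: HoneyChecker) -> None:
        self.checker = checker
        self._records: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str, honeywords: list[str]) -> None:
        if password in honeywords:
            raise ValueError("a honeyword must not equal the real password")
        sweetwords = [password] + list(honeywords)
        # Fisher-Yates shuffle with a CSPRNG so the real slot is not predictable from the record.
        order = list(range(len(sweetwords)))
        for i in range(len(order) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            order[i], order[j] = order[j], order[i]
        salt = os.urandom(16)
        hashes = [hash_password(sweetwords[k], salt) for k in order]
        self._records[user] = (salt, hashes)
        # Only the honeychecker learns which slot holds the real password (sweetword 0).
        self.checker.set_real_index(user, order.index(0))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'reject' or 'alarm'.

        'alarm' means a decoy was presented: strong evidence that the hash file
        was stolen and cracked offline, which should trigger incident response."""
        if user not in self._records:
            return "reject"
        salt, hashes = self._records[user]
        candidate = hash_password(password, salt)
        # Compare against every slot with a constant-time comparison.
        matched = [i for i, h in enumerate(hashes) if hmac.compare_digest(candidate, h)]
        if not matched:
            return "reject"
        return "ok" if self.checker.is_real(user, matched[0]) else "alarm"


def demo() -> dict[str, str]:
    """Constructed scenario: one user, one real password, four look-alike decoys."""
    checker = HoneyChecker()
    store = PasswordStore(checker)
    store.register("alice", "Summer2018!", ["Summer2017!", "Summer2019!", "Winter2018!", "summer2018!"])
    return {
        "real": store.login("alice", "Summer2018!"),
        "honeyword": store.login("alice", "Winter2018!"),  # cracked decoy -> breach signal
        "wrong": store.login("alice", "hunter2"),
        "unknown_user": store.login("bob", "Summer2018!"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

The detection value depends on two things the code makes explicit: the decoys must be indistinguishable from the real password to someone holding only the hashes, and the real-slot index must live on a system that is compromised independently of the credential database. An "alarm" outcome is the point of the scheme; wiring it to an alert and a forced credential reset is the operational step the article's question, how to detect data breaches, asks for.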