Page 96 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

Honeywords

            Honeywords are closely related to honeypots: both deceive attackers into believing that they are
            interacting with the real thing. A honeyword is a decoy password stored next to the user's real
            password. As the authors of the scheme describe it, this improves the security of hashed passwords
            because an adversary who steals a file of hashed passwords and inverts the hash function cannot tell
            whether he has found the real password or a honeyword.

            Consequently, a password recovered by a cracking process may be either the real password or a decoy.
            Whenever a decoy is submitted at login, a notification is sent to the IT administrator, because only
            someone who has cracked the stolen file could know it. The decision is delegated to a secondary server,
            the honeychecker, which records which of each user's stored entries is the genuine one and answers
            whether a submitted entry is true or false. This server acts as an oracle and is isolated from the main
            system, which adds resilience to the infrastructure: an attacker who compromises only the password
            file cannot tell which entry is genuine.



            How This Mechanism Works

            The user John Doe registers in the system with the password “cyberdefensemagazine2018”. At that
            moment, other password variants (honeywords) are also generated, and the following information is
            created and stored.





               ID  |  Password representation (SHA1)            |  Plaintext
                1  |  233436af8122058f3b04599f12dcd1f1f7096b56  |  cyberdefensemagazine2018 (real password)
                2  |  9017347a610d1436c1aaf52764e6578e8fc1a083  |  cyber (honeyword)
                3  |  66efd9eefecf45dd64eff8e5cb2d13e005041925  |  2018 (honeyword)



            The user's real password corresponds to the SHA1 hash 233436af8122058f3b04599f12dcd1f1f7096b56 (the
            plaintexts in the table are shown only for illustration; the system stores nothing but the hashes).
            When the attacker brute-forces the stored representations, the hashes with IDs 2 and 3 are reversed
            quickly, since they were generated from weak passwords.

            Weaker passwords are broken faster than strong ones because they are shorter and less complex. In the
            group of honeywords in Figure 1, the honeywords 2018 and cyber are cracked long before the original
            password chosen by the user (cyberdefensemagazine2018), so an attacker who tries cracked entries in the
            order he recovers them submits a honeyword first and trips the alarm. Note, however, that the original
            honeyword proposal recommends decoys that are indistinguishable from the real password (for example,
            variants that differ only in the trailing digits); honeywords that are obviously weaker than the real
            password can be recognised and skipped by a careful attacker.
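            The registration, storage and login flow described above, as an added example that is not part of the
            original article or of any honeyword implementation it cites. It keeps the login server (hash list per
            user, shuffled) and the honeychecker (index of the genuine entry only) as two separate objects, replays
            the John Doe example with the page's honeywords, and adds a tweak_digits() generator in the spirit of
            the original proposal's "chaffing by tweaking digits", which is an assumption of this example rather
            than the generator used on the page. Unsalted SHA-1 is used only to match the page's table; the
            class names, the return strings "accept"/"alarm"/"reject" and the demo() function are all hypothetical.

```python
import hashlib
import secrets
import string


def sha1_hex(password: str) -> str:
    """Hash a password the way the page's table does (unsalted SHA-1).

    Assumption for this example only: a real deployment would use a slow,
    salted hash such as Argon2 or bcrypt; the honeyword logic is unchanged.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def tweak_digits(password: str, count: int) -> list:
    """Generate `count` honeywords by re-rolling the trailing digits.

    Assumed generator (chaffing-by-tweaking-digits), not the page's own: the
    decoys are as hard to crack as the real password, unlike "cyber"/"2018".
    """
    stripped = password.rstrip(string.digits)
    digits = len(password) - len(stripped)
    if digits == 0:
        stripped, digits = password, 4  # no trailing digits: append four
    if count >= 10 ** digits:
        raise ValueError("not enough digit variants for that many honeywords")
    rng = secrets.SystemRandom()
    result = set()
    while len(result) < count:
        suffix = "".join(rng.choice(string.digits) for _ in range(digits))
        candidate = stripped + suffix
        if candidate != password:
            result.add(candidate)
    return sorted(result)


class HoneyChecker:
    """The isolated oracle: it never sees passwords or hashes, only the
    position of the genuine entry in each user's sweetword list."""

    def __init__(self):
        self._true_index = {}  # user_id -> index of the real password
        self.alarms = []       # (user_id, index) for every honeyword login

    def set_index(self, user_id: str, index: int) -> None:
        self._true_index[user_id] = index

    def check(self, user_id: str, index: int) -> bool:
        if self._true_index.get(user_id) == index:
            return True
        # A stored hash matched but it was a decoy: the password file was
        # stolen and cracked, so record the event for the administrator.
        self.alarms.append((user_id, index))
        return False


class PasswordStore:
    """The login server's side: k hashes per user, stored in random order."""

    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self._sweetwords = {}  # user_id -> list of hex digests

    def register(self, user_id: str, password: str, honeywords: list) -> None:
        sweet = [password] + list(honeywords)
        secrets.SystemRandom().shuffle(sweet)  # position must leak nothing
        self._sweetwords[user_id] = [sha1_hex(p) for p in sweet]
        self.checker.set_index(user_id, sweet.index(password))

    def login(self, user_id: str, password: str) -> str:
        hashes = self._sweetwords.get(user_id)
        if hashes is None:
            return "reject"
        digest = sha1_hex(password)
        if digest not in hashes:
            return "reject"  # ordinary wrong password, no alarm
        if self.checker.check(user_id, hashes.index(digest)):
            return "accept"
        return "alarm"  # honeyword submitted: notify the administrator


def demo() -> dict:
    """Replay the John Doe example from the page (constructed input)."""
    checker = HoneyChecker()
    store = PasswordStore(checker)
    store.register("johndoe", "cyberdefensemagazine2018", ["cyber", "2018"])
    return {
        "real": store.login("johndoe", "cyberdefensemagazine2018"),
        "honeyword": store.login("johndoe", "2018"),  # cracked first: weak
        "wrong": store.login("johndoe", "letmein"),
        "unknown_user": store.login("nobody", "cyber"),
        "alarms": len(checker.alarms),
    }


if __name__ == "__main__":
    print(demo())
    print(tweak_digits("cyberdefensemagazine2018", 3))
```

            Only a hash that is present in the user's list but is not the genuine entry raises an alarm; a plain
            typo never reaches the honeychecker. Keeping the checker on a separate host with a minimal interface
            (set index, check index) is what makes the scheme resilient: the stolen password file alone does not
            reveal which entry is real.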
