[Tech Sharing] A method for securing users’ password in web systems: Honeywords
Most web systems nowadays offer user account services backed by databases of user logins and passwords. To protect them, there are already plenty of methods for storing passwords safely, such as hashing to make them irreversible, and symmetric and asymmetric encryption such as AES and RSA. By using these methods, most websites are already fairly secure against typical attacks.
However, as computing power grows and more and more password databases are leaked and cracked, hackers can crack passwords faster and smarter. For example, a hacker could try to brute force a hashed password using this list:
[123456, 12345, 123456789, password, iloveyou, princess, 1234567, rockyou, 12345678, abc123]
These are the top 10 passwords that users most commonly choose. What’s more, there is in fact a list of 10 million passwords sorted by how often they occur. By brute forcing with such a list, the success rate of cracking passwords surges.
To counter this, Prof. Ari at Cornell Tech and Prof. Ronald at MIT proposed a method called “Honeywords” that radically reduces the chance of hackers brute forcing the true passwords and lets servers detect bad login attempts.
Scenario: Hackers have breached the database and obtained all users’ logins and hashed passwords.
Solution: Generate a list of Honeywords (decoy passwords) for each real password.
Mechanism:
- Suppose there are 10 Honeywords for each password. Instead of facing one hashed password, hackers have to brute force 11 potential passwords and then try to log in with each of them to find out which one is the true password.
- Whenever a hacker logs in with a Honeyword, the system knows that this is a malicious attempt using a cracked password. The server can then automatically block the IP address or even freeze the account to protect it.
Key steps:
- Generate n Honeywords when a new user signs up.
- Use multiple strategies to generate the Honeywords so that they are hard to distinguish from the real password and hard to brute force from the hashed values.
- Run the Honeyword checker on a separate server to keep the Honeyword list safe.
- Automatically detect bad login attempts and freeze the affected accounts/IP addresses.
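As an added illustration (not code from the post or the paper), here is a minimal Python sketch of these steps: decoys generated by tweaking the tail of the password, a login server that stores only the salted hashes of the shuffled sweetwords, and a separate honeychecker that knows nothing but the index of the real password. The tail-tweaking rule, the class names and the use of SHA-256 are assumptions for the demo.

```python
import hashlib, hmac, math, os, secrets, string

def hash_pw(pw, salt):
    # Demo hash only: a real deployment would use a slow KDF (Argon2, bcrypt, scrypt).
    return hashlib.sha256(salt + pw.encode()).digest()

def _pool(c):
    # Same character class as c, so a tweaked decoy keeps the password's "shape".
    if c.isdigit(): return string.digits
    if c.islower(): return string.ascii_lowercase
    if c.isupper(): return string.ascii_uppercase
    return string.punctuation

def generate_honeywords(password, n=10, k=3):
    """Chaffing by tweaking the last k characters (one of the paper's strategies)."""
    tail = password[-k:]
    capacity = math.prod(len(_pool(c)) for c in tail)
    if capacity - 1 < n: raise ValueError("tail too small for %d honeywords" % n)
    decoys = set()
    while len(decoys) < n:
        hw = password[:-k] + "".join(secrets.choice(_pool(c)) for c in tail)
        if hw != password:
            decoys.add(hw)
    return sorted(decoys)

class HoneyChecker:
    """Separate minimal service: knows only which index is the real password."""
    def __init__(self): self._index = {}
    def set(self, user, idx): self._index[user] = idx
    def check(self, user, idx): return self._index.get(user) == idx

class LoginServer:
    def __init__(self, checker):
        self.checker, self.users, self.alarms = checker, {}, []
    def register(self, user, password, honeywords=None):
        sweet = (honeywords or generate_honeywords(password)) + [password]
        secrets.SystemRandom().shuffle(sweet)  # true password sits at a random index
        salt = os.urandom(16)
        self.users[user] = (salt, [hash_pw(w, salt) for w in sweet])
        self.checker.set(user, sweet.index(password))  # index never stays here
    def login(self, user, attempt):
        salt, hashes = self.users[user]
        h = hash_pw(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                if self.checker.check(user, idx): return "ok"
                self.alarms.append(user)  # decoy matched: the password file has leaked
                return "honeyword"
        return "fail"
```

An attacker holding only the login server's table sees 11 equally plausible hashes per user, and any guess that lands on a decoy raises an alarm on the first login attempt.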
Link to the paper: https://people.csail.mit.edu/rivest/pubs/JR13.pdf