Polluting Password Files Can Make Attacks Detectable: Researchers
By adding a large number of fake entries, or "honeywords," to the password database, researchers believe they can better detect attacks.

When online attackers infiltrate a company's network, their first target is frequently the password file. By stealing the password file and using brute-force cracking techniques to find weak or common passwords, the attackers can build up a collection of legitimate credentials that makes extending their compromise of the corporate network easier. Yet such attempts could be detected by placing fake hashes—or "honeywords"—in the password file, two researchers stated in a paper released in early May. Because attackers would not know which hashes are the real ones, they run the risk of being detected when they attempt to use any passwords recovered from the polluted password file, wrote the researchers: well-known Massachusetts Institute of Technology cryptographer Ron Rivest—the 'R' in RSA—and Ari Juels, a computer scientist at RSA Labs.

"An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword," the authors wrote in the paper posted online. "The attempted use of a honeyword for log-in sets off an alarm."

Security researchers have warned about the danger of weak passwords following past breaches. In the past year, LinkedIn lost 6.5 million hashed user passwords, Yahoo warned that another 400,000 were stolen from its servers, and LivingSocial reset 70 million passwords that may have been accessed by hackers. While companies regularly hash passwords, often loosely described as encrypting them, so that they cannot be read directly if stolen, brute-force guessing attacks can still recover poorly chosen ones.
Some administrators set up fake accounts with easy passwords to detect whether an attacker has successfully cracked passwords from a stolen file. Yet the researchers warn that such a technique may be detected by the attackers if they can determine which accounts are legitimate and which are fake.
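The following is an added illustration of the honeyword check described above, not code from the researchers' paper. It stores several hashes per real account (so there is no fake account for an attacker to single out), and keeps the index of the genuine password in a separate, minimal store; the user names, passwords and decoys are constructed sample data, and the per-user index store is a simplification of the separate component the scheme relies on.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample users: the genuine password plus decoy "honeywords".
# A real deployment would generate decoys that resemble the genuine password.
USERS = {
    "alice": ("correcthorse", ["correctmouse", "c0rrecthorse", "correcthouse"]),
    "bob":   ("Winter2013!", ["Summer2013!", "Winter2012!", "winter2013!"]),
}

def _hash(pw: str, salt: bytes) -> bytes:
    # Slow salted KDF; the honeyword idea is independent of which hash is used.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def build_password_file(users):
    """Return (password_file, index_store).
    password_file: per user, a salt and a shuffled list of sweetword hashes;
    this is what an attacker who steals the file and cracks it would recover.
    index_store: per user, only the position of the genuine password. It holds
    no hashes, so stealing the password file alone does not reveal which
    sweetword is real."""
    password_file, index_store = {}, {}
    for user, (real, honeywords) in users.items():
        sweetwords = honeywords + [real]
        secrets.SystemRandom().shuffle(sweetwords)
        salt = os.urandom(16)
        password_file[user] = (salt, [_hash(w, salt) for w in sweetwords])
        index_store[user] = sweetwords.index(real)
    return password_file, index_store

def login(password_file, index_store, user, attempt):
    """Return 'ok', 'fail', or 'ALARM' when a decoy password was presented,
    which indicates the password file was stolen and cracked."""
    if user not in password_file:
        return "fail"
    salt, hashes = password_file[user]
    h = _hash(attempt, salt)
    for idx, stored in enumerate(hashes):
        if hmac.compare_digest(h, stored):
            return "ok" if idx == index_store[user] else "ALARM"
    return "fail"
```

An ordinary wrong guess still returns "fail"; only a decoy that was actually in the file raises the alarm, which is what distinguishes a cracked-file attack from a mistyped password.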