Honeywords — Honeypot Passwords

← Back to Stories (view on slashdot.org)

Honeywords — Honeypot Passwords

Posted by Soulskill on Wednesday May 8, 2013 @08:15AM from the oh-bother dept.

CowboyRobot writes "Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. That's the thinking behind the 'honeywords' concept first proposed this month in 'Honeywords: Making Password-Cracking Detectable (PDF),' a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest (the 'R' in 'RSA'). Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised."

27 of 110 comments (clear)

Min score:

Reason:

Sort:

This... is a very good idea. by Nadaka · 2013-05-08 08:20 · Score: 3, Insightful

It really is.
1. Re:This... is a very good idea. by marcosdumay · 2013-05-08 08:31 · Score: 4, Interesting
  
  It's an interesting and intriguing idea, yeah. But I still didn't settle on "good".
  How is an attacker supposed to get such passwords? He certainly can't phish them or get them in transit or while in memory. We are protecting against the password database leaking, but then, it's a set of salted hashes, so it's useless for the attacker... Unless it's something so easy to crack that you can be sure that it'll get cracked, but then, you are probably receiving several login attempts with those passwords already.
  
  --
  Rethinking email
2. Re:This... is a very good idea. by djmurdoch · 2013-05-08 08:42 · Score: 5, Insightful
  
  It's exactly intended to detect theft of your password database. If you salt in a known way, then it's inconvenient for the attacker, but it's still possible to brute force it. And if there's a bug in whatever hashing scheme you used, it might be easy.
  Wouldn't you like to know when someone has done that?
3. Re:This... is a very good idea. by hairyfeet · 2013-05-08 09:02 · Score: 2
  
  Nice to see I'm not the only one scratching my head trying to figure out WHY you would want to do this instead of...you know,actually doing it smart by using salted hashes? I mean correct me if I'm wrong but I thought the whole point was to make it so even if they got it they couldn't use it because it would take too long to decrypt, so how exactly would these "honeywords" work, unless you suspect somebody on the inside is stealing from you in which case i think you have bigger problems.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
4. Re:This... is a very good idea. by Nemyst · 2013-05-08 09:05 · Score: 2
  
  It is a good idea. It takes very little effort, it's compatible with every possible backend, and it's an additional warning for when things go awry. Remember, you never plan for things to go wrong.
5. Re:This... is a very good idea. by eddy · 2013-05-08 09:12 · Score: 3, Insightful
  
  You'd do it because salted passwords are falling to increasing GPU power. It's a brand new world.
  
  --
  Belief is the currency of delusion.
6. Re:This... is a very good idea. by Cormacus · 2013-05-08 09:39 · Score: 4, Insightful
  
  I think the point is that this method doesn't actually prevent any of the breaches that best practices (salting, using a strong hash alg, etc) protect against; rather it provides early warning that your best practices failed. If any one of your honeypot passwords get used, immediately shut everything down ala Madagascar then find and fix the hole the hackers used.
  
  --
  Mon chien, il n'a pas du nez. Comment scent-il? TrÃs mauvais!
7. Re:This... is a very good idea. by LordLimecat · 2013-05-08 09:45 · Score: 4, Informative
  
  Salts and hashing algorithms arent supposed to be secret. The only requirement for the salt is that it be unique, and the only requirement for the hashing algo is that it be secure.
8. Re:This... is a very good idea. by GLMDesigns · 2013-05-08 10:11 · Score: 2
  
  I think this is an excellent idea. I've been using versions of this for years and it's come in useful.
  
  This is an early warning system in case things go wrong. And things do go wrong even when competent and paying attention to best practices.
  
  --
  If you're scared of your govt then you need to further restrict its powers
  Vote 3rd Party in 2016 and beyond
9. Re:This... is a very good idea. by ShanghaiBill · 2013-05-08 10:34 · Score: 2
  
  I mean correct me if I'm wrong but
  You are wrong. Good security is characterized by defense in depth. Adding another layer of defense is usually better than just trying to strengthen an existing layer. Of course you should use salted passwords. That is good practice, but there are a number of ways that it could fail.
  
  unless you suspect somebody on the inside is stealing from you in which case i think you have bigger problems.
  Really? What is a "bigger problem" than the cost of the lawsuits, lost customers, and PR disaster that would result from an insider stealing your customers' sensitive data?
10. Re:This... is a very good idea. by rickb928 · 2013-05-08 11:10 · Score: 5, Interesting
  
  I've done this for more than a decade. I first heard about this in database development, seeding the subscription table, for instance, with fake subscribers to both test that delivery was made ( I and my address was one of the fakes) and to catch thieves using the list. Virtually every mailing list I've handled has had trap users in it. Every mail server I've built has had traps in it both to verify spam and catch the thieves.
  This is virtually BAU for me and my fellow admins on servers that we maintain. Trap users and such are very handy. I usually have a few users with no shell or anything on the server(s) just to catch this, and log analyzers that watch and report.
  And I expect we'll get pwned again some day. It used to be script kiddies pretending to be ninjas haxrs, but nowadays it's mostly random attackers that hate me, or generic botnet and compromisers by the tens of thousands. Sometimes I would rather not run a mail server.
  Fortunately, the last few times we've had trouble, I was able to trace back close to the offenders. The university network guys were marginally interested, but the ISP in the southeastern US took action. I don't expect them to do that again, so I just watch and wait.
  But trap users, seeding honeywords, very good ideas.
  
  --
  deleting the extra space after periods so i can stay relevant, yeah.
11. Re:This... is a very good idea. by djmurdoch · 2013-05-08 13:20 · Score: 2
  
  Yes, but even if you don't screw up the hashing, brute force attacks are possible. This approach discourages those, because an attacker won't know which of the broken passwords is safe to use without being immediately detected.
Re:How does this work? by zindorsky · 2013-05-08 08:29 · Score: 5, Informative

When you use one of the fake ID and passwords to try to log in. That will set off an alarm in the system that someone has stolen the database. Think about it - it's really quite clever.

--
If the geiger counter does not click, the coffee, she is not thick.
Re:How does this work? by Anonymous Coward · 2013-05-08 08:31 · Score: 2, Interesting

There are a couple of ways:
1) You attempt to log in to a service using the honeyword. This trips routines in the code that recognize the account as a honeypot account and not something real, which throws alerts. This seems to be the method being suggested in the paper, though I've only glanced at it so far.
2) A better way that I don't see mentioned: using an IDS. Set up custom rules at host and network layers to look for the occurrence of a given set of 'honeyword' strings and their encrypted variants. Chances are when an IDS throws a flag on this rule, its because your auth database is being exfiltrated over a plaintext protocol (which will often be the case with SQL injection type attacks). If you're unrolling SSL or using something like mod_security to do the scanning, you can catch even the exfiltrations that are using HTTPS.
Re:How does this work? by ZombieBraintrust · 2013-05-08 08:32 · Score: 2

An adversary who steals a file of hashed pass-words and inverts the hash function cannot tell if he has found the password or a honeyword.
Nevermind it was in the second link. Basically the attacker gets a 1 in 3 chance on each login of tripping alarm when logging in. Stronger passwords would stand out from the honeywords though if the honeywords are weak passwords. If honeywords are strong passwords then weak passwords would stand out.
A problem with this is... by xxxJonBoyxxx · 2013-05-08 08:32 · Score: 2

When you "seed your authentication databases with fake passwords", you've really just added a bunch of accounts with the same username/password across multiple systems. A smarter (less invasive) approach might be to compare actual hack attempts against existing or recent lists of known usernames; if they're close, that's a tip-off that someone knows more about your authentication store than he or she should.
1. Re:A problem with this is... by Anonymous Coward · 2013-05-08 08:41 · Score: 2, Interesting
  
  When you "seed your authentication databases with fake passwords", you've really just added a bunch of accounts with the same username/password across multiple systems.
  Not necessarily. The username/password combinations don't have to be the same, and they can be trapped higher up the chain in the code that processes authentication requests so that they can't actually be used to gain access to systems. Better yet, they can be used to redirect attackers to higher interaction honeypots where their nefarious deeds can be monitored. Imagine your SSH daemon integrated with honeywords for the root account and other common ones, that redirect attackers to a heavily sandboxed kippo session. Now you're able to get a lot more intelligence about the attacker's methods.
  A side benefit: these act to dissuade attackers in the same way as "sting operations" act to dissuade Johns and car thieves... attackers have to think twice when they run across what seem to be juicy targets. Combined with sophisticated deception techniques, you could end up feeding your competitor industrial espionage "secrets" that only served to delay and misdirect, "punishing" them for trying to steal your secrets.
2. Re:A problem with this is... by rsborg · 2013-05-08 09:21 · Score: 2
  
  To do that, you need to set a "fake" flag on the credentials, and bad guys can use that to filter out the fake creds from the store.
  Clearly the "fake cred" would never be a flag in the users table (or even in the same database/system). For example, it could be a process that scans your logfiles and alerts based on username.
  If someone has pwnd your system and can rewrite logs you have a *much* bigger problem than stolen passwords.
  
  --
  Make sure everyone's vote counts: Verified Voting
3. Re:A problem with this is... by rsborg · 2013-05-08 10:20 · Score: 2
  
  >> Clearly the "fake cred" would never be a flag in the users table (or even in the same database/system). For example, it could be a process that scans your logfiles and alerts based on username.
  That's my point. If you're already doing this, you don't need to inject fake credentials into your databases to detect unusually accurate snooping.
  We're not on the same page.
  How would you know if a login using a valid credential set is legitmate or from a stolen password? Answer: you don't. However, if you have fake users in your system that *no one* would ever login with, then you can know your system credentials have been compromised.
  And this is to detect if your password db has been stolen, not "snooping". Using this method to uncover snooping would never find your fake credentials unless you constantly test those fakes.
  
  --
  Make sure everyone's vote counts: Verified Voting
Re:Ron Rivest stole my idea! by Em+Adespoton · 2013-05-08 08:35 · Score: 2

I'm actually a bit annoyed right now: I've been working on this concept for about a month now. I guess I should be honored by the "great minds think alike" thing, but damnit, I wanted to finally get my name out there.
It's a good start and part of the technique I've been working with... great way to catch exfiltrations in progress, but we could go a bit further. Patches to critical services like SSH could be developed that would accept lists of common bruteforced passwords and automatically block and alert, or even pass the connecting client over to a honeypot.
I've been doing this for years via fail2ban; just doing blacklisting, not honeynet redirecting, but still...
One thing I used to have set up was a redirect to a secondary firewall table for hosts entering the wrong passwords; the secondary firewall table had redirects to a dummy server that was configured with a completely fake network and service topography... so if someone started attacking using an IP, the information they gleaned would be completely misleading without actually providing an active honeypot. Dummy server has since been repurposed and now I just block though; don't have the time to waste examining what people/bots are up to these days.
Re:How does this work? by Em+Adespoton · 2013-05-08 08:41 · Score: 2

If I make a copy of the password database and place it on my machine then how will an alarm reach the admins?
I'll answer the "How does this work?" part, as your comment has nothing to do with the information provided.
If you have a copy of the password db, good for you. If you crack the accounts and try to use an elevated account to access something, and that elevated account is a dummy account, alarm bells will go off everywhere. That's how this works. And everyone should be doing it.
Back in the day, I did something "similar" where I created a bunch of "default" accounts using common usernames and passwords, and gave those accounts no access. Syslog was set to send an alert and blacklist the incoming IP for 3 hours. In the 3 years I had this running, I only caught a handful of attackers, but hey... that shows that they would have got through had those accounts actually been in use.
Now I just use fail2ban.
This is an ok idea, definitely not a great one by TiggertheMad · 2013-05-08 09:16 · Score: 5, Insightful

Ok, for those who didn't RTFA, or don't know anything about security, you have a list of users and encrypted passwords in a DB. They log on and their password is checked against the DB. The problem is how do you know if someone has stolen your DB so they can crack it offline? (Offline brute force attacks are much more effective since they are thousands of times faster) So the author proposes that you give each user several possible passwords in the DB, only one of which is the correct one. If other passwords are used to logon, a danger alarm goes off, and you know someone has stolen your DB.

There are several problems with this idea. To make it work, you have to have a second DB listing all the passwords, and some sort of marker indicating which ones are real and which are fakes. You can't put this in the main DB, because then the hackers would have stolen this info too, and can tell which passwords are real. So you have a second, more secure system for this. Aside from the problems in maintaining a separate parallel system, one might ask the question, "why isn't your primary DB as secure as the secondary DB?". If attackers can breach your main defenses how do you know they cannot breach your backup network? What happens if your secondary system goes down?

More insidious, there is the recursive security problem. The point of doing this is for the assurance that your password DB is secure. How will you know if an attacker has gained access to your secondary password DB? Well, that would require a third password DB.......

--

HA! I just wasted some of your bandwidth with a frivolous sig!
1. Re:This is an ok idea, definitely not a great one by gamanimatron · 2013-05-08 10:08 · Score: 4, Informative
  
  Some responses (informed by the actual paper):
  
  The second DB doesn't have any of the the password hashes, it just knows which one is correct. It's a single table of (userid, hashid) where hashid is just some small integer.
  
  The idea seems to be that the second system can be a smaller, less complicated single-function server, easier to harden and could be running a different OS/Webserver/DB stack. You could (by sacrificing real-time validation) even have the second system entirely firewalled off and unreachable to an attacker, just polling the login servers to validate the sessions at some small interval.
  
  If the second system goes down, one approach would be to just accept any of the passwords until it comes back up. Then check the logs of what happened while it was offline and act accordingly (invalidate sessions, raise alarms, whatever).
  
  Overall, I like the idea tremendously. It seems like it's not quite all there yet, but we're probably going to start implementing some variant of it immediately.
  
  --
  cogito ergo dubito
Honeytoken by ZouPrime · 2013-05-08 09:16 · Score: 4, Interesting

Isn't this just a special case of a honeytoken?
http://en.wikipedia.org/wiki/Honeytoken
Re:How does this work? by rsborg · 2013-05-08 09:17 · Score: 2

When you use one of the fake ID and passwords to try to log in. That will set off an alarm in the system that someone has stolen the database. Think about it - it's really quite clever.
Isn't this kind of like ISP-based spam detection - when you create a list of honeypot email addresses that no one would ever email on purpose - anyone who sends to those email addresses are likely a spammer, and should be added to the spam sender blacklist.

--
Make sure everyone's vote counts: Verified Voting
Preemptive comment by eddy · 2013-05-08 09:27 · Score: 2

Doesn't mean you SHOULDN'T use a good KDF like scrypt of course, but remember that these "honey accounts" can give you more information. If your data is stolen you want to know about it as soon as possible for all sorts of reasons. If someone breaks in and steals your super-safe account database, you still have a problem you want to detect and fix; the break-in itself. This can be one more layer in that protection.

--
Belief is the currency of delusion.
No it's a miners canary by dutchwhizzman · 2013-05-08 18:49 · Score: 3, Informative

You do this so you can tell that somehow your design and security measures have failed. If these accounts get used, whether it is with the proper password or just the username (or other user data in your databases) you can be sure that you have a data leak somewhere. By smart placement of the data and adding new "honey data" regularly, you should be able to predict where and when you had a breach. Don't just use user/password combinations for this concept, but also put other "honey data" that might get stolen in, so someone that steals your address database or entire customer data (internal theft by employees) will get caught. Depending on how your system is built up and used and the type of data, you can even use it to pinpoint the employee or exact server that has been compromised.
Techniques like this have been in use for many many years. Most maps have on purpose flaws in them so illegal copies are identifiable. Most address databases for sale commercially have fake addresses in them as well. I've used this sort of techniques before on large customer databases. I'm surprised that this is getting so much attention, I thought it was "industry best practice" for a while now?

--
I was promised a flying car. Where is my flying car?