Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway.
The suggestion builds on the already established practice of creating dummy accounts known as honeypot accounts. It comes as dozens of high-profile sites watched user data become jeopardized—including LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and eHarmony to name just a few from the past year. Because these dummy accounts don't belong to legitimate users of the service and are normally never accessed, they can be used to send a warning to site administrators when attackers are able to log in to them. The new, complementary honeyword measure—proposed in a research paper titled "Honeywords: Making Password-Cracking Detectable—was devised by RSA Labs researcher Ari Juels and MIT cryptography professor Ronald Rivest, the latter who is the "R" in the RSA cryptography scheme.
The new measure calls for a file storing cryptographically hashed passwords to contain multiple passwords for each account, only one of which is valid. Attackers who manage to crack the hashes would have no way of knowing if the corresponding plain-text password is real for a particular user. Logging into an account using one of the decoy passwords would immediately cause a "honeychecker"—located on a separate, hardened computer system—to issue an alert to administrators that the database has been compromised.