NEWS - May 07, 2013
by Carol~ - 5/7/13 10:47 AM
Amid a barrage of password breaches, "honeywords" to the rescue
"Decoy passwords would trigger alarms that account credentials are compromised."
Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway.
The suggestion builds on the already established practice of creating dummy accounts known as honeypot accounts. It comes as dozens of high-profile sites watched user data become jeopardized—including LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and eHarmony to name just a few from the past year. Because these dummy accounts don't belong to legitimate users of the service and are normally never accessed, they can be used to send a warning to site administrators when attackers are able to log in to them. The new, complementary honeyword measure—proposed in a research paper (pdf) titled "Honeywords: Making Password-Cracking Detectable"—was devised by RSA Labs researcher Ari Juels and MIT cryptography professor Ronald Rivest, the latter of whom is the "R" in the RSA cryptography scheme.
Continued : http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/
"Honeywords" plan to snare password thieves
Sweet Password Security Strategy: Honeywords
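
The decoy-password idea described in the excerpt above, as an added sketch that is not code from the article or the paper. The class names `LoginServer` and `HoneyChecker`, the sample account and all passwords are constructed for illustration. Keeping the index of the real password in a separate checker service follows the paper's design; PBKDF2 is an assumed hash choice.

```python
import hashlib, hmac, os, secrets

def _hash(salt: bytes, word: str) -> bytes:
    # PBKDF2 is an assumption here; any slow salted password hash fits.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)

class HoneyChecker:
    """Separate, minimal service: knows only WHICH stored entry is real."""
    def __init__(self):
        self._real_index = {}
        self.alarms = []          # users whose honeyword was submitted

    def set(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index[user] == index:
            return True
        self.alarms.append(user)  # a decoy was used: password file likely stolen
        return False

class LoginServer:
    """Stores hashes of the real password mixed with decoys, in random order."""
    def __init__(self, checker: HoneyChecker):
        self.db, self.checker = {}, checker

    def register(self, user: str, password: str, decoys: list) -> None:
        words = list(decoys) + [password]
        if len(set(words)) != len(words):
            raise ValueError("decoys must be distinct and differ from the password")
        secrets.SystemRandom().shuffle(words)
        salt = os.urandom(16)
        self.db[user] = (salt, [_hash(salt, w) for w in words])
        self.checker.set(user, words.index(password))

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self.db[user]
        digest = _hash(salt, attempt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(digest, stored):
                return "ok" if self.checker.check(user, i) else "alarm"
        return "wrong"            # ordinary mistyped password, no alarm

if __name__ == "__main__":
    checker = HoneyChecker()
    server = LoginServer(checker)
    # Constructed sample account and decoys.
    server.register("alice", "blue42sky7", ["blue17sky3", "blue90sky1", "blue58sky4"])
    for attempt in ("blue42sky7", "blue90sky1", "not-in-file"):
        print(attempt, "->", server.login("alice", attempt))
    print("alarms:", checker.alarms)
```

Someone who cracks every hash in the stolen file still cannot tell which entry is real, so submitting a cracked password carries a chance of hitting a decoy and raising the alarm.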