Gavin Holt (@GavinHolt)
Fourth Year Honours Student at Abertay University
One of the organisers of Securi-Tay 3
Vice President of Abertay Ethical Hacking Society (@AbertayHackers)
3. What are we covering today?
Why is password theft so dangerous?
How are passwords currently being stored? (The good, the bad and the plain
What are Honeywords?
How Honeywords can be implemented
The benefits of Honeywords
What Honeywords won’t save you from
4. Why is password theft so
5. Obvious Answer:
Because then someone has your
6. Less Obvious Answer:
Because then someone has your
7. 60%+ of users use the same
password across multiple sites
8. 300% Increase in a single quarter
9. LinkedIn – 6.5 Million Passwords
Zappos.com – 12 Million Passwords
eHarmony – 1.5 Million Passwords
Adobe – 38 Million Passwords
Evernote – 50 Million Passwords
10. But when you analyse a dump, you
have to wonder why you bother…
11. A lot of usernames and passwords
12. But Gavin, People don’t store
passwords in the plain anymore,
14. Oh okay, but the big guys are doing
15. LinkedIn’s 6.5 Million Passwords
16. Even if they salt the passwords, they
aren’t always per-user salts.
17. Salting doesn’t stop a targeted
18. Password Cracking is getting faster!
19. Making the Hashing more complex
and resource intensive is only part of
20. How do I even know if my password
has been stolen?
21. You might not!
22. Some sneaky SysAdmins might put
some fake accounts in.
23. So if the User “Rory” logs in, they
can assume they have been
24. Pretty useful idea – Honeypot
25. Hackers are sneaky
26. Can potentially spot these fake
accounts by looking at their activity
27. So fake user accounts aren’t fool
28. But we like the idea of making it a
high-risk guessing game for the
29. Why not have fake Passwords?
30. Introducing: Honeywords
31. First discussed by Juels and Rivest
of MIT in May 2013.
32. If for every user account, we have
multiple passwords, with only one
legit password, can we detect
password theft by watching for our
33. An unsalted MD5 example (Don’t throw things)
Traditional DB
UID  Username  Password (Hashed, For Security obv)
1    Gavin     565E15D84CC59763D13D58B5F66C967F
2    Rory      AD7FADB59974D0C2E66E628C0485F9C9
3    Tiago     AA177EC5DCBF88CA5EDF17236C1981E8
34. A plain text example (Don’t throw things)
[Diagram] … a hold of the … → Fires up John or Similar Tool → Gets Plain Text
35. Let’s implement Honeywords…
36. How do we make Honeywords?
37. How do we make Honeywords?
We need believable words
We need some low hanging fruit
We need some tough passwords
We need to ensure we don’t use the user’s PW
We need to be able to identify HoneyWords internally!
38. How do we make Honeywords?
Start with a dictionary
Select a handful of words of varying length
Depending on how hard we want to make the password to crack we can:
Mangle for Upper and Lower Case
Prepend and Append numbers
Make sure it doesn’t match our user’s PW!
39. How do we make Honeywords?
We need to make a correct Checksum for our users password
We also need to make some fake checksums for the honeywords we have
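Slides 37 to 39 give the generation procedure as bullet points. The following is an added Python example, not code from the talk, that carries the procedure out end to end. The toy dictionary, the mangling rules and the sample password "Dragon42" are constructed for the example, and PBKDF2-SHA256 with a per-user salt is an assumed stand-in for whatever intensive hashing function a deployment chooses. It produces honeywords of mixed difficulty, rejects any candidate equal to the user's real password, inserts the real password at a random position among them, and splits the result into the row the password DB stores (salt plus every hash) and the record that only a separate checker holds (the index of the real one).

```python
# Added example (not from the talk): generating a user's honeywords as
# slides 37-39 describe. The dictionary, mangling rules and sample password
# are constructed; PBKDF2-SHA256 with a per-user salt is an assumed choice.
import hashlib
import os
import random

# Constructed toy dictionary; a real deployment would draw from a large wordlist.
DICTIONARY = ["dragon", "sunshine", "football", "monkey", "welcome",
              "princess", "shadow", "computer", "letmein", "master"]


def mangle(word: str, level: int, rng: random.Random) -> str:
    """Turn a dictionary word into a candidate of the requested difficulty."""
    if level == 0:                                   # low hanging fruit
        return word
    if level == 1:                                   # capitalised + two digits
        return word.capitalize() + f"{rng.randrange(100):02d}"
    mixed = "".join(c.upper() if rng.random() < 0.5 else c for c in word)
    return f"{rng.randrange(10)}{mixed}{rng.randrange(1000):03d}"   # tough


def make_honeywords(real_password: str, count: int, rng: random.Random) -> list:
    """Return `count` distinct honeywords of mixed difficulty, none equal to
    the real password (compared case-insensitively to be safe)."""
    honeywords = []
    while len(honeywords) < count:
        candidate = mangle(rng.choice(DICTIONARY), rng.choice([0, 1, 2]), rng)
        if candidate.lower() == real_password.lower() or candidate in honeywords:
            continue                                 # never reuse the real PW
        honeywords.append(candidate)
    return honeywords


def hash_pw(password: str, salt: bytes) -> str:
    # Per-user salt and an intensive KDF, as the talk recommends.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_records(uid: int, real_password: str, count: int, rng: random.Random):
    """Build the row for the password DB (salt + all sweetword hashes) and the
    record for the separate checker (index of the real password only)."""
    sweetwords = make_honeywords(real_password, count, rng)
    real_index = rng.randrange(count + 1)
    sweetwords.insert(real_index, real_password)   # real PW hides among the fakes
    salt = os.urandom(16)
    db_row = {"uid": uid, "salt": salt,
              "hashes": [hash_pw(s, salt) for s in sweetwords]}
    checker_row = {"uid": uid, "real_index": real_index}
    return db_row, checker_row


if __name__ == "__main__":
    db_row, checker_row = build_records(1, "Dragon42", 4, random.Random())
    for i, h in enumerate(db_row["hashes"]):
        marker = "  <- real (checker knows, DB does not)" if i == checker_row["real_index"] else ""
        print(i, h[:16] + "...", marker)
```

With four honeywords per account, an attacker holding only the DB row has a one in five chance per account of picking the real hash, and that chance shrinks as `count` grows; the checker's record is the only thing that separates real from fake.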
40. An unsalted MD5 example
UID  Password Hash                  Checksum
1    DC5F61F959F188478982A9DBB153  EWFFFFSEESYUUTRYER87F1S67F1S5E7F1SCE
41. An unsalted MD5 example
[Diagram] Attacker Gets a hold of the … → Fires up John or … → Gets Plain Text → Has a 20% …
42. 1/5 Chance of getting it right
43. Can greatly decrease this chance by
adding more Honeywords!
44. How would I even authenticate
45. Authentication Process
• Takes Password and …
• Passes to DB Server where UID and … and passes to …
• Returns True or False to Web …
• Logs user in … have a correct …
• Doesn’t log user in and flags that a …
• Doesn’t log in …
46. In order to gain 100% certainty that
they have the correct password,
the attacker would need to
compromise all 3 boxes.
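Slides 45 and 46 describe the login flow across three boxes. The following added Python example, not code from the talk, simulates that flow in one process so the division of knowledge is visible: the DB server holds a salt and the hashes of every sweetword for a user but cannot tell which is real, the checker holds only the index of the real password and nothing else, and the web server orchestrates the two. The user record, the sweetwords, and PBKDF2-SHA256 as the hashing function are constructed assumptions for the example. A submitted honeyword is refused and recorded as an alert, a plain wrong password is just refused, and only the single real password logs the user in.

```python
# Added example (not from the talk): the three-box authentication flow of
# slides 45-46 simulated in one process. User record, sweetwords and the
# choice of PBKDF2-SHA256 are constructed assumptions for this example.
import hashlib
import hmac
import os


def hash_pw(password: str, salt: bytes) -> str:
    # Per-user salt and an intensive KDF, as the talk recommends.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class DBServer:
    """Box 2: stores, per UID, a salt and the hashes of every sweetword
    (real password plus honeywords). It cannot tell which one is real."""

    def __init__(self):
        self.rows = {}

    def add_user(self, uid: int, sweetwords: list, salt: bytes) -> None:
        self.rows[uid] = (salt, [hash_pw(s, salt) for s in sweetwords])

    def match_index(self, uid: int, password: str):
        """Return the index of the matching sweetword, or None."""
        salt, hashes = self.rows[uid]
        candidate = hash_pw(password, salt)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                return index
        return None


class HoneyChecker:
    """Box 3: knows only UID -> index of the real password, never the hashes,
    so stealing the password DB alone does not reveal which entry is real."""

    def __init__(self):
        self.real_index = {}
        self.alerts = []   # (uid, index) for every honeyword submission

    def register(self, uid: int, index: int) -> None:
        self.real_index[uid] = index

    def check(self, uid: int, index: int) -> bool:
        if index == self.real_index.get(uid):
            return True
        self.alerts.append((uid, index))   # honeyword used: raise the alarm
        return False


class WebServer:
    """Box 1: takes the credentials and orchestrates the other two boxes."""

    def __init__(self, db: DBServer, checker: HoneyChecker):
        self.db, self.checker = db, checker

    def login(self, uid: int, password: str) -> str:
        index = self.db.match_index(uid, password)
        if index is None:
            return "denied"                  # plain wrong password
        if self.checker.check(uid, index):
            return "logged in"               # the one real password
        return "denied, honeyword used"      # password file was probably stolen


def build_demo() -> WebServer:
    """Constructed user: 'Letmein!' is the real password, the rest are honeywords."""
    sweetwords = ["dragon", "Sunshine12", "Letmein!", "3fOoTbALL077", "monkey99"]
    db, checker = DBServer(), HoneyChecker()
    db.add_user(1, sweetwords, os.urandom(16))
    checker.register(1, sweetwords.index("Letmein!"))
    return WebServer(db, checker)


if __name__ == "__main__":
    web = build_demo()
    print(web.login(1, "Letmein!"))   # logged in
    print(web.login(1, "dragon"))     # denied, honeyword used
    print(web.login(1, "password"))   # denied
```

The checker's `alerts` list is where detection lives: a single entry there means a honeyword was presented, which only happens if someone obtained the sweetword hashes and cracked one of them. Because the checker never sees passwords or hashes, an attacker who has only the DB copy still faces the guessing game the slides describe.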
47. So we now know when a password
we have purposely added to the DB
48. We can detect password theft!
49. What else can we do with it?
50. Time based detection?
51. Change the fake passwords
periodically to pinpoint when they
52. Alerting other services that
passwords have been stolen
53. Central API for Services to use
54. Pass UIDs of known compromised
accounts to a central service to alert
users across platforms they may be
55. The Benefits of Honeywords
56. The benefits of Honeywords
Can be used to detect password theft
Can be used to prevent the usage of stolen credentials
Can provide warnings to other services that users may reuse passwords on
Can be used to deter attackers from trying to compromise accounts
57. What Honeywords won’t do
58. What Honeywords won’t do
Honeywords won’t stop your service being compromised
If they have your Password file, you have problems to begin with
Honeywords won’t stop the hashes from being cracked
Only per hash salting and intensive hashing functions will slow that down
Honeywords won’t stop attackers from gaining a user’s password by another
Social Engineering, Key Logger, or simply guessing a rubbish password
59. Honeywords are not a replacement
to a strong password policy and
60. In Summary
Honeywords allow for detectable password theft by seeding a database with
known “wrong” passwords.
Watching for these passwords allows Systems to detect when they have had
their password DB stolen.
Honeywords should be of varying difficulty in order to disguise themselves
Honeywords are not a replacement for:
A strong password policy
A strong password storage mechanism
End Point Security
61. Any Questions?
Tweet me @GavinHolt later if you
think of any