The document discusses honeywords, which are fake passwords that are inserted into a user database along with real user passwords. This allows systems to detect if a password database is stolen by monitoring for logins using the fake honeyword passwords. The document outlines how honeywords can be generated to look realistic, how authentication would work to prevent honeyword logins, and the benefits of using honeywords such as enabling detection of password theft. However, it notes that honeywords do not prevent a database compromise or replace the need for strong password policies and storage mechanisms.

1. Honeywords:
Detectable Password
Theft
Gavin Holt
Abertay University

2. whoami
Gavin Holt (@GavinHolt)
Fourth Year Honours Student at Abertay University
One of the organisers of Securi-Tay 3
Vice President of Abertay Ethical Hacking Society (@AbertayHackers)

3. What are we covering today?
Why is password theft so dangerous?
How are passwords currently being stored? (The good, the bad and the plain
stupid)
What are Honeywords?
How Honeywords can be implemented
The benefits of Honeywords
What Honeywords won’t save you from
Summary
Questions

4. Why is password theft so
dangerous?

5. Obvious Answer:
Because then someone has your
password

6. Less Obvious Answer:
Because then someone has your
password…for everything

7. 60%+ of users use the same
password across multiple sites
(PayPal Report)

8. 300% Increase in a single quarter
(Experian Report)

9. LinkedIn – 6.5 Million Passwords
Zappos.com – 12 Million Passwords
eHarmony – 1.5 Million Passwords
Adobe – 38 Million Passwords
Evernote – 50 Million Passwords

10. But when you analyse a dump, you
have to wonder why you bother…

13. A lot of usernames and passwords
out there.

14. But Gavin, People don’t store
passwords in the plain anymore,
right?

15. http://plaintextoffenders.com/

16. Oh okay, but the big guys are doing
it right?

17. LinkedIn’s 6.5 Million Passwords
were unsalted.

18. Even if they salt the passwords, they
aren’t always per user salts.

19. Salting doesn’t stop a targeted
attack

20. Password Cracking is getting faster!

21. Making the Hashing more complex
and resource intensive is only part of
the solution.

22. How do I even know if my password
has been stolen?

23. You might not!

24. Some sneaky SysAdmins might put
some fake accounts in.

25. So if the User “Rory” logs in, they
can assume they have been
compromised.

26. Pretty useful idea – Honeypot
accounts.

27. Hackers are sneaky

28. Can potentially spot these fake
accounts by looking at their activity
and permissions.

29. So fake user accounts aren’t fool
proof.

30. But we like the idea of making it a
high-risk guessing game for the
attacker.

31. Why not have fake Passwords?

32. Introducing: Honeywords

33. First discussed by Jules and Rivest
of MIT in May 2013.

34. If for every user account, we have
multiple passwords, with only one
legit password, can we detect
password theft by watching for our
known entries?

35. An unsalted MD5 example (Don’t throw
things)
Traditional DBUID Username Password (Hashed, For Security obv)
1 Gavin 565E15D84CC59763D13D58B5F66C967F
2 Rory AD7FADB59974D0C2E66E628C0485F9C9
3 Tiago AA177EC5DCBF88CA5EDF17236C1981E8

36. A plain text example (Don’t throw things)
Traditional DB
Attacker Gets
a hold of the
database
Fires up John
or Similar Tool
Gets Plain Text
Passwords
Back

37. Lets implement Honeywords…

38. How do we make Honeywords?

39. How do we make Honeywords?
We need believable words
We need some low hanging fruit
We need some tough passwords
We need to ensure we don’t use the users PW
We need to be able to identify HoneyWords internally!

40. How do we make Honeywords?
Start with a dictionary
Select a handful of words of varying length
Depending on how hard we want to make the password to crack we can:
Mangle for Upper and Lower Case
Prepend and Append numbers
Substitute Symbols
Concatenate Words
Make sure it doesn’t make our users PW!

41. How do we make Honeywords?
We need to make a correct Checksum for our users password
We also need to make some fake checksums for the honeywords we have
generated

42. An unsalted MD5 example
Using Honeywords
UID Username
1 Gavin
2 Rory
3 Tiago
UI
D
Password Hash Checksum
1 565E15D84CC59763D13D58B5F66C
967F
TU32R781V346R7ETV81ERTGE7RT8EV4
1 AD7FADB59974D0C2E66E628C0485
F9C9
SVEVREVR6571654SF7CEWF7E1FC51W
1 AA177EC5DCBF88CA5EDF17236C1
981E8
BCN7GHER17G8J7678A78W81CDFCTHY871
1 DC5F61F959F188478982A9DBB153 EWFFFFSEESYUUTRYER87F1S67F1S5E7F1SCE

43. An unsalted MD5 example
Using Honeywords
Attacker Gets a
hold of the
database
Fires up John or
Similar Tool
Gets Plain Text
Passwords Back
Has a 20%
chance of
picking the
correct password

44. 1/5 Chance of getting it right

45. Can greatly decrease this chance by
adding more Honeywords!

46. How would I even authenticate
against that?

47. Authentication Process
Web Server
• Takes Password and
Hashes It
• Passes to DB Server
DB Server
• Retrieves
Checksum
where UID and
Hash match
and passes to
Auth Server
Auth Server
• Performs
additional
secret
cryptographic
function on
hash and
compares to
Passed Check
Sum
• Returns True or
False to Web
Server
Web Server
• Either:
• Logs user in
because they
have a correct
password
• Doesn’t log
user in and
flags that a
known
“Honeyword”
was used
• Doesn’t log in
due to
incorrect
password

48. In order to gain 100% certainty that
they have the correct password,
they attack would need to
compromise all 3 boxes.

49. So we now know when a password
we have purposely added to the DB
is used.

50. We can detect password theft!

51. What else can we do with it?

52. Time based detection?

53. Change the fake passwords
periodically to pinpoint when they
were stolen?

54. Alerting other services that
passwords have been stolen

55. Central API for Services to use

56. Pass UIDs of known compromised
accounts to a central service to alert
users across platforms they may be
vulnerable?

57. The Benefits of Honeywords

58. The benefits of Honeywords
Can be used to detect password theft
Can be used to prevent the usage of stolen credentials
Can provide warnings to other services that users may reuse passwords on
Can be used to deter attackers from trying to compromise accounts

59. What Honeywords won’t do

60. What Honeywords won’t do
Honeywords won’t stop your service being compromised
If they have your Password file, you have problems to begin with
Honeywords won’t stop the hashes from being cracked
Only per hash salting and intensive hashing functions will slow that down
Honeywords won’t stop attackers from gaining a users password by another
method
Social Engineering, Key Logger, or simply guessing a rubbish password

61. Honeywords are not a replacement
to a strong password policy and
user awareness

62. In Summary
Honeywords allow for detectable password theft by seeding a database with
known “wrong” passwords.
Watching for these passwords allows Systems to detect when they have had
their password DB stolen.
Honeywords should be of varying difficulty in order to disguise themselves
Honeywords are not a replacement for:
A strong password policy
A strong password storage mechanism
End Point Security

63. Any Questions?
Tweet me @GavinHolt later if you
think of any