"Honeywords" plan to snare theives

-

Cryptographic researchers Ari Juels and Ronald Rivest (the "R" in RSA) have come up with an interesting idea aimed at helping to detect attacks on web application databases. It is based on storing fake passwords as bait and sounding the alarm when an attempt is subsequently made to use one of these fake passwords.

The idea involves storing what they have dubbed "honeywords" for each user in the password database alongside their actual password. An attacker who gained access to the database would be unable to distinguish the honeywords, which would also be stored in the form of salted hashes, from the real password.

If attackers were then able to crack the stolen hashes, they might well use them to try to log into the associated web application. If such an attempt were made using one of the honeywords, the web application would know that the access was unauthorised – since the account's legitimate owner has no access to the honeywords, any honeyword used must have been misappropriated. In this case, the application can either block the account or trigger a silent alarm and redirect the attacker to a honeypot system, where they can safely get up to whatever mischief they wish.

Of course the idea only works as long as the server where the hashes are stored doesn't also store information on which of the hashes is the actual user password. The researchers therefore propose a separate, secure system that would be told which of the potential passwords was used during login attempts via an encrypted channel. This "honeychecker" wouldn't store any information on either passwords or honeywords, but would merely record for each user the position within the database at which the legitimate password is stored.

Source: http://www.h-online.com/security/news/item/Honeywords-plan-to-snare-password-thieves-1858488.html

Comments

Post a Comment

Popular posts from this blog

Navigating the Jungle of Web Traffic: A Technical Team Lead's Guide to "I'm a Celebrity, Get Me Out of Here"

-
"I'm a Celebrity, Get Me Out of Here" has become a cultural phenomenon, captivating audiences worldwide with its thrilling challenges and celebrity antics. As a Technical Team Lead, preparing for the surge in traffic during the show's broadcast is akin to navigating a dense jungle of user interactions. In this article, we'll explore the strategies and considerations that technical teams can employ to ensure a seamless online experience while aligning with marketing promotions. 1. Assessing the Infrastructure: Before the chaos ensues, evaluate your web infrastructure. Ensure that servers are optimized, databases are finely tuned, and CDN (Content Delivery Network) configurations are robust. Conduct load testing to simulate peak traffic and identify potential bottlenecks. This step is crucial for preventing server crashes and maintaining site performance under increased load. 2. Scalability and Elasticity: Consider implementing auto-
Read more

TCP Handshake over IPv6

-
The internet we know today heavily relies on TCP/IP to send our information around the world at lightspeed.  With more devices than ever connected to the internet (insert link to back this up, it sounded cool), using IPv4 we're soon going to run out of addresses.  And in fact if it weren't for technologies such as NAT we'd be in a stickier situation than we already are.   In preperation of running out of IP addresses, IPv6 was mustered up around 1998 by the IETF, a 128-bit addressing convention vs the old IPv4 32-bit addressing. So that means IPv6 has been around quite a while now.  Almost 20 years, yet still IPv4 is all the rage.  Perhaps us techies have trouble letting go of what we know.   I mean why set up an AAAA record, when you only need to set up an A record right?  Why configure DNS to use   2001:4860:4860:0000:0000:0000:0000:8888 or 2001:4860:4860::8888 when you can just use 8.8.8.8 right?  Well yeah, let's save all that for another article, once I've h
Read more

The Vital Importance of Secure Wi-Fi Networks

-
In today's digitally interconnected world, Wi-Fi has become an indispensable part of our daily lives. From homes to businesses, coffee shops to airports, we rely heavily on wireless networks to stay connected. However, amidst the convenience and ease that Wi-Fi brings, security should never be taken lightly. In this blog post, we'll delve into the critical importance of using secure Wi-Fi networks and the potential risks associated with neglecting this aspect of our online lives. The Threat Landscape First and foremost, let's address the ever-looming threats that exist in the digital realm. Unsecured Wi-Fi networks are a goldmine for cybercriminals, as they provide an easy entry point to intercept sensitive data. When you connect to an open, unencrypted Wi-Fi network, your data becomes vulnerable to eavesdropping and interception. Malicious actors can capture login credentials, personal information, and even financial details, putting you at risk of identity theft, financi
Read more