Honeywords: making password-cracking detectable

Juels, Ari; Rivest, Ronald L.

Author(s)

Juels, Ari; Rivest, Ronald L.

DownloadRivest_Honeywords.pdf (369.5Kb)

OPEN_ACCESS_POLICY

Terms of use

Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/

Metadata

Show full item record

Abstract

We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

Date issued

2013-11

URI

http://hdl.handle.net/1721.1/90627

Department

Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Journal

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13)

Publisher

Association for Computing Machinery (ACM)

Citation

Ari Juels and Ronald L. Rivest. 2013. Honeywords: making password-cracking detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13). ACM, New York, NY, USA, 145-160.

Version: Original manuscript

ISBN

9781450324779

Collections

MIT Open Access Articles

DSpace@MIT