Honeywords: making password-cracking detectable
Author(s): Juels, Ari; Rivest, Ronald L.
We propose a simple method for improving the security of hashed passwords: the maintenance of additional "honeywords" (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the "honeychecker") can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
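The split between the login server and the honeychecker described in the abstract, as an added illustration (not code from the paper): the login server stores salted hashes of all "sweetwords" for a user in shuffled order and cannot tell which is real; only the honeychecker holds the index of the true password. The salted SHA-256 hashing, the in-memory stores, and the caller-supplied honeyword list are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: salted SHA-256 stands in for whatever password hash the site uses.
def hash_pw(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

class Honeychecker:
    """Auxiliary server: stores only which sweetword index is the real password."""
    def __init__(self):
        self._index = {}
    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx
    def check(self, user: str, idx: int) -> bool:
        return self._index.get(user) == idx

class LoginServer:
    """Holds the hashed sweetword list per user; a stolen copy reveals no index."""
    def __init__(self, checker: Honeychecker):
        self.checker = checker
        self.records = {}   # user -> (salt, [hash of each sweetword])
        self.alarms = []    # users whose honeyword was submitted

    def register(self, user: str, password: str, honeywords: list) -> None:
        if password in honeywords:
            raise ValueError("honeywords must differ from the real password")
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)   # hide the real one's position
        salt = os.urandom(16)
        self.records[user] = (salt, [hash_pw(salt, w) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))  # index lives only here

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self.records[user]
        h = hash_pw(salt, attempt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                if self.checker.check(user, i):
                    return "ok"
                # A honeyword matched: the hashed password file was likely cracked.
                self.alarms.append(user)
                return "alarm"
        return "fail"
```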
Department: Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13)
Association for Computing Machinery (ACM)
Ari Juels and Ronald L. Rivest. 2013. Honeywords: making password-cracking detectable. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS '13). ACM, New York, NY, USA, 145-160.