Honeywords are a defense against stolen password files. Specifically, they are bogus passwords placed in the password file of an authentication server to deceive attackers. Honeywords resemble ordinary, user-selected passwords. It is therefore hard for an attacker who steals a honeyword-laced password file to distinguish between honeywords and true user passwords.
“Honey” is an old term for decoy resources in computing environments.
To be more specific about how honeywords protect us, without our even knowing about them, let's look at the table below and explain it a little more.
Before we begin, note that the table shows the implementation for a single, arbitrary user. If we have more users, we do exactly the same for each one.
As you can see, the left column holds the fake passwords that our honeyword generator is assumed to have created for us; in other words, these are the honeywords we are going to use.
The middle column holds, in a random row, the real password of the user, and the right column holds the final set of passwords stored for the user (the real password mixed in with the honeywords).
General example of how they work:
Fake Passwords | Real Password | Honeywords (final stored set) |
---|---|---|
kebrton1 | | kebrton1 |
02123dia | | forlinux |
a71ger | | avanture32 |
forlinux | Arkantos-13 | sbgo864959 |
1erapc | | 02123dia |
avanture32 | | Arkantos-13 |
sbgo864959 | | aiwkme523 |
aiwkme523 | | 1erapc |
| | a71ger |
Honeywords made by one of my generators from a given password:
Real Password | Honeywords (final stored set) |
---|---|
| ARKAnToS-13 |
| ARKAntoS-13 |
| aRkanTos-13 |
| ARkANToS-13 |
Arkantos-13 | arKAnTOs-13 |
| ArKanTOS-13 |
| Arkantos-13 |
| arKantOS-13 |
| arKaNtOs-13 |
| arKaNtOS-13 |
Before we move on, we need to understand that honeywords aren't visible to users or anyone else, and that they are created by a generator we have chosen beforehand. The generator creates the honeywords, then the honeychecker shuffles them all together with the real password and saves the whole set of possible passwords for each user. That's why they are so powerful and crucial in cyber security. Some generators create honeywords based on the real passwords of the users, or they can create random passwords; however, such an approach alone doesn't protect us quite enough.
Let's suppose that an attacker has stolen a password file that contains each user's passwords as a group, just like the third column in the table we just explained. Given the presence of honeywords, such an attacker is extremely unlikely to guess a user's true password on the first try and is far more likely to submit a honeyword while trying to access an account. As we know from mathematics, the probability that the attacker guesses the right password out of the total number of stored passwords (K) is 1/K. Put simply, the bigger K is, the smaller the attacker's chance of gaining access. For example, if we have created twenty (20) honeywords for a user, plus his real (1) password, then the attacker has to guess from a total of twenty-one (21) possible passwords, K = 21. In other words, the probability is 1/21, or 0.047, or 4.7 %.
Finally, if a honeyword-enabled system detects an attempt to log in using a honeyword, it raises an alarm indicating that the password file has been compromised, because no legitimate user would know to type a honeyword.
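The whole flow described above (generate decoys, shuffle them in with the real password, store the set per user, detect a honeyword login and raise an alarm, and the 1/K first-guess probability) as an added Python example; this is not code from the original page or from the author's own generator. It assumes the split used in the original honeyword design: the authentication server keeps the shuffled, salted and hashed sweetword list, while a separate honeychecker stores only the index of the real password. The generator is a case-tweaking one, like the second table, which flips the letter case of the real password. The names `generate_honeywords`, `hash_password`, `HoneyChecker`, `AuthServer`, `PBKDF2_ITERATIONS` and the user `alice` are all assumptions of this example.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

# Assumed for the demo: a low PBKDF2 iteration count so it runs fast; raise it in real use.
PBKDF2_ITERATIONS = 10_000


def generate_honeywords(real_password: str, count: int, rng: random.Random) -> list[str]:
    """Case-tweaking generator (as in the second table): each decoy is the real
    password with a random mix of upper- and lower-case letters."""
    letters = [i for i, ch in enumerate(real_password) if ch.isalpha()]
    if count > 2 ** len(letters) - 1:
        raise ValueError("password has too few letters for that many honeywords")
    decoys: set[str] = set()
    while len(decoys) < count:
        chars = list(real_password)
        for i in letters:
            chars[i] = chars[i].upper() if rng.random() < 0.5 else chars[i].lower()
        candidate = "".join(chars)
        if candidate != real_password:  # the real password itself is never a decoy
            decoys.add(candidate)
    return sorted(decoys)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: sweetwords are stored hashed, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class HoneyChecker:
    """Separate, hardened service that knows only WHICH index holds the real password."""

    def __init__(self) -> None:
        self.index: dict[str, int] = {}
        self.alarms: list[str] = []  # usernames whose honeywords were submitted

    def set_index(self, username: str, idx: int) -> None:
        self.index[username] = idx

    def check(self, username: str, idx: int) -> str:
        if idx == self.index[username]:
            return "ok"
        # A sweetword that matches but is not the real one can only come from a
        # stolen password file: nobody else could know a honeyword.
        self.alarms.append(username)
        return "alarm"


class AuthServer:
    """Holds the password file: per user, a salt plus K = n + 1 hashed sweetwords in random order."""

    def __init__(self, checker: HoneyChecker, honeyword_count: int = 20,
                 rng: Optional[random.Random] = None) -> None:
        self.file: dict[str, tuple[bytes, list[bytes]]] = {}
        self.checker = checker
        self.k = honeyword_count + 1
        self.rng = rng or random.SystemRandom()

    def register(self, username: str, real_password: str) -> None:
        sweetwords = generate_honeywords(real_password, self.k - 1, self.rng)
        sweetwords.append(real_password)
        self.rng.shuffle(sweetwords)  # the real password lands in a random row
        salt = secrets.token_bytes(16)
        self.file[username] = (salt, [hash_password(w, salt) for w in sweetwords])
        self.checker.set_index(username, sweetwords.index(real_password))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'wrong-password' or 'alarm'."""
        salt, hashes = self.file[username]
        digest = hash_password(password, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(digest, stored):
                return self.checker.check(username, idx)
        return "wrong-password"

    def guess_probability(self) -> float:
        """Chance that an attacker holding the stolen file picks the real password first: 1/K."""
        return 1 / self.k


if __name__ == "__main__":
    checker = HoneyChecker()
    server = AuthServer(checker, honeyword_count=20, rng=random.Random(7))
    server.register("alice", "Arkantos-13")
    print(f"K = {server.k}, first-guess probability = {server.guess_probability():.3f}")
    print(server.login("alice", "Arkantos-13"))  # ok
    print(server.login("alice", "kebrton1"))     # wrong-password, no alarm
```

The login path hashes the submitted password once and compares it against all K stored hashes with a constant-time comparison, so a honeyword costs the server no more than a real password; only the honeychecker, which holds no password material at all, can tell the two apart.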
If you are interested in honeywords and how they were created, click on the links below: