Internet security experts are looking into a new approach to protecting sensitive data. Instead of merely relying on password protection, websites can use “honeyword” passcodes, or dummy passwords that would trigger an alarm if someone is hacking the website’s database or someone’s account.
This proposal follows the hacking of high-profile portals last year wherein user data was compromised. Some of the sites that were hacked include eHarmony, LinkedIn, Twitter, Evernote, LivingSocial and dating site Zoosk.
Because these decoy passwords are never used by the real account owner, any login attempt with one of them is a strong signal that the site’s password database has been stolen and cracked, and can be used to alert website administrators.
The proposed measure also complements the use of dummy accounts and was suggested in a research paper entitled “Honeywords: Making Password-Cracking Detectable”. The study was jointly authored by MIT cryptography professor Ronald Rivest and RSA Labs researcher Ari Juels.
This security measure requires multiple passwords for each individual account, but only one is the actual password. If someone uses one of the dummy passwords, a “honeychecker” system housed on a separate computer would issue a warning to the website’s administrators.
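The split between a login server that holds several hashed "sweetwords" per account and a honeychecker that knows only which one is real, as an added illustration that is not code from the Juels and Rivest paper. The hash function, the number of sweetwords per account and the sample decoys are constructed assumptions for the demo.

```python
"""Honeyword demo: a login server stores k salted hashes per account (real
password plus decoys, shuffled); a separate honeychecker stores only the index
of the real one, so a stolen login database alone does not reveal which is real."""
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Assumed password hash; a real site would use its existing KDF and parameters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class HoneyChecker:
    """Runs on a separate host; holds only user -> index of the real password."""
    def __init__(self) -> None:
        self._index: dict[str, int] = {}
        self.alarms: list[tuple[str, int]] = []   # (user, decoy index) per alert

    def set(self, user: str, index: int) -> None:
        self._index[user] = index

    def check(self, user: str, index: int) -> bool:
        if index == self._index[user]:
            return True
        # A decoy matched: the sweetword list has very likely leaked and been cracked.
        self.alarms.append((user, index))
        return False

class LoginServer:
    """Stores k salted hashes per user; on its own it cannot tell which is real."""
    def __init__(self, checker: HoneyChecker, k: int = 5) -> None:
        self.checker, self.k, self._db = checker, k, {}

    def register(self, user: str, password: str, decoys: list[str]) -> None:
        sweet = decoys[: self.k - 1] + [password]
        secrets.SystemRandom().shuffle(sweet)       # hide the real one's position
        salt = os.urandom(16)
        self._db[user] = (salt, [_hash(s, salt) for s in sweet])
        self.checker.set(user, sweet.index(password))  # only the index leaves here

    def login(self, user: str, attempt: str) -> str:
        salt, hashes = self._db[user]
        h = _hash(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, i) else "honeyword-alarm"
        return "denied"   # matched nothing: an ordinary wrong password
```

An ordinary typo returns "denied" and raises no alarm; only a hit on a decoy, which a legitimate user never types, produces the alert.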
“This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by cracking. Thus, honeywords can provide a very useful layer of defence,” said the researchers.
Administrators could also tweak how the system will respond to an ongoing hack, including suspending a particular account or tracing the location of the hacker.