The Password That Never Was
Ari Juels


Breaches of databases with millions of passwords are becoming a commonplace threat to consumer security. Compromised passwords are also a feature of sophisticated targeted attacks, as the New York Times, for instance, reported of its own intrusions early this year. The most common defense is hashing, a cryptographic transformation of stored passwords that makes verification of incoming passwords easy, but extraction of stored ones hard. "Hard," though, often isn't hard enough: Password cracking tools (such as "John the Ripper") often easily defeat hashing.

I'll describe a new defense called honeywords. Honeywords are decoys designed to be indistinguishable from legitimate passwords. When seeded in a password database, honeywords offer protection against an adversary that compromises the database and cracks its hashed passwords. The adversary must still guess which passwords are legitimate, and is very likely to pick a honeyword instead, creating a detectible event signaling a breach. I'll also discuss a related idea, called honey encryption, which creates ciphertexts that decrypt under incorrect keys to seemingly valid messages.

Broadly speaking, Honeywords and honey encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent and sophisticated security breaches.

Honeywords are honey encryption are joint work respectively with Ron Rivest (MIT) and Tom Ristenpart (U. Wisc).