Determined hackers who fail to crack a password will simply try again until they succeed. But an ongoing security project aims to tackle that by not letting the hacker know they’ve failed.
The idea is straightforward: instead of informing the unsuccessful hacker that access has been denied, the system returns what appears to be a successfully decrypted password or other secret but is actually bogus, useless text.
The project is titled Honey Encryption and is the work of RSA Security’s Ari Juels and the University of Wisconsin’s Thomas Ristenpart.
Their theory is that the technique will at worst delay and at best deter hackers who try to decrypt data, because each supposedly cracked password has to be checked to see whether it actually works. While that checking process could certainly be automated in the same way as the password cracking itself, it would still make the task more time-consuming.
One limitation of the technique is that you need to know what a genuine password or encryption key looks like for the relevant site or service (and the encryption method it uses); otherwise hackers will easily be able to tell they’ve been given bogus data.
As part of the research, Juels and Ristenpart are trying out the strategy on services such as LastPass, where a single master password grants access to decrypted versions of passwords for multiple sites. That gives them even more of a challenge, as the technique needs to produce a list of bogus passwords, each of which must be credible for its site.
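The mechanism described above, as an added toy example in Python (not code from the Honey Encryption paper or from any product): plaintexts are first passed through a distribution-transforming encoder that maps each candidate password to a slice of a fixed seed space proportional to its assumed frequency, and only the seed is masked with a key-derived pad. Decrypting with a wrong key therefore yields a random seed, which decodes to a plausible password instead of gibberish. The frequency table, salt and passwords are constructed for the example; the naive scheme at the end shows the limitation above, where no model of the message space exists and a wrong key produces obviously bogus bytes.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed, illustrative frequency table for the plaintexts being protected
# (site passwords). The counts are invented for this example; a real deployment
# needs a model of the genuine message space, which is the limitation the
# article describes.
PASSWORD_COUNTS: Dict[str, int] = {
    "123456": 40,
    "password": 25,
    "qwerty": 15,
    "letmein": 10,
    "dragon": 6,
    "hunter2": 4,
}

SEED_BITS = 32                 # width of the seed space the encoder maps into
SEED_SPACE = 1 << SEED_BITS
SALT = b"honey-example-salt"   # constructed; a real system stores a random salt

DTETable = List[Tuple[str, int, int]]   # (message, slice_start, slice_end)


def build_dte(counts: Dict[str, int]) -> DTETable:
    """Build a distribution-transforming encoder (DTE).

    Every message owns a contiguous slice of the seed space proportional to
    its frequency, so a uniformly random seed decodes to a message drawn
    from the modelled distribution.
    """
    total = sum(counts.values())
    table: DTETable = []
    lo = 0
    for msg, count in counts.items():
        hi = lo + (count * SEED_SPACE) // total
        table.append((msg, lo, hi))
        lo = hi
    last_msg, last_lo, _ = table[-1]
    table[-1] = (last_msg, last_lo, SEED_SPACE)   # absorb rounding remainder
    return table


def dte_encode(table: DTETable, msg: str) -> int:
    """Map a message to a seed chosen uniformly from the message's slice."""
    for m, lo, hi in table:
        if m == msg:
            return lo + secrets.randbelow(hi - lo)
    raise ValueError("message outside the modelled space")


def dte_decode(table: DTETable, seed: int) -> str:
    """Map any seed back to the message whose slice contains it."""
    for m, lo, hi in table:
        if lo <= seed < hi:
            return m
    raise ValueError("seed outside seed space")


def keystream(password: str) -> int:
    """Derive a SEED_BITS-wide pad from the user's password (PBKDF2-HMAC-SHA256)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000,
                              dklen=SEED_BITS // 8)
    return int.from_bytes(raw, "big")


def honey_encrypt(table: DTETable, password: str, msg: str) -> int:
    """Encode to a seed, then mask the seed with the password-derived pad."""
    return dte_encode(table, msg) ^ keystream(password)


def honey_decrypt(table: DTETable, password: str, ciphertext: int) -> str:
    """Unmask and decode; a wrong password still yields a plausible message."""
    return dte_decode(table, ciphertext ^ keystream(password))


def naive_encrypt(password: str, msg: str) -> bytes:
    """Contrast: XOR raw bytes with a pad and no encoder. Wrong keys give junk."""
    data = msg.encode()
    pad = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, dklen=len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def naive_decrypt(password: str, ciphertext: bytes) -> str:
    pad = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, dklen=len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, pad)).decode(errors="replace")


def is_plausible(msg: str) -> bool:
    """The check an attacker must run: does the recovered text look like a real password?"""
    return msg in PASSWORD_COUNTS


if __name__ == "__main__":
    table = build_dte(PASSWORD_COUNTS)
    master = "correct horse"        # constructed master password
    ct = honey_encrypt(table, master, "hunter2")
    print("right key:", honey_decrypt(table, master, ct))
    for guess in ("wrong1", "wrong2", "wrong3"):
        print("wrong key", guess, "->", honey_decrypt(table, guess, ct))
    nct = naive_encrypt(master, "hunter2")
    print("naive scheme, wrong key:", repr(naive_decrypt("wrong1", nct)))
```

Every wrong master password decrypts to one of the modelled passwords, weighted by the assumed frequencies, so the attacker cannot distinguish the genuine result from the decoys without testing each one against the target service; with the naive scheme the wrong-key output fails the plausibility check immediately.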
Juels noted to ThreatPost that perfection isn’t necessarily the threshold for the technique to work in the real world: “If just half of the decryption attempts yield something plausible, you still achieve the desired bafflement of the attacker.”
The name and concept of Honey Encryption both stem from research Juels published last year with MIT’s Ronald Rivest on the idea of “Honeywords.” That’s the idea of storing real passwords alongside a set of bogus ones, then setting up the system such that if anyone discovers and decrypts the list but attempts to log in using a “honeyword”, it sets off an alarm.
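The honeyword arrangement just described, as an added Python example (not the Juels and Rivest reference code): each account stores a shuffled list of hashed "sweetwords", the real password plus decoys, while the index of the genuine one is held only by a separate honeychecker. A login that matches a decoy is refused and raises an alarm, because only someone who has obtained and cracked the stored list would ever present a honeyword. Usernames, passwords and decoys are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def hash_pw(pw: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256) for the stored sweetwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)


class Honeychecker:
    """Separate, minimal store: user -> position of the genuine password.

    Kept apart from the password file so a leak of one does not reveal which
    sweetword is real.
    """

    def __init__(self) -> None:
        self._index: Dict[str, int] = {}

    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def check(self, user: str, idx: int) -> bool:
        return self._index.get(user) == idx


class PasswordStore:
    """Password file holding hashed sweetwords per user, plus an alarm log."""

    def __init__(self, checker: Honeychecker) -> None:
        self.checker = checker
        self.records: Dict[str, Tuple[bytes, List[bytes]]] = {}
        self.alarms: List[str] = []

    def enroll(self, user: str, real_pw: str, decoys: List[str]) -> None:
        """Store real password and decoys, hashed, in a random order."""
        salt = secrets.token_bytes(16)
        sweetwords = [real_pw] + list(decoys)      # decoys assumed distinct from real_pw
        order = list(range(len(sweetwords)))
        secrets.SystemRandom().shuffle(order)
        hashes = [hash_pw(sweetwords[i], salt) for i in order]
        self.checker.set(user, order.index(0))    # where the real one ended up
        self.records[user] = (salt, hashes)

    def login(self, user: str, pw: str) -> str:
        """Return 'granted', 'denied', or 'alarm' (a decoy was presented)."""
        salt, hashes = self.records[user]
        candidate = hash_pw(pw, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(candidate, stored):
                if self.checker.check(user, idx):
                    return "granted"
                self.alarms.append(user)          # honeyword hit: list was compromised
                return "alarm"
        return "denied"


if __name__ == "__main__":
    store = PasswordStore(Honeychecker())
    store.enroll("alice", "tiger-7", ["lion-3", "bear-9", "wolf-1"])   # constructed
    for attempt in ("tiger-7", "lion-3", "zebra"):
        print(attempt, "->", store.login("alice", attempt))
    print("alarms:", store.alarms)
```

An ordinary typo produces "denied" and no alarm; only a decoy that exists in the stored list triggers "alarm", which is the signal that the password file itself has leaked and been cracked.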