The Password That Never Was

Abstract: Breaches of databases involving millions of passwords are becoming a commonplace threat to consumer security. Compromised passwords are also a feature of sophisticated targeted attacks, as the New York Times, for instance, reported of its own network intrusions early this year. The most common defense is password hashing. Hashing is the transformation of stored passwords using one-way functions that make verification of incoming passwords easy, but extraction of stored ones hard. "Hard," though, often isn't hard enough: Password cracking tools (such as "John the Ripper") recover many hashed passwords quite effectively.

I'll describe a new, complementary approach called honeywords (an amalgam of "honeypots" and "passwords"). Honeywords are decoys designed to be indistinguishable from legitimate passwords. When seeded in a password database, honeywords pose a challenge even to an adversary that compromises the database and cracks its hashed passwords. The adversary must still guess which passwords are legitimate, and is very likely to pick a honeyword instead. The adversary's submission of a honeyword is detectable in a backend system, which can raise an alarm to signal a breach. I'll also briefly discuss a related idea, called honey encryption, which creates ciphertexts that decrypt under incorrect keys to seemingly valid messages.

Honeywords and honey encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent, sophisticated, and damaging security breaches.

Honeywords are honey encryption are joint work respectively with Ron Rivest (MIT) and Tom Ristenpart (U. Wisc).
Dr. Ari Juels is a roving chief scientist specializing in computer security.

He was Chief Scientist of RSA (The Security Division of EMC), Director of RSA Laboratories, and a Distinguished Engineer at EMC, where he worked until September 2013. He joined RSA in 1996 after receiving his Ph.D. in computer science from U.C. Berkeley.

His recent areas of interest include "big data" security analytics, cybersecurity, cloud security, user authentication, privacy, medical-device security, biometric security, and RFID / NFC security. As an industry scientist, Dr. Juels has helped incubate innovative new product features and products and advised on the science behind security-industry strategy. He is also a frequent public speaker, and has published highly cited scientific papers on many topics in computer security.

In 2004, MIT's Technology Review Magazine named Dr. Juels one of the world's top 100 technology innovators under the age of 35. Computerworld honored him in its "40 Under 40"³ list of young industry leaders in 2007. He has received other distinctions, but sadly no recent ones acknowledging his youth