Honeywords Project

The ``Honeywords Project'' is based on the paper
``Honeywords: Making Password-Cracking Detectable,''
by Ari Juels and Ronald L. Rivest (version 2.0, 5/2/13).

Summary: We suggest a simple method for improving the security of hashed passwords: the maintenance of additional honeywords (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the honeychecker) can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.

The paper:

• Latest Version of Honeywords Paper (pdf)

• Frequently Asked Questions (FAQ) about Honeywords (pdf)
• gen.py -- simple honeyword generator

• Ari Juels
  Chief Scientist, RSA
  ajuels@rsa.com
  
  
• Ronald L. Rivest
  Professor, EECS, MIT
  rivest@mit.edu

• eWeek. ``Polluting Password Files Can Make Attacks Detectable: Researchers''. by Robert Lemos. (5/17/13)
• San Francisco Chronicle. ```Honeywords' could trap hackers''. by Caleb Garling. (5/10/13)
• Wired. ``For Stronger Password Security Try a Spoonful of Honeywords''. by Ari Juels and Ronald L. Rivest. (5/8/13)
• Slashdot. ``Honeywords--Honeypot Passwords''. (5/8/13)
• ZDNet. ``Could `honeywords' help stop high-profile password breaches?''. by Ben Woods. (5/8/13)
• GCN. `Honeywords' Can Dupe Password Thieves. by Kevin McCaney. (5/8/13)
• NBCNews. Fake `honeyword' passwords could be planted to trip up hackers. by Devin Coldewey. (5/7/13)
• PCWorld. ``Use of `honeywords' can expose password crackers''. by John P. Mello, Jr. (5/7/2013)
• InformationWeek Security. Sweet Password Security: Honeywords. by Mathew J. Schwartz. (5/7/13)
• Ars Technica. ``Amid a barrage of password breaches, `honeywords' to the rescue''. by Dan Goodin. (5/6/13)
• Schneier on Security. Honeywords. by Bruce Schneier. (5/6/13)