Use password files to detect attacks

Source: Internet
Author: User

Researchers believe that attacks can be detected more reliably by adding a large amount of false information, or "honey code", to the password database. When attackers break into an enterprise network, their first target is usually the password file. By stealing the password file and brute-forcing the weak passwords in it, attackers can obtain many valid credentials and move through the enterprise network more easily.


Ron Rivest (the "R" in RSA), a cryptographer at the Massachusetts Institute of Technology, and Ari Juels, a computer scientist at RSA Laboratories, said in a paper published in early May that adding false hashes, or "honey codes", to the password file can help detect such attacks. Because attackers cannot tell which hash values are real, they risk being detected when they try to log in with a value cracked from a password file that contains false hashes.

Security researchers have long stressed that strong passwords should be used. Last year, LinkedIn lost 6.5 million user passwords, 400,000 Yahoo user passwords were taken from its servers, and LivingSocial reset 70 million passwords that attackers may have accessed. Although enterprises routinely store passwords as hashes rather than in the clear so that attackers cannot read them directly, many users still choose weak passwords that can be recovered by brute-force guessing.

Some administrators create false accounts with simple passwords to detect whether attackers have cracked the passwords in a stolen file. The researchers warn, however, that attackers may be aware of this practice and may know how to tell which accounts are real and which are decoys.

The researchers suggest generating 20 honey codes for each password, which gives more than a 95% chance of detecting an attacker who has cracked a password from the file. The check is performed by a separate hardened server, the "honeychecker". An attacker who is able to steal the password file may also have had access to any program on that computer, so the secret cannot be kept there.

"In computer systems, there is no place to safely store additional confidential information," Rivest and Juels wrote. "The honeychecker is a separate hardened computer system in which this secret information can be stored."

Per Thorsheim, a security consultant, said that although the proposal has merit, it also has some problems. Adding honey codes and sending login attempts to a second server would require rewriting existing software. In addition, the honey codes should reflect each user's password habits so that attackers cannot recognize them, but decoys that resemble the user's real password may also produce more false positives.

"The more the honey codes reflect each user's password habits, the higher the chance that an attacker will be lured into the trap," Thorsheim said. "In essence, you may be overwhelmed by false positives, and you will need to determine whether an alarm was caused by a user entering an incorrect password or by an attacker."
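The split described above, as an added illustration (this is not code from the article or from the Rivest and Juels paper): the login server keeps several hashes per user and cannot tell which one is real, while the honeychecker holds only the index of the real one and raises an alarm when a decoy is submitted. The class and function names, the sample user and the look-alike decoys are assumptions made for this example.

```python
import hashlib
import os
import secrets

def hash_pw(password: str, salt: bytes) -> bytes:
    # Slow salted hash; PBKDF2-SHA256 here, any password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class HoneyChecker:
    """Separate hardened host: stores only user -> index of the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []          # users for whom a decoy was submitted
    def set_index(self, user, idx):
        self._index[user] = idx
    def check(self, user, idx):
        if idx == self._index.get(user):
            return True
        self.alarms.append(user)  # a decoy hash matched: likely cracked file
        return False

class LoginServer:
    """Holds the password file; on its own it cannot tell real from decoy."""
    def __init__(self, checker, n_decoys=19):
        self.checker, self.n, self.pwfile = checker, n_decoys, {}
    def enroll(self, user, password, decoys):
        salt = os.urandom(16)
        words = [password] + list(decoys)[: self.n]
        real = secrets.randbelow(len(words))
        words[0], words[real] = words[real], words[0]   # hide the real one
        self.pwfile[user] = (salt, [hash_pw(w, salt) for w in words])
        self.checker.set_index(user, real)              # only copy of the secret
    def login(self, user, password):
        salt, hashes = self.pwfile[user]
        h = hash_pw(password, salt)
        for i, stored in enumerate(hashes):
            if secrets.compare_digest(h, stored):
                return self.checker.check(user, i)      # True only for real index
        return False      # ordinary wrong password: no match, no alarm

def demo():
    checker = HoneyChecker()
    server = LoginServer(checker)
    # Constructed sample: decoys that mimic the user's own password habit,
    # which is what makes them convincing and what risks false positives.
    decoys = [f"Summer{y}!" for y in range(2001, 2021) if y != 2013]
    server.enroll("alice", "Summer2013!", decoys)
    ok = server.login("alice", "Summer2013!")      # real password
    typo = server.login("alice", "Sumer2013!")      # typo: fails quietly
    honey = server.login("alice", "Summer2005!")    # decoy: fails and alarms
    return ok, typo, honey, list(checker.alarms)
```

A near-miss that is not one of the stored decoys simply fails, so the only false alarms come from decoys close enough to the real password that a user could plausibly type them, which is the trade-off Thorsheim describes.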
