How to hoax a hacker: The 'honeypot passwords' that could keep your online account safe



Researchers say fake passwords are key to new system

Claim 'decoys and deception are underexploited' in the fight against cybercrime



Researchers have unveiled a radical new way to secure passwords - and say fooling hackers is key.

The new honey encryption system relies on tricking cybercriminals.

It gives hackers fake data in response to incorrect password guesses, fooling the hacker repeatedly.

The new technique is designed to fool hackers by bombarding them with false information.

HOW HONEY ENCRYPTION WORKS

The new system gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key.

If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data, the researchers say.

Researchers say it is the first of a new breed of encryption tools designed to trick hackers.

'Decoys and deception are really underexploited tools in fundamental computer security,' Ari Juels, an independent researcher who was previously chief scientist at computer security company RSA, told MIT Technology Review.



Together with Thomas Ristenpart of the University of Wisconsin, he has developed a new encryption system with a trick up its sleeve.



'Honeywords are a defense against stolen password files,' they wrote.

'Specifically, they are bogus passwords placed in the password file of an authentication server to deceive attackers.

'Honeywords resemble ordinary, user-selected passwords. It's hard therefore for an attacker that steals a honeyword-laced password file to distinguish between honeywords and true user passwords.'



The new approach could be valuable given how frequently large encrypted password files appear to fall into the hands of criminals.



Almost 150 million usernames and passwords were taken from Adobe servers in October 2013, for example, and Target was among those worst hit by a more recent breach.

Currently hackers use software to guess thousands of passwords.



Current systems simply produce junk data when an attempt is incorrect.

The new system, however, generates a piece of fake data resembling the true data.

Honey Encryption makes it harder for an attacker to know if they have guessed a password or encryption key correctly or not.

If an attacker used software to make 10,000 attempts to decrypt a credit card number, for example, they would get back 10,000 different fake credit card numbers, the team says.
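To make the 'plausible decryption' idea concrete, here is an added Python sketch (not the researchers' code) of honey encryption for credit card numbers: a distribution-transforming encoder maps every seed to a Luhn-valid card number, so decrypting under a wrong password yields a well-formed decoy rather than junk. The hash-based keystream, the 64-bit seed and the card-number message space are simplifications assumed for illustration.

```python
import hashlib
import secrets

DIGITS = 15           # free digits of a 16-digit card; the 16th is the Luhn check digit
M = 10 ** DIGITS      # size of the message space (every 15-digit payload is a valid message)
SEED_BITS = 64


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:             # double every second digit, starting from the rightmost
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(card: str) -> bool:
    return len(card) == 16 and card.isdigit() and luhn_check_digit(card[:-1]) == card[-1]


def dte_encode(card: str) -> int:
    """DTE encode: map a card to a random seed whose residue mod M is its 15-digit payload."""
    payload = int(card[:-1])
    # add a random multiple of M so the seed is spread over (almost) the whole seed space;
    # 2**64 is not a multiple of M, so the seed is only nearly uniform (fine for illustration)
    k = secrets.randbelow(2 ** SEED_BITS // M)
    return payload + k * M


def dte_decode(seed: int) -> str:
    """DTE decode: EVERY seed maps to some well-formed, Luhn-valid card number."""
    payload = str(seed % M).zfill(DIGITS)
    return payload + luhn_check_digit(payload)


def keystream(password: str) -> int:
    # SIMPLIFIED: a real system would derive this with a salted, slow KDF
    return int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big")


def honey_encrypt(card: str, password: str) -> int:
    return dte_encode(card) ^ keystream(password)


def honey_decrypt(ciphertext: int, password: str) -> str:
    return dte_decode(ciphertext ^ keystream(password))


def decoy_sample(ciphertext: int, n: int) -> list:
    """What a brute-forcer sees: one plausible card number per wrong guess."""
    return [honey_decrypt(ciphertext, f"guess-{i}") for i in range(n)]
```

Run `decoy_sample(honey_encrypt("4532015112830366", "pw"), 10000)` (a constructed sample card) and every one of the 10,000 results passes the Luhn check, which is exactly why the attacker cannot tell the right guess from the decoys.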



'Each decryption is going to look plausible,' said Juels.

