Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway.

The suggestion builds on the already established practice of creating dummy accounts known as honeypot accounts. It comes after a year in which dozens of high-profile sites, including LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and eHarmony, saw user data exposed. Because these dummy accounts don't belong to legitimate users of the service and are normally never accessed, they can be used to send a warning to site administrators when attackers are able to log in to them. The new, complementary honeyword measure, proposed in a research paper titled "Honeywords: Making Password-Cracking Detectable," was devised by RSA Labs researcher Ari Juels and MIT cryptography professor Ronald Rivest, the latter being the "R" in the RSA cryptography scheme.

The new measure calls for a file storing cryptographically hashed passwords to contain multiple passwords for each account, only one of which is valid. Attackers who manage to crack the hashes would have no way of knowing whether a given recovered plain-text password is the real one for a particular user, because the password file itself carries no hint of which entry is genuine. Logging into an account using one of the decoy passwords would immediately cause a "honeychecker," located on a separate, hardened computer system that records only which entry is real for each account, to issue an alert to administrators that the database has been compromised.

"This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by" cracking, the researchers wrote. "Thus, honeywords can provide a very useful layer of defense."

Sites that used the system might store 20 hashed passwords for each user, only one of which actually logs the user into the account. On every login the web server would find which of the 20 entries the submitted password matched, and the hardened honeychecker would say whether that entry was the real password or one of the honeywords. Login attempts that matched any of the 19 honeywords would immediately be reported. Admins could program the system to respond to honeyword logins in a variety of ways, including suspending the particular account pending a security reset or letting the login proceed on a "honeypot system," a trap designed to monitor the breach while keeping the attacker away from the real account.
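How the pieces fit together, as an added Python example; this is not code from the paper or from any deployed system. It assumes PBKDF2-HMAC-SHA256 as the site's password hash, builds honeywords by randomly altering the last three characters of the real password (one of the generation strategies the paper calls tweaking), and uses in-memory dictionaries to stand in for the web server's password file and for the honeychecker's index store, which in a real deployment would sit on a separate hardened host. The username and password below are constructed for the demo.

```python
import hashlib
import hmac
import os
import random
import string

K = 20  # sweetwords per account: the real password plus 19 honeywords


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever password hash the
    # site uses. Iteration count is kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def _tweak_char(c: str, rng: random.Random) -> str:
    # Replace a character with a random one of the same class so the decoy
    # keeps the password's shape (digits stay digits, letters stay letters).
    if c.isdigit():
        pool = string.digits
    elif c.islower():
        pool = string.ascii_lowercase
    elif c.isupper():
        pool = string.ascii_uppercase
    else:
        pool = string.punctuation
    return rng.choice(pool)


def generate_honeywords(password: str, n: int, rng: random.Random, tail: int = 3) -> list:
    """Return n distinct decoys made by tweaking the last `tail` characters.
    Any generator that yields plausible-looking decoys could replace this."""
    honeywords = set()
    attempts = 0
    while len(honeywords) < n:
        attempts += 1
        if attempts > 10_000:
            raise ValueError("could not generate enough distinct honeywords")
        head, tail_part = password[:-tail], password[-tail:]
        candidate = head + "".join(_tweak_char(c, rng) for c in tail_part)
        if candidate != password:
            honeywords.add(candidate)
    return sorted(honeywords)


def make_sweetwords(password: str, rng: random.Random):
    """Mix the real password with K-1 honeywords in random order and report
    where the real one landed. Only the index goes to the honeychecker."""
    words = generate_honeywords(password, K - 1, rng) + [password]
    rng.shuffle(words)
    return words, words.index(password)


class PasswordFile:
    """The web server's credential store: per user, a salt and K hashed
    sweetwords. It holds no record of which entry is the real password."""

    def __init__(self):
        self.records = {}

    def store(self, username: str, sweetwords: list) -> None:
        salt = os.urandom(16)
        self.records[username] = (salt, [hash_password(w, salt) for w in sweetwords])

    def match(self, username: str, attempt: str):
        """Index of the sweetword whose hash matches `attempt`, or None."""
        if username not in self.records:
            return None
        salt, hashes = self.records[username]
        h = hash_password(attempt, salt)
        found = None
        for i, stored in enumerate(hashes):  # scan all K; no early exit
            if hmac.compare_digest(h, stored):
                found = i
        return found


class Honeychecker:
    """Lives on a separate hardened host. Knows only user -> real index,
    answers yes/no, and raises an alarm on any honeyword hit."""

    def __init__(self):
        self._real = {}
        self.alarms = []

    def register(self, username: str, real_index: int) -> None:
        self._real[username] = real_index

    def check(self, username: str, index: int) -> bool:
        ok = self._real.get(username) == index
        if not ok:
            self.alarms.append((username, index))  # page the admins
        return ok


def login(pwfile: PasswordFile, checker: Honeychecker, username: str, attempt: str) -> str:
    """'ok' for the real password, 'reject' if nothing matched, 'alarm' if a
    honeyword matched (the hash file has almost certainly been cracked)."""
    idx = pwfile.match(username, attempt)
    if idx is None:
        return "reject"
    if checker.check(username, idx):
        return "ok"
    # What happens next is site policy: suspend the account pending a reset,
    # or continue the session on a honeypot system.
    return "alarm"


if __name__ == "__main__":
    rng = random.Random(2013)  # seeded only so the demo is reproducible
    pwfile, checker = PasswordFile(), Honeychecker()
    sweetwords, real = make_sweetwords("Summer2013!", rng)  # constructed credential
    pwfile.store("alice", sweetwords)
    checker.register("alice", real)
    print(login(pwfile, checker, "alice", "Summer2013!"))
    # An attacker who cracked every hash sees all 20 plaintexts but not `real`.
    print(login(pwfile, checker, "alice", sweetwords[(real + 1) % K]))
    print(checker.alarms)
```

Two details matter for the design. The server compares the attempt against all K hashes rather than stopping at the first hit, so timing does not reveal where the real entry sits; and the honeychecker stores nothing but an index per user, so an attacker must compromise both hosts to learn which sweetword is safe to use.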

"The trick is to make the remaining 19 passwords look as good as the actual password, so the attacker is as likely to crack one of them as she is to crack the real password," Matt Green, a professor specializing in cryptography at Johns Hopkins University, told Ars.

The honeywords proposal has already captured the attention of security experts, some of whom were quick to point out the side effects of such a system. If not implemented carefully, it might allow attackers who have cracked the password file to deliberately trigger honeyword alarms and lock huge numbers of users out of their accounts. To limit the possibility of such denial-of-service attacks, the researchers proposed several measures that should be built into the honeyword system.

The researchers went on to point out the obvious, namely that a honeyword system doesn't prevent brute-force and dictionary attacks.

"However, the big difference when honeywords are used is that a successful brute-force password break does not give the adversary confidence that he can log in successfully and undetected," they concluded. "The use of a honeychecker thus forces an adversary to either risk logging in with a large chance of causing the detection of the compromise of the password-hash file... or else to attempt compromising the honeychecker as well."