Logo

dev-resources.site

for different kinds of informations.

Two Unconventional Ways to store Passwords: Honeywords & Rock Salt

Published at
10/31/2024
Categories
honeywords
passwords
security
hashing
Author
dissimilis
Author
10 person written this
dissimilis
open
Two Unconventional Ways to store Passwords: Honeywords & Rock Salt

As online threats keep evolving, storing passwords securely has become a constant challenge for developers. The usual methods, like hashing and salting passwords with algorithms such as Argon2, bcrypt, or PBKDF2, have worked well to make brute-force attacks harder. But as attackers get more sophisticated, these techniques alone may not be enoughโ€”especially for larger systems where a breach could be disastrous. Letโ€™s dive into two creative approaches for password storage โ€” Honeywords ** and **Rock Salt โ€” that add layers of security with a focus on detection and resilience.

This article is not a recommendation; its intention is to stimulate thought by exploring unorthodox approaches.

Why Password Storage Needs a New Twist

Passwords are the gatekeepers of web applications. But traditional methods like salted hashes have their limits when facing todayโ€™s complex threats. This is where Honeywords and Rock Salt come in handy. Honeywords add fake passwords to trip up attackers and detect unauthorized access, while Rock Salt uses a unique, ultra-secure key to further protect against brute-force attacks. Together, they offer developers new ways to protect passwords against increasingly savvy cyber threats.

Honeywords: Decoy Passwords That Fight Back

The Honeywords technique spices things up by creating decoy passwordsโ€” โ€œhoneywordsโ€ โ€” that sit alongside each real password in the database. These decoys look like the real thing but are designed to detect an attacker. If an attacker somehow gains access to the database and tries one of these honeywords, a separate system, the Honeychecker, will recognize the fake and trigger an alert, tipping off administrators that somethingโ€™s up. Legitimate users remain unaffected since only the Honeychecker knows which passwords are real. Honeychecker is essentially just a separate system which keeps track of which passwords are real and which are decoys.

Imagine an attacker breaking into a database and attempting to use a password hash they think is legitimate. If they unknowingly pick a honeyword, the system flags this attempt, giving admins the chance to step in quickly. This way, Honeywords help catch intruders early on, increasing the chances of detecting breaches before significant damage is done.

How to Set Up Honeywords in Practice

Adding Honeywords is pretty straightforward. Each time a user creates or updates their password, the system generates several honeywords and shuffles them in with the real one. Only the Honeychecker knows which one is genuine. During login attempts, the Honeychecker verifies if the entered password is correct or just a decoy. If a decoy is used, an alert is raised for admins to investigate.

Creating convincing decoys can be tricky; they need to look realistic so attackers canโ€™t easily tell them apart from real passwords. Many systems automate this by using algorithms to generate honeywords that mimic real passwords. That way, itโ€™s hard for intruders to guess which ones are real.

Rock Salt: Password Security with a Physically Protected Key

While Honeywords focus on catching attackers in the act, Rock Saltโ€™s strength lies in adding brute-force resilience by involving a physically protected Very Large Key (VLK). Hereโ€™s the basic idea: most password systems only involve hashing and salting, where an attacker could theoretically make countless guesses to reverse the password hash. Rock Salt changes this by making password verification depend on both the hashed password and access to a unique VLK stored in a secure, restricted-access Rock Salt Server (RSS).

Hereโ€™s how Rock Saltโ€™s VLK works in practice:

  1. Password Entry and Hashing: When a user logs in, their entered password is hashed with a โ€œsaltโ€โ€”an additional random value that varies by user.

  2. Salt Sent to the Rock Salt Server: This salt, along with the hashed password, is sent to the RSS. Inside the RSS, the salt acts as a kind of โ€œmapโ€ to a specific segment of the VLK, essentially saying, โ€œGive me these specific bytes.โ€

  3. Combining Salt and VLK: The RSS uses these requested bytes of the VLK and combines them with the salt to generate a Rock Saltโ€”a unique, one-time value that cannot be replicated without access to the RSS and VLK. This Rock Salt is then combined with the password hash to generate a final, unique hash element.

  4. Final Hash Comparison: This final hash is what gets compared to the stored hash in the database. If it matches, access is granted; if not, the login attempt is denied.

By involving the VLK in every login attempt, Rock Salt makes brute-force attacks nearly impossible. Attackers would need access to both the hashed passwords and the secure VLK server, which is designed to be physically protected and inaccessible outside of verification.

This systemโ€™s resistance to quantum computing and its reliance on physical security make Rock Salt an ideal solution for environments requiring long-term and high-resilience password protection.

Honeywords vs. Rock Salt: How They Work Together

Honeywords and Rock Salt have different strengths, but they work well together. Honeywords focus on detection, providing an early warning if an intruder is trying to break in, while Rock Salt offers brute-force protection, making it harder for anyone to crack passwords even if theyโ€™ve breached the database. Honeywords are simpler to deploy, so theyโ€™re ideal for systems that need an alert mechanism, while Rock Salt is better for environments with the infrastructure for secure physical storage.

Real-World Applications of Honeywords and Rock Salt

For web platforms with frequent user loginsโ€”like social media or e-commerce sitesโ€”Honeywords can be a lifesaver. They make it easier to spot intrusions quickly. If an attacker ever gets their hands on login data, honeywords can act as an immediate alarm when one of the fake passwords is used.

Rock Salt is perfect for places like banks or big corporations with highly sensitive data. Since the approach requires a bit of hardware security, itโ€™s best suited to large-scale organizations that can handle the additional infrastructure.

Potential Hurdles and Downsides

For Honeywords, the main challenge is generating decoys that look real. Advanced honeyword generators use behavior models to make believable honeywords, but they need updating over time to stay effective. Rock Saltโ€™s biggest hurdle is its cost, given the hardware and security requirements involved, which might be overkill for smaller applications. Of course it's quite easy to implement Rock Salt in a DIY fashion, by just storing few terabyte random file on a separate server and using it as "difficult to leak VLK".

Making the Most of Both Techniques

Using Honeywords and Rock Salt together can offer the best of both worlds. Honeywords give you that immediate alert if an intruder tries to use a decoy, while Rock Salt makes the real passwords tougher to crack. To make this work, developers should keep the honeywords fresh and manage Rock Saltโ€™s storage securely across systems.

References

Honeywords: Making Password-Cracking Detectable by Ari Juels and Ronald L. Rivest
Rock Salt: A Method for Securely Storing and Utilizing Password Validation Data by Arnold Reinhold

hashing Article's
30 articles in total
Favicon
What is Hashing? A Complete Guide for Developers and Security Professionals
Favicon
The Evolution of Hashing Algorithms: From MD5 to Modern Day
Favicon
Pattern 9: Hashing
Favicon
Lithe Hash: Um Mรณdulo Robusto para Hashing Seguro de Senhas
Favicon
The Bcrypt Algorithm for Secure Password Hashing
Favicon
Sorting Algorithms That Use Hash Tables
Favicon
๐–ค๐—‡๐–ผ๐—‹๐—’๐—‰๐—๐—‚๐—ˆ๐—‡ ๐–บ๐—‡๐–ฝ ๐–ง๐–บ๐—Œ๐—๐—‚๐—‡๐—€: ๐–ง๐—ˆ๐— ๐–ณ๐—๐–พ๐—’ ๐–ฏ๐—‹๐—ˆ๐—๐–พ๐–ผ๐— ๐–ธ๐—ˆ๐—Ž๐—‹ ๐–ฃ๐–บ๐—๐–บ ๐–ฃ๐—‚๐–ฟ๐–ฟ๐–พ๐—‹๐–พ๐—‡๐—๐—…๐—’
Favicon
Two Unconventional Ways to store Passwords: Honeywords & Rock Salt
Favicon
Difference Between Encryption and Hashing ๐Ÿ”๐Ÿ”‘
Favicon
Basic File Integrity Monitoring System
Favicon
Lithe Hash: A Robust Module for Secure Password Hashing
Favicon
Comparative Analysis of Password Hashing Algorithms: Argon2, bcrypt, scrypt, and PBKDF2
Favicon
Cryptojs vs. Bcryptjs: Which password hashing method should you trust?
Favicon
Distributed Hash Generation Algorithm in Python โ€” Twitter Snowflake Approach
Favicon
Understanding Bcrypt Rounds: Balancing Security and Performance
Favicon
Wednesday Links - Edition 2023-05-03 ๐Ÿ‡ต๐Ÿ‡ฑ๐Ÿ“œ
Favicon
Understanding Hashing Algorithms: A Beginner's Guide
Favicon
Hashing in Blockchain Technology: How it Ensures Data Integrity
Favicon
Using Hash Codes as Unique Identifiers
Favicon
What is Password Hashing Algorithm?
Favicon
Hashing
Favicon
๐Ÿ”How to encrypt variables in NodeJS
Favicon
Lava lamps securing the Web?๐Ÿคทโ€โ™‚๏ธ
Favicon
What is the difference between encryption, hashing and salting?
Favicon
Security in The Blockchain
Favicon
Hashing Algorithms and creating a simple file integrity monitor (FIM)
Favicon
Hashing, Explain it to me like I'm 5.
Favicon
#Hashing in Java
Favicon
How to hash a password in Go
Favicon
Sony FAIL : why it is absolutely necessary to encrypt passwords

Featured ones: