
Honeywords - Detectable Password Theft

BSides London 2014 · 15:37 · 1.6K views · Published 2014-05

Category: Technical
Style: Talk
About this talk
Password theft is an ever increasing problem. One of the challenges of password theft is detecting it. A possible solution to this problem is the use of "Honeywords". Honeywords would act in a similar way to a Honeypot on a network, allowing password thefts to be detected by offering purposely seeded "fake" passwords and watching for their usage in a system. Should one of these passwords be used, the system can flag this for investigation or possibly some automated action to mitigate immediate risk. This talk examines the implementation of Honeywords, the effectiveness of it as a solution and how the concept can be extended to prevent password dumps being used across services.
Transcript [en]

My name's Gavin Holt. I'm a fourth-year student at a university all the way up in Dundee, I was the organiser of the Securi-Tay 3 conference that happened in January, and I'm the outgoing president of the Ethical Hacking Society. So, a brief summary of what we're covering today: why password theft is so dangerous, because I think some people forget the other implications; how passwords are currently being stored, the good, the bad and the plaintext (ship it, you can buy me a beer later); how honeywords can be implemented; what honeywords are; the benefits of honeywords; why honeywords will not save us all; a quick summary of everything we discussed, and then I'll take some questions.

So why is password theft so dangerous? It's a pretty obvious answer: because someone has your password, which speaks for itself. But the less obvious answer, which this room will hopefully not resonate with, is that then someone has your password for everything. PayPal did a survey two years ago: 60-plus percent of users reused the same password across multiple websites. So it doesn't matter if Facebook stores your passwords securely; if it's the same password for Tesco or any other place that has a password breach, they now have your Facebook password. And directly, there was a 300% increase in a single quarter in password theft. I think everyone will remember, you know, boom, boom, big sites getting hit, and some of the numbers are absolutely scary: LinkedIn 6.5 million, Zappos 12 million, Evernote 50 million and the infamous Adobe, 38 million. And sometimes you wonder why we bother stealing passwords, because you only need to steal passwords if you can't guess the password. So if you have a look at some of the Adobe breach, this is a wonderful graphic that's online: the Adobe password data on the left and the password hints are in plain text, so "rhymes with assword", "six times one". So with that sort of stuff here you do kind of wonder why we actually still need to steal passwords, and then in true geek fashion there was an xkcd: it's the greatest crossword puzzle in history, it's all the password hints in plain text and the passwords are the answers.

There's a lot of usernames and passwords out there. I know what you're all thinking: people don't store passwords in plain text, they've worked that out. Don't they? Anyone ever been to that website, the one made up of people that store passwords in plain text? Up until very recently, I believe the GCHQ recruitment system stored the passwords just in plain text. They already know anyway, I suppose. OK, but the big guys are doing it right, so that's fine. Your small coursework website with plaintext passwords, that's fine, but the big guys are doing it right. LinkedIn: 6.5 million passwords were unsalted. And even if people do salt passwords, they don't always use a salt per user, so all it takes is a time-memory trade-off: people can regenerate all the rainbow tables, so salting doesn't stop a targeted attack. And for you gaming guys who absolutely love your new graphics cards, that's great for hackers as well, because password cracking is getting faster. You don't even need to have a GPU in front of you; you can rent, for about two bucks an hour, a cloud instance with a GPU and crack a ridiculous number of passwords. So making the hashing more complex and resource-intensive is only part of the solution to stopping password theft, because when someone's got the dump, if they're determined to use it, they will: they can use targeted attacks, they can spend lots of time on it.

But how do you know if your password has ever been stolen? So if you're a company you might have IPS, you may have IDS, you may detect some anomalies, but how would you know if passwords have been stolen and used? And the chances are you probably won't. Some sneaky sysadmins may put some fake system accounts in their Active Directory, so for example if Rory logs in they can assume they've been compromised, because user Rory doesn't actually work there. There's a few cunning sysadmins who put that in. It's a pretty nifty idea, honeypot accounts, but hackers are sneaky: they can look at the user account and see if it's actually used, they can see how often it's used, they can see its permissions, because if you create a honeypot account that's actually got access to everything, you're being stupid. So hackers can look at this account and, with a little profiling, it will tell them if it's a legit account or not. So fake user accounts aren't quite foolproof, but we like the idea of making a high-risk guessing game for the attacker that has your data. So what if we had fake passwords? This is where the concept of honeywords comes in.

It was first discussed in a paper by two guys, Juels and Rivest, over at MIT last May, and the basic theory is: for every user account there are multiple passwords, with only one legitimate password, and we can detect password theft by watching for the use of known fake passwords in the database. So a traditional unsalted MD5 database may look something like this: Gavin's password is test1, Rory's password is test2 and Thiago's is password. So if this database was compromised they would get the whole database, fire up something like John the Ripper or a big chunky rainbow table, and they'll get the plaintext passwords back, and game over, they've got your passwords.

So let's implement honeywords. How would you even go about making fake passwords? They have to be believable. So if you've got 100 entries and 99 of them are really secure passwords and one of them is "password", the real password stands out. Equally, if the user has got a really strong password and you've got cat, dog, mouse, sheep, or if they're all the same case, or they're all taken from animals, the fake passwords become particularly obvious. So how do we make honeywords? They have to be believable; there has to be some low-hanging fruit, because they have to be crackable in order for the attacker to use them; there has to be some tough passwords to leave the attacker guessing whether they've actually cracked the right password or not. As I discovered when I was writing a technical demo for this, you need to make sure that you don't accidentally generate a honeyword that is the user's actual password; that was a bug that had to be fixed up. And we need to make sure that we can identify the fake passwords, because if you can't then you can't really use them. So I started with a dictionary, selected a handful of words of varying length, and in order to decide how hard I wanted to make the password to crack, I mangled it: all lowercase letters, some things prepended with numbers and symbols, appended numbers and symbols, substituted symbols, so threes and fives and A's and things, then concatenated words together, again making sure we don't accidentally use our user's password. So then we need to take a correct checksum of the user's password, and we need to create some fake checksums for all the honeywords we've generated. So a database now looks something like this: users Gavin, Rory, Thiago, and in a separate passwords table you've got your password hashes and your checksums. So our new method of attack would be: attacker gets hold of the database, fires up John, gets the plaintext back, but in our example here they've only got a one-in-five, twenty percent, chance of getting the right password. One in five is still quite a big chance if you've got thousands of users, lots of data, a big critical system, but we can easily scale up just by adding more honeywords.

So what would the workflow look like for authenticating against that? You would start with your web server: take the password, hash it and pass it to the database server. The database server retrieves the checksum where the user ID and hash match and passes it to the authentication server. So if you don't get a hash match on that user ID then it's just simply a wrong password; the user must have mistyped something. It's a wrong password, it's not a threat. If they do get a hit, it takes the checksum, passes it to the authentication server, and what the authentication server does is it performs an additional check, the same check used to generate the checksum, on the hash that was sent. And what this does is it compares the hash it was sent, the checksum it was sent and the checksum it generated, to ensure that the password that you've typed in is the one that we took to be the user's true password at the point of generating all the honeywords, and that will return true or false to the web server. So the web server gets back true: great, real user login, they can log in. If it gets back false, at this stage we know that yes, the password exists in the database, but no, it's not our user's password, therefore we know that our password database has been stolen. So in order to be a hundred percent sure, the attacker would have to get into all three of these boxes and reverse-engineer all the functions to get a checksum to see which password is correct. So now we have a way to know when a password that only exists in the database is used; we can now detect password theft, as easy as that. So sorry to anyone who thought this was going to be really technical and clever: it's literally just more passwords.

So what else can we do with it? We can do some clever things. So what if we regenerated the fake passwords periodically? Could we use that to determine when the password database was stolen, internally? Also, companies have different authentication systems; they may not all use single sign-on. So what if you could use this to determine when there's been a password breach and reset user passwords across the board? So if you had a central API (apis is the most common type of honeybee, by the way, interesting fact, because when you search for "API honeywords" it doesn't come up with much apart from pictures of bees), essentially an API for services to use, you can pass all the known user IDs of compromised users into this service, and when they try to authenticate to something else in your organization we can detect that there's a potential their password has been compromised and enforce a reset across the company.

So what are the benefits of honeywords? They can be used to detect password theft. This is based on my dissertation, I've done quite a bit of reading on it, and there doesn't appear to be any other way of detecting password theft reliably. You can use IDS, you can use IPS, you can see the data's exfiltrated, you can see successful login attempts from places you may not expect, but as far as I can tell this is one of the few ways you can actually detect password theft. It can be used to prevent the use of stolen credentials: if you know a password's been stolen you can then prevent its use across your whole organization and give warnings to other services that there's passwords potentially getting reused. And it can be used to deter attackers from trying to compromise accounts.

Please don't start using honeywords as a magic solution; honeywords isn't going to save us from everything. Honeywords won't stop your server being compromised: if I've got your password file, something has gone wrong before now. If I'm able to exfiltrate this data from your database, get a hold of your password file, get access to your AD to dump the hashes, something's gone wrong before now. Honeywords won't stop the passwords from being cracked; people will still potentially get the plaintext correct password. It's not stopping people from stealing passwords, just detecting their theft. Honeywords won't stop attackers from gaining the legit password by other methods: social engineering, keyloggers, or if the user's password is just "password", it wouldn't stop someone from just brute-forcing it. Honeywords are not a replacement for strong password policy and user awareness. If your users are still generating really, really crap passwords, or are still being allowed to use really, really crap passwords, then honeywords will not save you. Stanford University in the last two weeks published a quite good paper, and their theory is the longer your password is, the less complex it has to be, and they've enforced this across the entire campus. So if you've got an eight-character password, that has to have two uppers, two lowers, a couple of symbols; it has to be a certain level of complexity. If you've got a 27-character sentence, that can be all lowercase. So they're not letting security get in the way of good passwords; they're allowing people to have really good passwords, but the people who are going to try and pick rubbish passwords, we're stopping them.

So in summary: honeywords are a way of making password theft detectable, by seeding a database with known wrong passwords. Watching for these passwords in the system allows you to detect when you've had the database stolen. Modify the fake passwords periodically. Honeywords should be of varying difficulty to disguise themselves; I think that's one of the most important things. If you try and take this away to implement, your honeywords have to be from uncrackable right down to low-hanging fruit, because otherwise you've lost the point. Honeywords are not a replacement for strong password policies, strong storage mechanisms or getting your users to secure themselves. Has anyone got any questions?

[Audience question, partly inaudible: so somehow the mechanism to generate the wrong passwords should take into account the correct password, to try to make...]

Yeah, well, absolutely, the system equally knows the plaintext password when it's hashing. Yeah, yeah, it'd be plaintext in memory for a little bit longer.

[Second question inaudible]

That's something I've not worked out yet. If someone has a dictionary and they're brute-forcing, then potentially they could, but we should be rate-limiting that anyway, so the chances of it being in the first four attempts, five attempts, are unfortunately slim. Again, if it happens and if the system resets itself, then that's something to look at: a threshold, perhaps, of when you would trigger an alert for theft. Anyway, I'm led to believe lunch is impending, so I think if you head down there after this, lunch is just after ten past one.
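The generation rules and the three-box login flow the speaker walks through above (mangled dictionary words of varying difficulty that never collide with the real password; a passwords table holding a hash and a checksum per entry; a separate server that recomputes the checksum to tell a real hit from a honeyword hit) are pulled together below in one runnable Python example. This is an added illustration, not the speaker's dissertation demo or the Juels-Rivest reference code: the word list, the difficulty levels, the HMAC-based checksum and the salted SHA-256 hash (in place of the unsalted MD5 the slides used) are all assumptions made here.

```python
"""Honeyword generation plus the web server / database / checker split from the talk.

Added example (assumption throughout): the real entry's checksum is an HMAC over the
user and hash under a key only the checker holds; honeyword rows carry random
checksums of the same length, so a database dump alone shows five look-alike rows.
"""
import hashlib
import hmac
import os
import random
import secrets

# Constructed mini word list standing in for the speaker's dictionary (assumption).
WORDS = ["badger", "otter", "falcon", "harbour", "lantern", "orchard", "pebble", "velvet"]
LEET = str.maketrans({"a": "4", "e": "3", "o": "0", "s": "5"})
SYMBOLS = "!$#@"


def mangle(word, level, rng):
    """One candidate at the given difficulty: 0 is low-hanging fruit, 3 is tough."""
    if level == 0:                                   # plain lowercase dictionary word
        return word
    if level == 1:                                   # digits appended
        return f"{word}{rng.randint(1, 99)}"
    if level == 2:                                   # symbol prepended, leet substitutions
        return rng.choice(SYMBOLS) + word.translate(LEET)
    other = rng.choice([w for w in WORDS if w != word])   # two words concatenated
    return f"{word.capitalize()}{rng.randint(10, 999)}{other}{rng.choice(SYMBOLS)}"


def generate_honeywords(real_password, count, seed=None):
    """`count` distinct honeywords cycling through the difficulty levels, never
    equal to the real password (the bug the speaker hit in his own demo)."""
    rng = random.Random(seed)
    out = set()
    while len(out) < count:
        cand = mangle(rng.choice(WORDS), len(out) % 4, rng)
        if cand != real_password:
            out.add(cand)
    return sorted(out)


def pw_hash(password, salt):
    """Salted SHA-256 stands in for the talk's unsalted MD5 (assumption)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


class HoneyChecker:
    """The third box: holds the MAC key that the web and database servers never see."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def checksum(self, user, digest):
        return hmac.new(self._key, f"{user}:{digest}".encode(), "sha256").hexdigest()

    def is_real(self, user, digest, stored_checksum):
        # Recompute the checksum on the hash that was sent and compare, as in the talk.
        return hmac.compare_digest(self.checksum(user, digest), stored_checksum)


def enrol(db, checker, user, real_password, n_honeywords=4, seed=None):
    """Write one row per sweetword: the real one gets a genuine checksum,
    honeywords get random hex of the same length. Returns the honeywords."""
    salt = os.urandom(16)
    honeywords = generate_honeywords(real_password, n_honeywords, seed)
    rows = []
    for word in [real_password] + honeywords:
        digest = pw_hash(word, salt)
        cs = checker.checksum(user, digest) if word == real_password else secrets.token_hex(32)
        rows.append((digest, cs))
    random.Random(seed).shuffle(rows)   # row order must not give the real entry away
    db[user] = {"salt": salt, "rows": rows}
    return honeywords


def login(db, checker, user, password):
    """Web server side of the flow: returns 'wrong_password', 'ok' or 'honeyword_alarm'."""
    rec = db.get(user)
    if rec is None:
        return "wrong_password"
    digest = pw_hash(password, rec["salt"])
    # Database server: find the checksum where user and hash match.
    for stored_digest, cs in rec["rows"]:
        if hmac.compare_digest(stored_digest, digest):
            # Hash hit: ask the checker whether this is the user's true password.
            return "ok" if checker.is_real(user, digest, cs) else "honeyword_alarm"
    return "wrong_password"   # no hash hit at all: a typo, not a threat


if __name__ == "__main__":
    db, checker = {}, HoneyChecker()
    hw = enrol(db, checker, "gavin", "test1", seed=7)
    print("honeywords:", hw)
    for attempt in ["test1", hw[0], "wrong"]:
        print(attempt, "->", login(db, checker, "gavin", attempt))
```

A `honeyword_alarm` result is the signal the talk describes: the submitted password exists in the table but is not the one the checker vouches for, so the table has leaked and the account should be flagged for investigation or an enforced reset. Keeping the checker's key off the web and database hosts is what forces the attacker to compromise all three boxes before they can tell the five rows apart.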
