Honeypot Password
If someone's going to hack in, make it really easy for them.

In many business networks users are forced to change their passwords on a regular basis. Some of these users, to avoid that embarrassing "I've forgotten my password" call to the IT department, write their password down, or choose something very obvious.

The honeypot password, or passwords, would be configurable anti-passwords that, if used, would alert the IT department (and/or security) that the account was being hacked. They would consist of passwords that the user feels are too obvious for them to use, previously compromised passwords and a core list of frequently used passwords maintained by the IT department. You could even write one of them down on a post-it note and stick it under the keyboard.
-- st3f, Oct 06 2003

Panic PIN http://www.halfbake...om/idea/Panic_20PIN
The unashamed inspiration. [st3f, Oct 05 2004, last modified Oct 17 2004]

Design and Implementation of a Sniffer Detector http://www.raid-sym...tml#Grundschober_31
By Stephane Grundschober of IBM, presented at RAID 1998. Quoting: "The tool then waits for the intruder to use the information bait. Nobody besides the intruder has knowledge of these accounts and passwords. If someone reuses these pairs, the tool recognizes symptoms of an attack and can trigger an alarm" [krelnik, Oct 05 2004, last modified Oct 21 2004]

(?) Password Filter API on Windows http://msdn.microso...ters.asp?frame=true
This could be used to prevent a user from setting their actual password to one of the honeypot passwords. [krelnik]

LASEC http://lasecpc13.epfl.ch/ntcrack/
I tried this when they had the password cracker demo up - very fast. [krelnik, Oct 05 2004, last modified Oct 21 2004]


(Honeypot?)

Three questions:
Who establishes these passwords?
Where are they established?
How is the user informed the passwords are off limits?
-- phoenix, Oct 06 2003


phoenix: Oh yes, honeyPOT. Thanks. (idea renamed)

The core set of honeypot passwords I'd see as being established by the IT department. Things like 'password', the names of football teams and so on. Users trying to change their password to one of these would be politely told that they can't.

The account specific ones could be set up by the user when they change their password:
"Enter one password that gets you into your account and one that sets off the alarm system,"
or by IT:
"You think that they were looking intently at the keyboard when you typed your password, Mr Jones? OK, I've set your old password to go honeypot after one more login. Log in now and you'll be prompted to change your password. The old one will set off the alarms if you use it after that."

jutta: The mass crack is probably more common these days, and that should set off the alarm bells by the sheer volume of attempts. This system should trigger when a dictionary was thrown at a remote interface, but it's not really the best tool for that.
-- st3f, Oct 06 2003


I saw a paper presented by some folks from IBM Zurich at an intrusion detection conference that was a very elaborate system for doing just this. Once the honeypot passwords were established, they would actually deliberately transmit traffic in protocols that use clear-text passwords (telnet, FTP, HTTP and so on) in an attempt to "lure" an observing hacker to use the passwords. It was all three-tiered stuff with a highly elaborate infrastructure and so on.

The funny part was they never once caught a hacker using this system.

[edit] Yes, I found the link. It was at the very first Recent Advances in Intrusion Detection (RAID) conference, held in 1998 in Belgium.

//How is the user informed the passwords are off limits?//
In Windows there's an API that allows you to 'hook' the password change procedure with your own code in a DLL, you could use that to prevent anyone from setting their "real" password to one of the honeypot passwords.
-- krelnik, Oct 06 2003
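The scheme sketched in the idea and in st3f's and krelnik's replies above, as one worked example: an IT-maintained core list of "too obvious" passwords, per-account anti-passwords, an old password that "goes honeypot" after one more login, a login check that raises an alert instead of granting access when any of them is used, and a change-time filter (the role krelnik assigns to the Windows Password Filter API) that refuses to let a real password be set to a honeypot value. This is added illustration code, not code from the thread or from any product; the class and method names, the alert format, and the sample user and passwords are all constructed for the example.

```python
"""Honeypot ("anti-") passwords for a small account store.

Added example, not from the original thread. Every user name, password and
honeypot value below is constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    salt: bytes                      # fixed per account so honeypot hashes stay comparable
    real_hash: bytes                 # PBKDF2 of the genuine password
    honeypots: set = field(default_factory=set)   # PBKDF2 of each account-specific anti-password
    retire_on_login: bool = False    # "old password goes honeypot after one more login"


class HoneypotPasswordStore:
    def __init__(self, core_honeypots, iterations=50_000):
        # Core list maintained by IT ('password', football teams, ...); matched case-insensitively
        self.core = {p.lower() for p in core_honeypots}
        self.iterations = iterations
        self.accounts = {}
        self.alerts = []             # (user, reason) records that would go to IT / security

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _matches_honeypot(self, acct, password, digest):
        if password.lower() in self.core:
            return True
        return any(hmac.compare_digest(digest, h) for h in acct.honeypots)

    def is_forbidden(self, user, password):
        """Password-change filter: a real password may never equal a honeypot."""
        acct = self.accounts.get(user)
        if acct is None:
            return password.lower() in self.core
        return self._matches_honeypot(acct, password, self._kdf(password, acct.salt))

    def set_password(self, user, new_password, extra_honeypots=()):
        """Create or change the real password; optionally register per-account anti-passwords."""
        if self.is_forbidden(user, new_password):
            raise ValueError("that password is on the honeypot list; choose another")
        acct = self.accounts.get(user)
        if acct is None:
            acct = Account(salt=os.urandom(16), real_hash=b"")
            self.accounts[user] = acct
        acct.real_hash = self._kdf(new_password, acct.salt)
        for hp in extra_honeypots:
            acct.honeypots.add(self._kdf(hp, acct.salt))

    def retire_current_password(self, user):
        """IT marks the current password to become a honeypot after the next successful login."""
        self.accounts[user].retire_on_login = True

    def login(self, user, password):
        """Return (ok, message). Honeypot hits are refused and recorded as alerts."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, "login failed"
        digest = self._kdf(password, acct.salt)
        # Honeypots are checked before the real hash so a retired password always trips the alarm
        if self._matches_honeypot(acct, password, digest):
            self.alerts.append((user, "honeypot password used"))
            return False, "login failed"
        if hmac.compare_digest(digest, acct.real_hash):
            if acct.retire_on_login:
                acct.honeypots.add(acct.real_hash)
                acct.retire_on_login = False
                return True, "login ok; change your password now"
            return True, "login ok"
        return False, "login failed"


def demo():
    """Walk through the scenario from the thread and return the alerts raised."""
    store = HoneypotPasswordStore(["password", "Arsenal"])
    store.set_password("jones", "correct horse battery", extra_honeypots=["jones2003"])
    store.login("jones", "jones2003")                  # account-specific honeypot -> alert
    store.login("jones", "Password")                   # core list, case-insensitive -> alert
    store.retire_current_password("jones")             # shoulder-surfed password goes honeypot
    store.login("jones", "correct horse battery")      # last legitimate use; user must change it
    store.set_password("jones", "new passphrase 42")
    store.login("jones", "correct horse battery")      # old password now trips the alarm
    return store.alerts


if __name__ == "__main__":
    for user, reason in demo():
        print(f"ALERT {user}: {reason}")
```

The honeypot hashes share the account's salt so they survive password changes; the core list is compared in plaintext because it is not secret and must also be enforced at change time. A real deployment would route `alerts` to a SIEM rather than keep them in memory.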


Given that honeypot passwords sort of already exist in the form of the default admin passwords that all too many systems have, you could just reroute those, since those are the first line of attack for hackers.
-- DrCurry, Oct 06 2003


krelnik, you're a star. The depth and breadth of the knowledge of the core (corps?) of halfbakers never ceases to amaze me.

DrCurry: I like it. It's a neat first approximation that doesn't require you to create the concept of an 'anti-password' within the operating system. Wouldn't stop a targeted attack on another account, though.
-- st3f, Oct 06 2003


<bows>
-- krelnik, Oct 06 2003


Isn't it a bit of a security hole that you can actually download the whole password database? Does this have any legitimate purpose that couldn't be met by other means?
-- st3f, Oct 06 2003


Well even on systems where a mass download is not feasible, cracking attacks can still be attempted. For instance, Windows logins use a cryptographic hash algorithm on connect, but attacks have been mounted on it. So you just need a way to peek at the connection traffic between the client and the server. This is why having a 'Sniffer' on an attacked network is so useful to a hacker, and why IBM wanted to detect them.

That's also why occasionally actually using the passwords in ways that a hacker might detect would be useful to this scheme. The post-it under the keyboard is a first step in that direction; the IBM paper describes an incredibly elaborate one.
-- krelnik, Oct 06 2003
