As online threats keep evolving, storing passwords securely remains a constant challenge for developers. The usual method, hashing each password with a per-user salt using a slow algorithm such as Argon2, bcrypt, or PBKDF2, does make offline brute-force attacks more expensive. But once a password database leaks, the attacker tests guesses at the speed of their own hardware, and nothing tells the defender that cracking is under way. This article looks at two unconventional approaches to password storage, Honeywords and Rock Salt, which add a detection layer and a resilience layer respectively.
This article is not a recommendation; its intention is to stimulate thought by exploring unorthodox approaches.
Why Password Storage Needs a New Twist
Passwords are the gatekeepers of web applications, but a salted hash has two limits once the database is stolen: it cannot tell anyone the theft happened, and the only thing slowing the attacker's guessing is the cost of the hash function. This is where Honeywords and Rock Salt come in. Honeywords store decoy passwords alongside the real one, so an attacker who cracks the stolen hashes and logs in with a decoy is detected. Rock Salt ties every password verification to a very large secret key kept on a separate, physically protected server, so stolen hashes cannot be checked offline at all. Together they give developers two complementary ways to protect passwords against increasingly capable attackers.
Honeywords: Decoy Passwords That Fight Back
The Honeywords technique (Juels and Rivest) stores several decoy passwords, the honeywords, alongside each user's real password in the credential database; the real password and its decoys together are called sweetwords. The decoys are hashed exactly like the real password and are designed to be indistinguishable from it. An attacker who steals the database, cracks the hashes and then logs in with a honeyword is detected: a separate, deliberately minimal system called the Honeychecker records only which of each user's sweetwords is the real one, and when the login server reports that a submitted password matched a decoy, the Honeychecker raises an alarm. Legitimate users are unaffected because their real password still matches, and the Honeychecker never sees passwords or hashes, only indices.
Picture an attacker who has exfiltrated the database and cracked a user's hashes: they see several plausible passwords and have no way to tell which one is genuine. If they log in with one of the decoys, the attempt is flagged immediately, giving administrators the chance to respond (forcing resets, revoking sessions) while the breach is still fresh. False alarms are rare, since a legitimate user would have to mistype their password into exactly one of the decoys. This way, Honeywords catch intruders early and raise the odds of detecting a breach before significant damage is done.
How to Set Up Honeywords in Practice
Adding Honeywords is straightforward. Each time a user creates or updates a password, the system generates several honeywords, shuffles them in with the real one and stores the hashes of all of them under the user's salt. Only the Honeychecker is told the position of the real one. At login, the login server hashes the submitted password and compares it against the user's stored sweetword hashes; if nothing matches, the login simply fails. If position i matches, the server asks the Honeychecker whether i is the real position. A yes means a normal login; a no means a honeyword was used, and an alert is raised for administrators to investigate. Because the Honeychecker holds only indices, compromising the credential database alone tells the attacker nothing about which sweetword is real.
Creating convincing decoys is the hard part. If honeywords look obviously fake, an attacker who has cracked the hashes can simply skip them. Juels and Rivest describe generators that mimic real passwords, for instance chaffing by tweaking (changing the digits or symbols of the real password) or drawing decoys from a model of real-world passwords. Whatever the method, the goal is that an attacker holding all the cracked sweetwords can do no better than guess, with a one-in-k chance of picking the real one among k sweetwords.
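Below is a compact end-to-end model of the scheme in Python, added here as an illustration; it is not code from the Juels and Rivest paper or from any real deployment. The Honeychecker is a class that stores only indices, the login server stores salts and shuffled sweetword hashes, and decoys are produced by replacing the real password's digits (the paper's chaffing-by-tweaking idea). The account name, password, PBKDF2 iteration count and the five-sweetword count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Low iteration count so the example runs quickly; production would use a tuned
# Argon2/bcrypt or a far higher PBKDF2 count (hypothetical parameters).
PBKDF2_ITERATIONS = 20_000
SWEETWORD_COUNT = 5  # one real password plus four honeywords


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. All of a user's sweetwords share the user's
    salt, so a login attempt costs exactly one hash computation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def tweak_digits(password: str, count: int) -> list[str]:
    """Chaffing by tweaking: replace the digits of the real password with random
    digits. A password with no digits gets a random two-digit suffix instead,
    so every account still receives decoys."""
    positions = [i for i, ch in enumerate(password) if ch.isdigit()]
    decoys: set[str] = set()
    while len(decoys) < count:
        if positions:
            chars = list(password)
            for i in positions:
                chars[i] = str(secrets.randbelow(10))
            candidate = "".join(chars)
        else:
            candidate = password + f"{secrets.randbelow(100):02d}"
        if candidate != password:
            decoys.add(candidate)
    return sorted(decoys)


class Honeychecker:
    """The separate system: stores only (user -> index of the real sweetword)
    and never sees a password or a hash."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}
        self.alerts: list[str] = []

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        self.alerts.append(f"honeyword used: user={user} index={index}")
        return False


class LoginServer:
    """Holds the credential database: per user, a salt and the shuffled hashes
    of all sweetwords. Nothing stored here reveals which hash is the real one."""

    def __init__(self, checker: Honeychecker) -> None:
        self.checker = checker
        self.db: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        sweetwords = tweak_digits(password, SWEETWORD_COUNT - 1) + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        self.db[user] = (salt, [hash_password(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail' (no sweetword matched) or 'honeyword' (alarm raised)."""
        if user not in self.db:
            return "fail"
        salt, hashes = self.db[user]
        digest = hash_password(password, salt)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(digest, stored):
                return "ok" if self.checker.check(user, index) else "honeyword"
        return "fail"


def demo() -> dict[str, object]:
    checker = Honeychecker()
    server = LoginServer(checker)
    server.register("alice", "Winter7!")  # constructed sample account
    results: dict[str, object] = {
        "real": server.login("alice", "Winter7!"),
        "wrong": server.login("alice", "Summer7!"),
    }
    # Simulated breach: the attacker has alice's salt and five hashes and cracks
    # them offline by trying every digit variant. All five crack, four are decoys,
    # and nothing in the stolen data says which. Logging in with a cracked decoy
    # trips the Honeychecker.
    salt, hashes = server.db["alice"]
    cracked = [f"Winter{d}!" for d in range(10) if hash_password(f"Winter{d}!", salt) in hashes]
    decoy = next(w for w in cracked if w != "Winter7!")
    results["cracked"] = len(cracked)
    results["decoy"] = server.login("alice", decoy)
    results["alerts"] = len(checker.alerts)
    return results


if __name__ == "__main__":
    print(demo())
```

The breach simulation is the point of the exercise: cracking succeeds completely, yet the attacker's stolen data gives a four-in-five chance of tripping the alarm on the first login. In a real deployment the Honeychecker would run on its own host with a narrow interface (set and check only), and an alert should be treated as confirmation that the credential database has leaked, not as a single suspicious login.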
Rock Salt: Password Security with a Physically Protected Key
While Honeywords focus on catching attackers in the act, Rock Salt (Reinhold) adds brute-force resilience by involving a physically protected Very Large Key (VLK). The problem it addresses: with ordinary hashing and salting, an attacker who has stolen the database can test password guesses offline, limited only by their own hardware. Rock Salt changes this by making password verification depend on both the salted password hash and on bytes taken from a VLK that lives only on a separate, restricted-access Rock Salt Server (RSS). Without the VLK, a stolen hash cannot be checked against any guess.
Here’s how Rock Salt’s VLK works in practice:
Password Entry and Hashing: When a user logs in, the application server hashes the entered password with the user's salt, a random per-user value stored with the account.
Salt Sent to the Rock Salt Server: The salt is sent to the RSS. Since the lookup depends only on the salt, the password hash itself can stay on the application server. Inside the RSS, the salt acts as a kind of map into the VLK: it selects specific offsets, in effect saying, "Give me these bytes."
Combining Salt and VLK: The RSS reads the selected VLK bytes and combines them with the salt to produce the Rock Salt, a value that is deterministic for a given salt (it has to be, or verification would never match) but cannot be reproduced by anyone without the VLK. The Rock Salt is then combined with the password hash to produce the final verifier.
Final Hash Comparison: This final hash is compared with the value stored in the database. If it matches, access is granted; if not, the login attempt is denied.
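The four steps above, modelled in Python as an added example rather than Reinhold's reference design or code. The Rock Salt Server holds a VLK and maps a salt to offsets into it with SHAKE-256; the offset derivation, segment sizes, the HMAC combination step and the 1 MiB key size are assumptions chosen for the demo, and the account data is constructed. The breach simulation at the end shows why a stolen database is useless without the VLK, and why a single damaged VLK byte is enough to break verification.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 20_000  # demo value; production uses a tuned, slower setting
VLK_SIZE = 1 << 20          # 1 MiB for the demo; a real VLK is terabytes, too big to exfiltrate quietly
SEGMENT_BYTES = 32          # VLK bytes read per selected offset (assumption)
SEGMENT_COUNT = 16          # offsets selected per salt (assumption)


def selected_offsets(vlk_len: int, salt: bytes) -> list[int]:
    """The salt is the map: expand it into SEGMENT_COUNT offsets into the VLK."""
    stream = hashlib.shake_256(salt).digest(8 * SEGMENT_COUNT)
    span = vlk_len - SEGMENT_BYTES
    return [int.from_bytes(stream[i:i + 8], "big") % span for i in range(0, len(stream), 8)]


class RockSaltServer:
    """Stands in for the RSS. It holds the VLK and answers one question only:
    'what is the Rock Salt for this salt?'. It never sees passwords or hashes."""

    def __init__(self, vlk: bytes) -> None:
        self._vlk = vlk

    def rock_salt(self, salt: bytes) -> bytes:
        # Combine the selected VLK bytes with the salt. The result is deterministic
        # for a given salt (so verification works) but unreproducible without the VLK.
        segments = b"".join(self._vlk[o:o + SEGMENT_BYTES]
                            for o in selected_offsets(len(self._vlk), salt))
        return hmac.new(segments, salt, hashlib.sha256).digest()


class ApplicationServer:
    """Holds the credential database: user -> (salt, final hash)."""

    def __init__(self, rss: RockSaltServer) -> None:
        self.rss = rss
        self.db: dict[str, tuple[bytes, bytes]] = {}

    def final_hash(self, password: str, salt: bytes) -> bytes:
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        rock = self.rss.rock_salt(salt)  # the only step that needs the VLK
        return hmac.new(rock, pw_hash, hashlib.sha256).digest()

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self.final_hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(self.final_hash(password, salt), stored)


def demo() -> dict[str, bool]:
    vlk = os.urandom(VLK_SIZE)  # constructed VLK; a real one is generated once and never copied
    app = ApplicationServer(RockSaltServer(vlk))
    app.register("bob", "correct horse battery staple")  # constructed sample account
    results = {
        "legit_login": app.verify("bob", "correct horse battery staple"),
        "wrong_password": app.verify("bob", "incorrect horse"),
    }
    # Breach simulation: the attacker has bob's salt and final hash and even
    # guesses the right password, but has no VLK. Any substitute VLK yields a
    # different Rock Salt, so the correct guess cannot be confirmed offline.
    salt, stored = app.db["bob"]
    offline = ApplicationServer(RockSaltServer(os.urandom(VLK_SIZE)))
    offline.db["bob"] = (salt, stored)
    results["offline_guess_confirmed"] = offline.verify("bob", "correct horse battery staple")
    # Flip one bit in a VLK byte the salt actually selects: verification fails,
    # showing the final hash depends on the exact VLK contents.
    damaged = bytearray(vlk)
    damaged[selected_offsets(len(vlk), salt)[0]] ^= 0x01
    tampered = ApplicationServer(RockSaltServer(bytes(damaged)))
    tampered.db["bob"] = (salt, stored)
    results["vlk_byte_flipped"] = tampered.verify("bob", "correct horse battery staple")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the RSS interface is a single function of the salt, so the application server never hands it a password or a hash, and the RSS can be rate-limited and logged like any other sensitive service. The bit-flip check doubles as an operational test: a VLK that has been corrupted or restored from the wrong backup locks every user out, so the key needs integrity checks and a carefully protected backup.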
Because the VLK is involved in every verification, an attacker who steals the password database cannot test guesses offline: each guess would need a round-trip to the RSS, which is designed to be physically protected, reachable only from the application servers, and large enough that copying it out unnoticed is impractical. Online guessing through the normal login path remains possible, so the usual rate limiting and lockout controls still apply, and the RSS itself becomes the high-value target that must be monitored.
Because its strength rests on the secrecy of a large random key rather than on a hard mathematical problem, Rock Salt is not weakened by quantum algorithms, and its reliance on physical security makes it suited to environments that need long-term, high-resilience password protection.
Honeywords vs. Rock Salt: How They Work Together
Honeywords and Rock Salt have different strengths, but they work well together. Honeywords focus on detection, providing an early warning that an intruder holds the credential database, while Rock Salt offers brute-force protection, making passwords uncrackable offline even when the database has been stolen. Honeywords are simpler to deploy, so they suit systems that mainly need an alert mechanism, while Rock Salt suits environments that already have the infrastructure for secure physical storage.
Real-World Applications of Honeywords and Rock Salt
For web platforms with frequent user logins, like social media or e-commerce sites, Honeywords make intrusions easier to spot. If an attacker obtains the credential database, the first login with a decoy acts as an immediate alarm.
Rock Salt is a better fit for banks or large corporations holding highly sensitive data. Since the approach requires dedicated, physically secured infrastructure, it suits organizations that can run and monitor the additional server.
Potential Hurdles and Downsides
For Honeywords, the main challenge is generating decoys that look real. Advanced honeyword generators use models of real password behaviour to produce believable decoys, but they need updating over time as password habits change. A second operational point is that the Honeychecker must be a genuinely separate system: an attacker who compromises both it and the credential database learns exactly which sweetword is real. Rock Salt's biggest hurdle is cost, given the hardware and security requirements, which may be overkill for smaller applications. It is, however, easy to build a DIY version by storing a random file of a few terabytes on a separate server and using it as a VLK that is difficult to leak; the protection is only as good as that server's isolation, since a VLK readable from a compromised application host adds nothing.
Making the Most of Both Techniques
Using Honeywords and Rock Salt together offers the best of both worlds. Honeywords give an immediate alert when an intruder tries a decoy, while Rock Salt keeps the real passwords uncrackable without the VLK. To make this work, developers should keep the honeyword generator current, keep the Honeychecker isolated, and manage the Rock Salt Server's key storage, access control and backups with the same care as any other root-of-trust component.
References
Ari Juels and Ronald L. Rivest, "Honeywords: Making Password-Cracking Detectable", ACM CCS 2013.
Arnold G. Reinhold, "Rock Salt: A Method for Securely Storing and Utilizing Password Validation Data".