Security experts have put forward the idea of “honeywords” – fake passwords that if used by a hacker while trying to gain access to someone’s account, would trigger an alarm.
This particular idea stems from a common practice amongst companies of creating “honeypot” accounts: fake user accounts that don’t belong to anyone but, when accessed, send an alert to the company, letting it know that an attempted hack is underway.
The new measure would mean each account has a file that stores multiple cryptographically hashed passwords. If a hacker manages to crack these hashes, they would still have no way of determining which password is the real one. When they try to enter one of the fake passwords, a “honeychecker” would alert administrators to the hack attempt.
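As an added illustration (not code from the researchers or any product), the following simulates the scheme just described: each account record holds a shuffled set of password hashes, a separate honeychecker knows only which position is the real one, and a login that matches a decoy hash raises the alarm. Salted SHA-256 stands in for a real password hash here so that the example runs offline.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative only: a real deployment would use a slow, memory-hard
# password hash (e.g. Argon2 or scrypt) rather than a single SHA-256.
def hash_pw(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def enroll(real_password: str, decoys: list[str]) -> tuple[dict, int]:
    """Build the per-account record (salt + shuffled "sweetword" hashes).
    Returns the record and the index of the real password; only the
    honeychecker receives that index, the account file never does."""
    salt = os.urandom(16)
    sweetwords = decoys + [real_password]
    order = list(range(len(sweetwords)))
    secrets.SystemRandom().shuffle(order)       # hide the real one's position
    hashes = [hash_pw(sweetwords[i], salt) for i in order]
    real_index = order.index(len(sweetwords) - 1)
    return {"salt": salt, "hashes": hashes}, real_index

class Honeychecker:
    """Separate, hardened service holding only user -> index of real password.
    Cracking the account file alone reveals nothing about which hash is real."""
    def __init__(self) -> None:
        self._index: dict[str, int] = {}
    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx
    def check(self, user: str, idx: int) -> bool:
        return idx == self._index[user]

def login(user: str, password: str, records: dict, checker: Honeychecker) -> str:
    """Return 'ok', 'fail' or 'ALARM'. A legitimate user never types a decoy,
    so a match on any non-real hash is strong evidence the hashes were cracked."""
    rec = records[user]
    candidate = hash_pw(password, rec["salt"])
    for idx, h in enumerate(rec["hashes"]):
        if hmac.compare_digest(candidate, h):
            return "ok" if checker.check(user, idx) else "ALARM"
    return "fail"   # ordinary wrong password, no alarm
```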
Depending on the preferences of the company, this could temporarily suspend the user’s account until they reset their password, or it could allow the hacker access to a “fake honeypot” in which their behaviour and activities are tracked.
There are some drawbacks, such as a hacker deliberately triggering the alarm across a huge number of accounts, denying users access to their accounts in the process, but these are minimal when weighed against the advantages.