It seems like every other week another high-profile company’s servers are hacked. Last November, for example, Adobe suffered a security breach in which as many as 150 million users may have been affected. Rather than simply lamenting such breaches, two security researchers are using these data dumps to try to thwart the next attackers, with a clever new method called Honey Encryption, reports MIT Technology Review.
With Honey Encryption, when hackers try to decrypt a secure database, they won’t know whether they’ve correctly guessed the encryption key. Normally, decrypting with an incorrect key returns a garbled mess. With Honey Encryption, an incorrect key instead returns a fake but legitimate-looking database, generated in part from the database dumps of previous security breaches.
Security researchers Ari Juels and Thomas Ristenpart developed Honey Encryption because they believed “[decoys] and deception are really underexploited tools in fundamental computer security.”
Right now, Juels is using Honey Encryption to create a fake password vault generator for password managers. While password managers may help users create complex and unique passwords for individual accounts, users often use weak master passwords because they frequently have to type them in. As a result, password managers are frequently the target of attackers.
To build the fake password vault generator, Juels is taking advantage of previous security breaches, drawing on password collections leaked from hacked password managers and from other services.
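The mechanism described above (a wrong key decrypts to a plausible decoy rather than garbage) and its application to a password vault, as an added toy example that is not code from Juels, Ristenpart or the article. It assumes a constructed four-entry message distribution, a constructed salt, and a 32-bit seed space; a real honey vault would model the full password distribution and use a proper cipher rather than a PBKDF2-derived pad.

```python
import hashlib
import secrets

SEED_BITS = 32                       # width of the uniform seed space
SEED_SPACE = 1 << SEED_BITS
SALT = b"constructed-demo-salt"      # constructed; a real vault stores a random salt

# Constructed toy message space: plausible vault entries with relative frequencies.
# Assumption: a real honey vault models the whole password distribution, not four strings.
MESSAGES = [("password1", 50), ("letmein", 30), ("Tr0ub4dor&3", 15), ("xK9$qP2!mL", 5)]

def _intervals():
    """Split the seed space into one interval per message, sized by its frequency."""
    total = sum(w for _, w in MESSAGES)
    out, cum, lo = [], 0, 0
    for msg, w in MESSAGES:
        cum += w
        hi = (cum * SEED_SPACE) // total   # last interval ends exactly at SEED_SPACE
        out.append((msg, lo, hi))
        lo = hi
    return out

def encode(msg):
    """Distribution-transforming encode: a uniformly random seed inside the message's interval."""
    for m, lo, hi in _intervals():
        if m == msg:
            return lo + secrets.randbelow(hi - lo)
    raise ValueError("message not in the modelled distribution")

def decode(seed):
    """Decode: every seed in [0, SEED_SPACE) maps to some plausible message, never to garbage."""
    for m, lo, hi in _intervals():
        if lo <= seed < hi:
            return m
    raise ValueError("seed out of range")

def _pad(key):
    """Derive a SEED_BITS-wide one-time pad from the (possibly weak) master password."""
    raw = hashlib.pbkdf2_hmac("sha256", key.encode(), SALT, 10_000, SEED_BITS // 8)
    return int.from_bytes(raw, "big")

def encrypt(msg, key):
    return encode(msg) ^ _pad(key)

def decrypt(ciphertext, key):
    """Never fails: a wrong key gives a different seed, which still decodes to a
    legitimate-looking entry, so an offline guesser gets no 'garbled' rejection signal."""
    return decode(ciphertext ^ _pad(key))

def guess_outcomes(ciphertext, guesses):
    """What each candidate master password yields: only plausible entries, right or wrong."""
    return [decrypt(ciphertext, g) for g in guesses]
```

Because decryption cannot fail, the defender's remaining job is to make the decoy distribution match real vaults closely enough that the attacker cannot tell which output is genuine.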