This seems absurdly complicated, much like the multi-machine password splitting scheme being peddled by RSA. It assumes we have two servers, an insecure one with a passwd database and a secure one with a honey passwd database. So we make the insecure server double check the login with the secure server? Seems a lot simpler to just go ahead and move the passwd database to the secure server and have all logins go through there.
This also didn’t make sense to me:
“An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword.”
So this is only to prevent the case of someone compromising a server, getting a list/database table of account password hashes, trying to crack them offline, and then logging back into that same site as those users.
If someone has enough access to a server to get the list/database table of hashed passwords, they probably have enough access to also steal most of the user data without having to log in as each user. The primary concern for theft of a password list is that it gives an email address and possible plaintext password that they can use to log in to another, possibly more valuable site as that user, which this honeyword concept won’t protect against.
100% agreed. I didn’t mention that because it’s outside the very limited scope they claim to be solving.
I cynically suspect this was done just to fluff up the RSA product they’re selling. “Look, PhD papers and stuff.” Maybe RSA will sell you a service where everybody can subscribe to a list of honeywords and then for the low low price of $X/month you can detect login attempts using somebody else’s stolen password database.
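The two-server check discussed in this thread, as an added example that is not from any commenter or from the paper's authors: the exposed login server keeps several salted hashes per user, and a separate checker keeps only the index of the real one, so a login with a cracked decoy raises an alarm. The class names, sample passwords and the choice of PBKDF2 are assumptions made for the illustration.

```python
import hashlib, hmac, os, secrets

def slow_hash(salt: bytes, word: str) -> bytes:
    # Salted PBKDF2; the iteration count is kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 10_000)

class HoneyChecker:
    """Hypothetical hardened server: stores only the index of the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []

    def set(self, user, idx):
        self._index[user] = idx

    def check(self, user, idx):
        if self._index.get(user) == idx:
            return True
        self.alarms.append(user)  # a decoy matched: the hash file was likely stolen
        return False

class LoginServer:
    """Hypothetical exposed server: k hashes per user, one real, the rest honeywords."""
    def __init__(self, checker):
        self.checker = checker
        self.table = {}

    def register(self, user, password, honeywords):
        words = honeywords + [password]  # honeywords assumed distinct from password
        secrets.SystemRandom().shuffle(words)
        salt = os.urandom(16)
        self.table[user] = (salt, [slow_hash(salt, w) for w in words])
        self.checker.set(user, words.index(password))

    def login(self, user, attempt):
        if user not in self.table:
            return "rejected"
        salt, hashes = self.table[user]
        digest = slow_hash(salt, attempt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(stored, digest):
                return "ok" if self.checker.check(user, idx) else "alarm"
        return "rejected"  # ordinary wrong password, no alarm

def demo():
    checker = HoneyChecker()
    server = LoginServer(checker)
    decoys = ["tulip-19-Mango", "tulip-52-Mango", "tulip-88-Mango"]  # constructed
    server.register("alice", "tulip-74-Mango", decoys)
    tries = ["tulip-74-Mango", "tulip-52-Mango", "not-in-the-list"]
    return [server.login("alice", t) for t in tries], checker.alarms
```

The alarm only fires on a login attempt at this site, which is the limited scope the comments above point out: it does nothing for the same password reused elsewhere.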