
Honeywords in SQL Server

By Steve Jones,

As we become more and more security conscious, it becomes more important not only to configure systems for better security, but also to add monitoring and auditing that detects problems when they occur. We know that at some point someone will attempt to hack our systems. Many of us have auditing set up to detect failed logins, but is that good enough?

If a hacker manages to gain access to your password hashes, and it's not a stretch these days to think that they might, wouldn't you like to know if they manage to find the plain text that corresponds to the hash? There's an idea that systems could be written to store multiple passwords for each user account, of which only one is valid. A separate system detects attempts to log in with the false passwords and alerts administrators to a hacking attempt.

This is an interesting idea, and while it won't solve all our problems, it will solve some. If a brute force attack occurs on an account, and multiple passwords are being tried, all of which are known to be false (the honeyword passwords), administrators can be notified and warnings passed on to users. It doesn't help if the hacker happens to enter the correct password first, but with enough honeywords, you reduce the chances that they will.
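The scheme described above, as an added Python example that is not the article's code and not anything SQL Server ships: the password table holds several hashed sweetwords per account, while a separate honeychecker holds only the index of the real one and raises the alert when any other index matches. Salted PBKDF2 as the hash and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example, not the article's or SQL Server's code: each account stores
# several hashed "sweetwords" (real password plus decoys); only the honeychecker
# knows which index is real, and a hit on any other index raises an alert.

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialStore:  # what a thief of the hash table sees: all sweetwords look alike
    def __init__(self):
        self.users = {}
    def add_user(self, user, password, decoys):
        salt = os.urandom(16)
        sweetwords = list(decoys) + [password]
        secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
        self.users[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        return sweetwords.index(password)  # handed only to the honeychecker

    def match(self, user, attempt):
        salt, hashes = self.users[user]
        h = hash_pw(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return i  # index of the sweetword the attempt matched
        return None  # no sweetword matched: an ordinary bad password

class HoneyChecker:  # separate, hardened system holding only user -> real index
    def __init__(self):
        self.real_index, self.alerts = {}, []
    def check(self, user, idx):
        if idx == self.real_index[user]:
            return True
        self.alerts.append(f"honeyword hit: user={user} index={idx}")  # page the DBA
        return False

def login(store, checker, user, attempt):
    """'ok', 'bad_password', or 'honeyword' (a decoy was used and an alert was raised)."""
    idx = store.match(user, attempt)
    if idx is None:
        return "bad_password"
    return "ok" if checker.check(user, idx) else "honeyword"

def demo():
    store, checker = CredentialStore(), HoneyChecker()
    decoys = ["Summer2023", "Welcome1!", "Passw0rd#"]  # constructed sample decoys
    checker.real_index["alice"] = store.add_user("alice", "R3dgate!2024", decoys)
    return [login(store, checker, "alice", w) for w in ("R3dgate!2024", "Welcome1!", "letmein")], len(checker.alerts)
```

A stolen copy of `CredentialStore` alone does not reveal which of the four hashes is the real password; the attacker's odds of guessing right first are one in four, and any other choice is reported.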

I don't know that I'd like to see this for SQL Server, but I certainly would like to see additional security features. Two factor authentication would be nice, perhaps even some sort of approval process that required multiple approvals for some changes. The latter would help us prevent the cowboy DBA from making changes without anyone else being aware of them.

Detection of breaches, using something like honeywords, provides another layer of security. It doesn't prevent hacks, but it can help us deal with them.

Steve Jones
