Security Corner

Jan 17 2012   10:57AM GMT

What the heck is a password honeypot?

Ken Harthun

Has your Gmail, Yahoo, Hotmail or Skype account ever been hacked? If so, chances are you either have an easily guessed password, or you handed the attackers your login credentials yourself by typing them into a password honeypot. What the heck is a password honeypot? Good question. Let me give you a bit of background.

The good guys who fight malware set up servers and computers that are directly connected to the Internet and deliberately left vulnerable to infection. They do this knowing that the bad guys will infect the machines as soon as they find them. The good guys then have an in-the-wild copy of the malware that they can reverse engineer to see how it works. This is the good version of a honeypot. All of the major anti-malware companies continually monitor their honeypots to discover new malware and variants of old malware.

The bad guys want to hack you and steal your credentials so they can gain access to your accounts for nefarious purposes, such as sending spam, draining your bank accounts, hijacking your credit card numbers, or even stealing your identity. Besides other, more conventional methods such as email links and poisoned search results, the bad guys set up websites that pretend to give you access to good stuff, often free software, games, etc., and require you to "create an account" to gain access. This is the bad version of the honeypot.

The bad guys know that most people always use the same login name for everything and often also use the same password for everything. Create an account on one of these password honeypots, and there’s a good chance the bad guys have what they need to make your life miserable. Once they have the credentials you used to create the honeypot account, the bad guys (or their hired cronies) will try those credentials on all of the major email, social networking, banking, and credit card sites.

This is one very good reason never to use the same password on more than one site, and certainly never to use the same credentials as your financial accounts. I have a very specific username for certain types of sites I don't trust, and I always use a different, unguessable password for each one.
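The advice above can be turned into a quick audit of your own password list. The script below is an added example and is not code from the original post: the entries are constructed, and the "untrusted" and "financial" categories are assumptions standing in for the author's "sites I don't trust" and "financial accounts". It reports passwords shared across sites, flags any untrusted site that shares a username or password with a financial one (exactly the overlap a password honeypot exploits), and replaces every reused password with a fresh random one from the `secrets` module.

```python
"""Audit a credential list for the reuse this post warns about.

Added example, not from the original post. SAMPLE_ENTRIES is a constructed
export; the category labels are assumptions for the sake of illustration.
"""
import math
import secrets
import string
from collections import defaultdict

# Constructed sample export: (site, category, username, password).
SAMPLE_ENTRIES = [
    ("mail.example.com",       "email",     "ken",      "Summer2011!"),
    ("bank.example.com",       "financial", "ken",      "Summer2011!"),
    ("free-games.example.net", "untrusted", "ken",      "Summer2011!"),
    ("social.example.org",     "social",    "ken",      "b7Gq!x2Lp9Rz"),
    ("cards.example.com",      "financial", "kharthun", "m4Vt$8Kz@pQ1"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def find_reused_passwords(entries):
    """Map each password that appears on more than one site to those sites."""
    by_password = defaultdict(list)
    for site, _category, _user, password in entries:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_untrusted_overlap(entries):
    """Return (untrusted_site, financial_site, what_is_shared) triples.

    A username or password entered on an untrusted site and also valid on a
    financial site is what a password honeypot operator replays against banks
    and card issuers.
    """
    financial = [e for e in entries if e[1] == "financial"]
    untrusted = [e for e in entries if e[1] == "untrusted"]
    hits = []
    for u_site, _, u_user, u_pw in untrusted:
        for f_site, _, f_user, f_pw in financial:
            shared = [name for name, same in (("username", u_user == f_user),
                                              ("password", u_pw == f_pw)) if same]
            if shared:
                hits.append((u_site, f_site, "+".join(shared)))
    return hits


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def remediate(entries):
    """Copy of entries with every reused password replaced by a fresh unique one.

    Only passwords are changed; a shared username is left for the owner to fix,
    which is why the untrusted/financial overlap check is worth re-running.
    """
    reused = find_reused_passwords(entries)
    fixed = []
    for site, category, user, password in entries:
        if password in reused:
            password = generate_password()
        fixed.append((site, category, user, password))
    return fixed


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_ENTRIES).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for u_site, f_site, shared in find_untrusted_overlap(SAMPLE_ENTRIES):
        print(f"WARNING: {u_site} shares {shared} with {f_site}")
    print(f"a 20-character random password carries {entropy_bits(20):.0f} bits")
    fixed = remediate(SAMPLE_ENTRIES)
    for u_site, f_site, shared in find_untrusted_overlap(fixed):
        print(f"still shared after remediation: {shared} ({u_site} vs {f_site})")
```

After remediation the password overlap disappears, but the audit still reports the shared username between the free-games site and the bank, which is the second half of the author's advice: a separate username for sites you don't trust.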
