Introduced by Juels and Rivest in 2013, Honeywords, which are decoy passwords stored alongside a real password, appear to be a proactive method for detecting the misuse of password credentials. However, despite over a decade of research, this technique has not been adopted by major authentication platforms. This position paper argues that the core concept of Honeywords has potential but requires more research on issues such as flatness, integration, and reliability in order to become a practical, deployable solution. The paper examines current work on Honeyword generation, attacker modeling, and honeychecker architecture, analyzing the subproblems that have been addressed and the ongoing issues that prevent the system from being more widely used. It then proposes a deployable framework that combines the attacker-resilient, context-aware decoy creation that Honeywords provide with easy integration into existing systems. Honeywords will only move from an academic idea to a practical security tool if technical advances are paired with secure and straightforward architectures, adaptive response handling, and detailed configuration checks.
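As an added illustration, not code from the paper, the following Python model shows the split design the abstract refers to: the authentication server stores salted hashes of every sweetword (the real password plus its decoys) without knowing which is real, while a separate honeychecker holds only the index of the genuine one, so a decoy match is turned into an alarm instead of a successful login. Class names, the decoy list and the sample account are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

class Honeychecker:
    """Separate, hardened component: stores only which sweetword index is the real password."""
    def __init__(self):
        self._real_index = {}   # user -> index of the genuine password
        self.alarms = []        # users for whom a decoy (honeyword) was submitted
    def set_index(self, user, index):
        self._real_index[user] = index
    def check(self, user, index):
        # True only for the real password; a decoy hit is recorded for incident response.
        if self._real_index[user] == index:
            return True
        self.alarms.append(user)
        return False


class AuthServer:
    """Holds the salted hashes of all sweetwords, but never learns which one is real."""
    def __init__(self, checker):
        self.checker = checker
        self.records = {}       # user -> (salt, [hash of each sweetword])

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, real_password, decoys):
        if real_password in decoys:
            raise ValueError("a decoy must not equal the real password")
        sweetwords = list(decoys) + [real_password]
        secrets.SystemRandom().shuffle(sweetwords)   # position must reveal nothing
        salt = os.urandom(16)
        self.records[user] = (salt, [self._hash(salt, w) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(real_password))

    def login(self, user, password):
        salt, hashes = self.records[user]
        candidate = self._hash(salt, password)
        # Compare against every sweetword so timing does not reveal which slot matched.
        matches = [i for i, h in enumerate(hashes) if hmac.compare_digest(h, candidate)]
        if not matches:
            return "fail"            # not a sweetword at all: ordinary wrong password
        if self.checker.check(user, matches[0]):
            return "ok"              # genuine password
        return "honeyword_hit"       # decoy used: a sign the hash store leaked and was cracked
```

Because the honeychecker only ever receives an index, a compromise of the authentication server's hash store alone does not tell an attacker which of the sweetwords is real.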