django-amnesia-honeywords — add honeyword breach detection to your Django auth (MSc thesis, feedback welcome)

Hi everyone,

I’ve just published django-amnesia-honeywords, a drop-in authentication backend that adds honeyword-based breach detection to Django - built as part of my MSc thesis at TU Delft on why honeywords haven’t been adopted in practice.

What problem does it solve?

When attackers breach a credential database, they crack hashes offline - silently, before you know anything happened. Honeywords flip this: instead of storing one password hash per user, you store k hashed candidates (1 real, k-1 decoys). If an attacker cracks your database and tries to log in with a stolen credential, there’s a high probability they’ll pick a decoy and get flagged immediately.

Why this package specifically?

The original honeyword scheme (Juels & Rivest, 2013) requires a separate “Honeychecker” service - operationally painful, which is likely one reason nobody deploys it. This package implements the Amnesia scheme (Wang & Reiter, USENIX '21) which eliminates that requirement entirely. No separate service, no persistent secret.

Install

pip install django-amnesia-honeywords

Quick setup

INSTALLED_APPS += ['django_honeywords.apps.DjangoHoneywordsConfig']
AUTHENTICATION_BACKENDS = ['django_honeywords.backend.HoneywordsBackend']
HONEYWORDS = {
    'AMNESIA_K': 20,
    'ON_HONEYWORD': 'log',  # or 'lock' / 'reset'
}

Run migrations, then initialize users at signup:

from django_honeywords.amnesia_service import amnesia_initialize_from_settings
amnesia_initialize_from_settings(user, raw_password)

On breach detection, a Django signal fires so you can plug in your own
alerting (email, Slack, SIEM, etc.).

Why I’m posting here

Part of my thesis is empirically studying why honeywords don’t get deployed in production despite a decade of research. Feedback from people who actually build Django apps is exactly what I need:

  • Would you consider using something like this?
  • What would stop you from deploying it in production?
  • Did you hit any friction trying it out?

There’s a short anonymous survey in the README if you’re willing to share your experience — it directly feeds the research.

GitHub: iliopdavid/django-amnesia-honeywords (Django authentication backend implementing Amnesia Honeywords for breach detection without a separate honeychecker. Stores k hashed candidates per user, flags logins using unmarked decoys, logs events, and emits signals for alerting. Integrates via settings + migrations; initialize users at signup/password change.)
PyPI: django-amnesia-honeywords

Happy to answer any questions!
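To make the mechanics from the post concrete (k hashed candidates per user, and the Amnesia idea of a set of marked candidates standing in for the honeychecker), here is a small Python model. It is an added illustration, not code from django-amnesia-honeywords; the class and method names are my own, PBKDF2 stands in for Django's hasher, and the re-marking rule on each accepted login is a simplified reading of the scheme, not the package's exact algorithm.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Placeholder for Django's configured password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class HoneywordRecord:
    """One user's stored credential: k salted hashes plus a set of marked
    indices. Which index is the real password is never stored (no persistent
    secret); the real password is simply always among the marked ones."""

    def __init__(self, real_password, decoys, mark_prob=0.5, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.mark_prob = mark_prob
        candidates = [real_password, *decoys]
        assert len(set(candidates)) == len(candidates), "decoys must be distinct"
        self.rng.shuffle(candidates)  # real index is not recoverable from position
        self.salt = secrets.token_bytes(16)
        self.hashes = [_hash(c, self.salt) for c in candidates]
        self._remark(candidates.index(real_password))

    def _remark(self, entered: int) -> None:
        # Mark the candidate just used plus a random subset of the others, so a
        # breached snapshot of the marks does not single out the real password.
        # Higher mark_prob hides the real one better but lets more decoys pass.
        self.marked = {entered} | {
            i for i in range(len(self.hashes))
            if i != entered and self.rng.random() < self.mark_prob
        }

    def login(self, password: str) -> str:
        h = _hash(password, self.salt)
        matches = [i for i, stored in enumerate(self.hashes)
                   if hmac.compare_digest(h, stored)]
        if not matches:
            return "fail"        # ordinary wrong password, no signal
        i = matches[0]
        if i not in self.marked:
            return "honeyword"   # unmarked decoy: credential came from a breach
        self._remark(i)          # accepted; refresh the marks
        return "ok"


if __name__ == "__main__":
    # Constructed sample: one real password, three decoys, no extra marks.
    rec = HoneywordRecord("correct-horse", ["Tr0ub4dor&3", "hunter2", "P@ssw0rd"], 0.0)
    print(rec.login("hunter2"))        # honeyword  -> fire the breach signal
    print(rec.login("correct-horse"))  # ok
```

With mark_prob=0 every decoy login is detected but the one marked index is the real password; the package's ON_HONEYWORD setting decides what happens on the "honeyword" outcome (log, lock or reset).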
