pam_honeycreds.so is a linux Pluggable Authentications Module that watches for certain passwords being used in login attempts.
pam_honeycreds.so is made available under the Gnu Public License version 3, and comes with no warranties or guarentees.
Simply monitoring wrong passwords generates a lot of noise, as everyone mistypes their password from time to time. Instead, pam_honeycreds allows a system administrator to build lists of 'fake' passwords that can be left in places where an attacker might find them and use them to spread to other systems. Alternatively lists of 'most common passwords' can be used to detect anyone employing those passwords in a password-guessing attempt. Passwords can be stored as salted sha256 hashes, so 'real' passwords can be watched for on internet-facing machines, allowing an admin to detect if a password of theirs has appeared in a brute-force password list. Finally, pam_honeycreds can log 'wrong' passwords (it will never log a password that it finds in a password list), allowing an admin to build up a list of what passwords are being used by bruteforcers.