Researchers have created a system that bolsters data security by fooling hackers with fake cracked passwords.
The system, dubbed ErsatzPasswords, is detailed in a research paper submitted to the 2015 Annual Computer Security Applications Conference, due to take place in Los Angeles in December.
The system is designed to trick hackers who want to “crack” passwords, according to one of the paper’s authors, Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.
Cyber criminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah explained.
The researchers said: “We utilise a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.”
When using the scheme the structure of the hashed passwords file, /etc/shadow or /etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords they will get are the ersatz passwords – the ‘fake passwords’.
When an attempt to log in using these ersatz passwords is detected an alarm will be triggered in the system, highlighting that someone attempted to crack the password file. The system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the person is trying to hack, Almeshekah said.
Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function.
A while ago, I faced a replica of the Hotmail (live.com) login page. But I quickly noticed that it was a fake, as the address bar at the top did not have the encryption button. So, to teach this "Douche-Bag" a lesson, instead of my real password I typed in "F*ck_You_B*tch".