Security System Cons Hackers By Dishing Out Fake Passwords
The ErsatzPasswords system lets you know when an attempted hack takes place – and tells you what the attacker was trying to hack
Researchers have created a system that bolsters data security by fooling hackers with fake cracked passwords.
The system, dubbed ErsatzPasswords, is detailed in a research paper submitted to the 2015 Annual Computer Security Applications Conference, due to take place in Los Angeles in December.
Tricking hackers
The system is designed to trick hackers who want to to “crack” passwords, according to one of the paper’s authors, Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.
Cyber criminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah explained.
Passwords are generally protected by ‘hashing’ – a one-way function in which a hashed value cannot be reversed to obtain the original password.
The researchers said: “We utilise a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.”
When using the scheme the structure of the hashed passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords they will get are the ersatz passwords – the ‘fake passwords’.
When an attempt to login using these ersatz passwords is detected an alarm will be triggered in the system, highlighting that someone attempted to crack the password file. The system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the person is trying to hack, Almeshekah said.
Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function.
How much do you know about hacking? Take our quiz to find out!
Do you know all there is to know about the world’s most infamous hackers! Find out with our quiz!
Are you an expert on Internet security? Try our quiz!
How much do you know about whistleblowers and data leakers? Take our quiz!
Try all our other quizzes here!