Researchers have created a system that bolsters data security by fooling hackers with fake cracked passwords.
The system, dubbed ErsatzPasswords, is detailed in a research paper submitted to the 2015 Annual Computer Security Applications Conference, due to take place in Los Angeles in December.
The system is designed to trick hackers who want to “crack” passwords, according to one of the paper’s authors, Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.
Cyber criminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah explained.
The researchers said: “We utilise a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.”
When using the scheme, the structure of the hashed password file (/etc/shadow or /etc/master.passwd) appears no different from the traditional scheme. However, when an attacker exfiltrates the hashed password file and tries to crack it, the only passwords they will get are the ersatz passwords – the ‘fake passwords’.
When an attempt to log in using one of these ersatz passwords is detected, an alarm is triggered in the system, highlighting that someone has cracked the password file. The system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the person is trying to do, Almeshekah said.
Even an adversary who knows the scheme cannot launch a cracking attack without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware-dependent function.
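A simplified model of the scheme as an added example, not the paper's code or its exact construction: the machine-dependent function is modelled as an HMAC keyed with a secret only the authentication server holds (standing in for the PUF or HSM), the real password is mapped through it to a plausible decoy, and only the decoy's ordinary salted hash is stored. The wordlist, the demo secret and the decoy derivation are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo values: in a real deployment this secret is the PUF/HSM
# output and never leaves the authentication server hardware.
HARDWARE_SECRET = b"constructed-demo-hsm-secret"
WORDS = ["sunshine", "dragon", "letmein", "princess", "football", "welcome"]

def hdf(data: bytes) -> bytes:
    """Machine-dependent function, modelled here as HMAC-SHA256 with a server-only key."""
    return hmac.new(HARDWARE_SECRET, data, hashlib.sha256).digest()

def ersatz_password(real: str) -> str:
    """Derive a plausible-looking decoy (word + digits) from the HDF output of the real password."""
    d = hdf(real.encode())
    return WORDS[d[0] % len(WORDS)] + str(int.from_bytes(d[1:3], "big") % 1000)

def standard_hash(salt: bytes, pw: str) -> str:
    """Ordinary salted hash: all an offline cracker can apply without the HDF.
    (SHA-256 keeps the demo short; a real system uses a slow password hash.)"""
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def enroll(real: str) -> Tuple[bytes, str]:
    """Store salt + hash of the DECOY, so the password file looks unchanged."""
    salt = os.urandom(8)
    return salt, standard_hash(salt, ersatz_password(real))

def authenticate(salt: bytes, stored: str, submitted: str) -> str:
    """Return 'ok', 'alarm' (a decoy was submitted: the file was cracked) or 'fail'."""
    if hmac.compare_digest(standard_hash(salt, ersatz_password(submitted)), stored):
        return "ok"
    if hmac.compare_digest(standard_hash(salt, submitted), stored):
        return "alarm"  # someone logged in with the ersatz password
    return "fail"

def offline_crack(salt: bytes, stored: str) -> Optional[str]:
    """Attacker without the HDF: brute-force the stored hash over word+digits candidates."""
    for w in WORDS:
        for n in range(1000):
            cand = f"{w}{n}"
            if standard_hash(salt, cand) == stored:
                return cand
    return None
```

The cracker recovers a string that matches the stored hash, but it is the decoy; presenting it at login returns "alarm" rather than access.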
A while ago, I faced a replica of the Hotmail (live.com) login page. But I quickly noticed that it was a fake, as the address bar at the top did not have the encryption button. So, to teach this "Douche-Bag" a lesson, instead of my real password I typed in "F*ck_You_B*tch".