Researchers have created a system that bolsters data security by fooling hackers with fake cracked passwords.
The system, dubbed ErsatzPasswords, is detailed in a research paper submitted to the 2015 Annual Computer Security Applications Conference, due to take place in Los Angeles in December.
The system is designed to trick hackers who want to “crack” passwords, according to one of the paper’s authors, Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.
Cyber criminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah explained.
The researchers said: “We utilise a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.”
When using the scheme, the structure of the hashed password file, /etc/shadow or /etc/master.passwd, will appear no different from the traditional scheme. However, when an attacker exfiltrates the hashed password file and tries to crack it, the only passwords they will get are the ersatz passwords – the ‘fake passwords’.
When an attempt to log in using one of these ersatz passwords is detected, an alarm is triggered in the system, highlighting that someone has attempted to crack the password file. The system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the person is trying to hack, Almeshekah said.
Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware-dependent function.
A while ago, I faced a replica of the Hotmail (live.com) login page. But I quickly noticed that it was a fake, as the address bar at the top did not have the encryption button. So, to teach this "Douche-Bag" a lesson, instead of my real password I typed in "F*ck_You_B*tch".