Security System Cons Hackers By Dishing Out Fake Passwords

Researchers have created a system that bolsters data security by fooling hackers with fake cracked passwords.

The system, dubbed ErsatzPasswords, is detailed in a research paper submitted to the 2015 Annual Computer Security Applications Conference, due to take place in Los Angeles in December.

Tricking hackers

The system is designed to trick hackers who want to “crack” passwords, according to one of the paper’s authors, Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.

Cyber criminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Almeshekah explained.

Passwords are generally protected by ‘hashing’ – a one-way function, meaning a stored hash cannot be reversed to obtain the original password. Hashing does not stop offline guessing, however: an attacker who steals the hash file can hash candidate passwords (dictionary words, common patterns) and compare the results with the stored values. That guessing process is what is meant by ‘cracking’, and it is what ErsatzPasswords sets out to subvert.

The researchers said: “We utilise a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.”

When using the scheme, the structure of the hashed password file, such as /etc/shadow on Linux or /etc/master.passwd on BSD systems, appears no different from the traditional scheme. However, when an attacker exfiltrates the hashed password file and tries to crack it, the only passwords they will recover are the ersatz passwords – the ‘fake passwords’ – rather than users’ real ones.

When an attempt to log in using one of these ersatz passwords is detected, an alarm is triggered in the system, indicating that someone has stolen and cracked the password file. The system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the person is trying to hack, Almeshekah said.

Even an adversary who knows the scheme cannot mount a cracking attack without physical access to the authentication server, because the hash of the real password can only be computed through the machine-dependent function (the PUF or HSM) that the server holds. The scheme also includes a secure backup mechanism in the event of a failure of the hardware-dependent function.
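The following is an added, simplified model of the behaviour described above; it is not the paper’s exact construction and not the authors’ code. It assumes an HMAC with a key that never leaves the server as a stand-in for the PUF/HSM, SHA-256 as a stand-in for the crypt(3)-style hash used in a real shadow file, and a constructed eight-word list as the cracker’s dictionary. The stored entry keeps the usual salt-plus-hash shape, but the hash is of a decoy derived from the real password through the hardware-dependent function, so a legacy cracker recovers the decoy, and a login with the decoy raises the alarm.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the dictionaries a cracker really uses. The decoy
# generator draws from it so that an ordinary dictionary attack "succeeds"
# and hands the attacker a decoy instead of the real password.
WORDS = ["sunshine", "password1", "letmein", "dragon",
         "qwerty", "monkey", "football", "iloveyou"]


class HardwareDependentFunction:
    """Stand-in for the PUF/HSM: a keyed PRF whose key never leaves the
    authentication server (assumption for this example). Without it nobody
    can map a real password to its decoy, so offline cracking is pointless."""

    def __init__(self, device_key: bytes):
        self._key = device_key  # would live inside the hardware in reality

    def __call__(self, salt: bytes, password: str) -> bytes:
        return hmac.new(self._key, salt + password.encode(), hashlib.sha256).digest()


def standard_hash(salt: bytes, password: str) -> str:
    """Conventional salted hash: the only thing a legacy cracker computes.
    SHA-256 stands in for a slow crypt(3) hash to keep the example short."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def ersatz_password(hdf_output: bytes) -> str:
    """Deterministically turn HDF output into a plausible-looking decoy
    (dictionary word + four digits), so a cracker's mangling rules find it."""
    n = int.from_bytes(hdf_output[:4], "big")
    return f"{WORDS[n % len(WORDS)]}{n % 10000:04d}"


def enroll(hdf: HardwareDependentFunction, password: str) -> dict:
    """Create a shadow-style entry: salt and one standard hash, nothing else.
    The hash is of the decoy, not of the real password."""
    salt = secrets.token_bytes(8)
    decoy = ersatz_password(hdf(salt, password))
    return {"salt": salt.hex(), "hash": standard_hash(salt, decoy)}


def login(hdf: HardwareDependentFunction, entry: dict, candidate: str) -> str:
    """Returns "OK", "FAIL" or "ALARM"."""
    salt = bytes.fromhex(entry["salt"])
    # 1. Was the decoy itself submitted? Only a cracked copy of the file
    #    yields it, so this is the leak detector.
    if hmac.compare_digest(standard_hash(salt, candidate), entry["hash"]):
        return "ALARM"
    # 2. Real check: push the candidate through the HDF, derive its decoy and
    #    compare that decoy's standard hash with the stored value.
    decoy = ersatz_password(hdf(salt, candidate))
    if hmac.compare_digest(standard_hash(salt, decoy), entry["hash"]):
        return "OK"
    return "FAIL"


def crack(entry: dict, dictionary: list) -> Optional[str]:
    """What an attacker holding the stolen file (and no HDF) does: a dictionary
    attack with an append-four-digits rule against the standard hash."""
    salt = bytes.fromhex(entry["salt"])
    for word in dictionary:
        for digits in range(10000):
            candidate = f"{word}{digits:04d}"
            if standard_hash(salt, candidate) == entry["hash"]:
                return candidate
    return None


if __name__ == "__main__":
    hdf = HardwareDependentFunction(secrets.token_bytes(32))
    real = "correct horse battery staple"
    entry = enroll(hdf, real)
    recovered = crack(entry, WORDS)        # a decoy, never the real password
    print("stored entry:", entry)
    print("cracker recovers:", recovered)
    print("decoy login:", login(hdf, entry, recovered))
    print("real login:", login(hdf, entry, real))
```

Two points worth noting. Because the decoy is derived from the real password through the hardware-dependent function, no extra field is needed in the file, which is what keeps the entry format unchanged for legacy tools; and the alarm check runs before the real check, so a cracked decoy is caught even though it is, by construction, a valid pre-image of the stored hash. In a deployment the decoy generator must produce passwords that are indistinguishable from the population’s real ones; a tiny wordlist like the one constructed here would let an attacker recognise every cracked value as a decoy.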


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.


  • A while ago, I faced a replica of the Hotmail (live.com) login page. But I quickly noticed that it was a fake, as the address bar at the top did not have the encryption button. So, to teach this "Douche-Bag" a lesson, instead of my real password I typed in "F*ck_You_B*tch".
