Security System Fools Crackers With Fake Passwords
HOW IT WORKS
To understand exactly how ErsatzPasswords works, you need to know how passwords are stored and how attackers crack them. Organizations typically do not store passwords in plain text; they store the output of a hashing algorithm instead.
Because ErsatzPasswords applies a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) on the authentication server, before the password is hashed, an attacker who steals the hash file cannot recover the real plain-text password without access to that module.
Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana, said, "When an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatz passwords — the fake passwords."
"When an attempt to login using these ersatz passwords is detected an alarm will be triggered in the system that someone attempted to crack the password file."
It can also be configured to create a fake account automatically when an ersatz password is entered, letting an administrator observe what the intruder attempts once inside.
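The mechanism described above, as an added illustration that is not the project's own code: a keyed HMAC stands in for the PUF/HSM (assumption: the key never leaves the server), the stored hash is that of the ersatz password, and a per-user mask ties the real password to it through the machine-dependent function. Cracking the stored record offline yields only the ersatz password, and presenting that password at login raises the alarm.

```python
import hashlib
import hmac
import os

# Stand-in for the machine-dependent function (PUF/HSM). Assumption for this
# example: a server-side secret that is never written to the password file.
MODULE_KEY = b"constructed-module-secret-for-demo"
ERSATZ_LEN = 32  # ersatz passwords are padded to this length before masking


def hdf(password: bytes, salt: bytes) -> bytes:
    """Hardware-dependent function: only computable on the server."""
    return hmac.new(MODULE_KEY, salt + password, hashlib.sha256).digest()


def slow_hash(data: bytes, salt: bytes) -> bytes:
    """Ordinary password hashing, exactly what an offline cracker models."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, 20_000)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, ersatz: str) -> dict:
    """Store H(ersatz) plus a mask = HDF(password) XOR ersatz."""
    salt = os.urandom(16)
    e = ersatz.encode()
    assert 0 < len(e) <= ERSATZ_LEN and not e.endswith(b"\0")
    mask = xor(hdf(password.encode(), salt), e.ljust(ERSATZ_LEN, b"\0"))
    return {"salt": salt, "mask": mask, "hash": slow_hash(e, salt)}


def login(record: dict, candidate: str) -> str:
    c, salt = candidate.encode(), record["salt"]
    # The submitted password is the ersatz password itself: only someone who
    # cracked the stolen file knows it, so treat it as a breach indicator.
    if hmac.compare_digest(slow_hash(c, salt), record["hash"]):
        return "ALARM"
    # Genuine path: unmask the ersatz value with HDF(candidate), then hash it.
    e_rec = xor(hdf(c, salt), record["mask"]).rstrip(b"\0")
    if hmac.compare_digest(slow_hash(e_rec, salt), record["hash"]):
        return "OK"
    return "DENIED"


def offline_crack(record: dict, wordlist: list) -> str:
    """Attacker with the file but without the module: plain dictionary attack."""
    for word in wordlist:
        if slow_hash(word.encode(), record["salt"]) == record["hash"]:
            return word
    return ""
```

The wordlist attack succeeds, but the recovered password is the decoy, and using it against the live system is what trips the detector.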