The best way to protect passwords may be creating fake ones

A research project, NoCrack, creates plausible decoy password vaults to confuse attackers

Password managers are a great way to supply random, unique passwords to a high number of websites. But most still have an Achilles' heel: Usually, a single master password unlocks the entire vault.

But a group of researchers has developed a type of password manager that creates decoy password vaults if a wrong master password is supplied.

A paper on the experimental software, called NoCrack, will be presented on May 19 at the IEEE Symposium on Security and Privacy in San Jose, California.

NoCrack is intended to make it much more time-consuming and difficult for attackers to figure out if they've hit pay dirt.

"As an attacker, you have no idea which vault is the real one," said Rahul Chatterjee, a master's student at the University of Wisconsin in Madison, and co-author of the paper. "He is left with no other option but to try the passwords on websites."

One of the problems with password managers is that they store all of their passwords in an encrypted file. That file -- if stolen from a victim's computer -- can then be subjected to so-called brute force attacks, in which hundreds of thousands of passwords are tried in quick succession.

If an incorrect password is entered, it's easy for an attacker to know it's wrong. The file that is generated is junk, Chatterjee said, and the attacker doesn't have to bother trying the credentials at an online web service.

NoCrack generates a plausible-looking password vault for every wrong guess, an unlimited number of decoys. The only way to figure out if the credentials are accurate is to try them online.

That approach "is costly and slow," he said.

Since most online services limit the number of password guesses, attackers wouldn't get many chances to ferret out the decoy vaults, Chatterjee said.

NoCrack isn't the first attempt to try this approach. Another system, called Kamouflage, is similar, but Chatterjee said his team found a weakness in how it generates decoy master passwords.

Kamouflage's decoy master passwords are based on the real master password. Studying the decoy passwords actually helps an attacker learn the structure of the real password, allowing the true one to be more easily discovered. The NoCrack team looked to create better decoy vaults.

To do that, NoCrack uses natural language encoding (NLE) algorithms, which ironically have also been used by people trying to crack passwords. NLE algorithms decode a uniformly selected bit string and generate a fresh sample of natural language text, according to the paper.

The researchers found that using NLE made NoCrack resistant to simple machine-learning attacks aimed at sifting the real vault from the fake ones.

There is, however, one large problem: What if a person mistypes a password? In that scenario, a fake vault is generated, and a user is locked out of his or her accounts.

Chatterjee said they're working on solutions. One possible fix is to create a hash of the master password that is linked to an image that is shown when the password is entered. The authorized user should recognize when the wrong image is displayed, but an attacker would not. Another possibility would be to auto-correct the password if it is just slightly off, he said.

There are no plans as of yet to commercialize NoCrack, Chatterjee said. The paper was also co-authored by Joseph Bonneau, Ari Juels and Thomas Ristenpart.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags no companysecurityAccess control and authentication

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?