Slashdot Mirror


The Best Way To Protect Real Passwords: Create Fake Ones

jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the gig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.

3 of 152 comments

  1. Over think by DarkOx · Score: 3, Informative

    Honestly, this should be pretty simple. The default operating mode of a password manager should be to generate a password from PRNG data.

    Store the value encrypted with AES; a key derived from a master password extended via PBKDF-2 or similar should be used for the cipher.

    Next, apply the necessary mixture of bitwise rules, applied bytewise to the 'clear text', to ensure the password will contain type-able characters and accommodate character restrictions. (Something like x = x % 126; x = x | 32 if x < 32; for those of us using ASCII. Yes, it's not perfect and will produce some bias; maybe a crypto expert could propose a better alternative.) Store which rules must be applied as well. That should not be an information leak, as the attacker probably can research the target system and divine these requirements anyway.

    That will mean most of your passwords are nearly random gobbledygook. (Important.) No matter what master password is used, a key can be derived, the decipher operations and the rules can be applied, and the result will appear to be a legal password, but it will be incorrect. In the event you have stored a specific, less random value, it should 'decipher' as well but appear highly random; given that is how all your other passwords appear, it will not be a strong indicator that the wrong key has been chosen either.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
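A stand-alone sketch of the scheme DarkOx describes, added here as an example and not code from the thread or from the NoCrack paper: PBKDF2 stretches the master password, the stored value is random bytes, and the typeable-character rule is applied after decryption, so a wrong master password also yields a plausible-looking password of the same shape. The HMAC-SHA256 counter keystream is a stand-in for AES so that only the standard library is needed; the salt, nonce and iteration count are constructed values.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed value; tune to the target hardware


def derive_key(master: str, salt: bytes) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256, as the comment suggests."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256.  This is a stand-in for AES
    (e.g. AES-CTR) so the example needs only the standard library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def to_typeable(raw: bytes) -> str:
    """The comment's bytewise rule: x = x % 126, then x |= 32 if x < 32.
    Every output byte lands in printable ASCII 32..125 (biased, as the comment admits)."""
    chars = []
    for x in raw:
        x %= 126
        if x < 32:
            x |= 32
        chars.append(chr(x))
    return "".join(chars)


def store(master: str, salt: bytes, nonce: bytes, secret: bytes) -> bytes:
    """Encrypt the raw random password bytes under the master-derived key."""
    return xor_bytes(secret, keystream(derive_key(master, salt), nonce, len(secret)))


def reveal(master: str, salt: bytes, nonce: bytes, ciphertext: bytes) -> str:
    """Decrypt with whatever master was supplied, then apply the typeable rule.
    A wrong master gives random-looking bytes that still map to a legal password."""
    raw = xor_bytes(ciphertext, keystream(derive_key(master, salt), nonce, len(ciphertext)))
    return to_typeable(raw)


def demo() -> tuple[str, str]:
    salt, nonce = b"constructed-salt", b"site:example"   # constructed values
    ct = store("correct master", salt, nonce, os.urandom(16))
    return reveal("correct master", salt, nonce, ct), reveal("wrong guess", salt, nonce, ct)
```

Both strings returned by demo() are 16 printable characters; only the first one is the real password, and nothing in the output tells an attacker which is which.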
    1. Re:Over think by Kiwikwi · Score: 4, Informative

      The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:

      Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.

      But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.

  2. Re:Difficult? by wvmarle · Score: 3, Informative

    Testing a password against a local file: about 1 microsecond.

    Testing a password by trying to log in to Facebook, Slashdot, Yahoo, etc.: about 1 second.

    So, if anything, it's going to cut down your password test rate from a million a second to one a second. That's already a great hurdle for password crackers, and this is even before any rate-limiting by those websites kicks in.