The Best Way To Protect Real Passwords: Create Fake Ones
jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the jig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.
The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:
Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.
But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.
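
An added illustration of the fake-password idea from the summary (not part of the original post or comment, and not NoCrack's actual encoder): for uniformly random passwords over a fixed alphabet, shifting each character by a key-derived stream, with no integrity check, makes every wrong master password decrypt to an equally plausible password. The function names, alphabet, salt and PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import string

# Assumption: stored passwords are uniformly random over this alphabet.
ALPHABET = string.ascii_letters + string.digits
N = len(ALPHABET)  # 62 symbols


def _keystream(master, salt, length):
    """Derive `length` unbiased values in range(N) from the master password."""
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000)
    limit = 256 - (256 % N)  # reject bytes >= limit to avoid modulo bias
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b % N for b in block if b < limit)
        counter += 1
    return out[:length]


def seal(master, salt, password):
    """Encrypt by adding the keystream mod N. No MAC or checksum is stored,
    so nothing in the vault confirms whether a guessed master is right."""
    ks = _keystream(master, salt, len(password))
    return [(ALPHABET.index(c) + k) % N for c, k in zip(password, ks)]


def open_vault(master, salt, sealed):
    """Decrypt with any master password; never raises on a wrong one."""
    ks = _keystream(master, salt, len(sealed))
    return "".join(ALPHABET[(s - k) % N] for s, k in zip(sealed, ks))


if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed sample value
    real = "k3Vq9ZxT0bLm2WyA"       # constructed sample password
    vault = seal("correct horse", salt, real)
    print("right master:", open_vault("correct horse", salt, vault))
    for guess in ("123456", "letmein", "wrong guess"):
        # Each wrong guess yields a well-formed decoy, not an error.
        print("wrong master:", open_vault(guess, salt, vault))
```

This simplified scheme reveals the password's length, and its decoys are only indistinguishable from the real entry when the stored passwords really are uniformly random over `ALPHABET`.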