Slashdot Mirror


The Best Way To Protect Real Passwords: Create Fake Ones

jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the gig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.

4 of 152 comments

  1. Re:Difficult? by Albanach · Score: 5, Insightful

    at least until somebody reverse-engineers the password manager and disables the "give fake password upon decryption failure" logic

    Why should a password manager like this know if it's generating a valid or invalid password? Surely all it needs to do is generate a salted hash based on the website name, a random value it generated when you installed the software and your entered password that protects the vault. Any salt entered will generate a result, but only the salt you are expected to remember will generate valid passwords.

    You should get the advantage of strong lengthy random passwords for the websites you use, and some added value in that if your password file is compromised it remains challenging to brute force since each generated password needs to be tested. The disadvantage is that some sites may not place limits on the number of login attempts making brute forcing possible and then the overall security comes down to the strength of the salt you chose.
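    The derivation Albanach describes, as an added example that is not code from this thread or from any real password manager: the per-site password is a function of the site name, a random install-time secret and the master password, so every master password candidate yields a well-formed password and the vault file itself offers no success oracle. The choice of PBKDF2 for stretching, HMAC-SHA256 for per-site expansion, and all parameters are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed parameters for this illustration; a real tool would tune them.
PBKDF2_ITERATIONS = 100_000
PASSWORD_LENGTH = 20
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def new_install_secret() -> bytes:
    """Random value generated once at install time; this is all the vault file stores."""
    return secrets.token_bytes(32)


def derive_site_password(master_password: str, install_secret: bytes, site: str,
                         length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Deterministically derive the password for `site` from the three inputs."""
    # Stretch the master password against the install-time secret so that each
    # guess costs real work and the same master on another install differs.
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              install_secret, PBKDF2_ITERATIONS, dklen=32)
    # Expand per site: HMAC(key, site || counter) gives as many bytes as needed.
    chars = []
    counter = 0
    limit = 256 - (256 % len(alphabet))  # rejection bound to avoid modulo bias
    while len(chars) < length:
        msg = site.encode("utf-8") + counter.to_bytes(4, "big")
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


def looks_well_formed(password: str, length: int = PASSWORD_LENGTH,
                      alphabet: str = ALPHABET) -> bool:
    """Offline check an attacker could run: it passes for every master guess."""
    return len(password) == length and all(c in alphabet for c in password)
```

    Because a wrong master password produces an equally plausible output, the only way to confirm a guess is to try the derived password against the live site, which is exactly the rate-limiting that the comment notes the scheme depends on.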

  2. Re:So how does this work? by gbjbaanb · Score: 4, Insightful

    Possibly - but then the best way is just to let any password open the vault.

    You cannot crack a password DB if every attempt to open it succeeds. If your means of validating the password you used is to read a stored password, close the vault, reopen it and re-read the password to ensure it's still the same... then you've just added one heap of time to your cracking attack.

    Of course, a password vault could return the same set of fake passwords if you failed to supply the correct key (i.e. when you store a new password, the system generates a fake to store alongside it and returns the correct or fake one depending on correct unlocking).

    No need to re-gen when the vault has been opened incorrectly, just return the bad passwords and let the attacker try to use them. What's even worse than having to re-open your vault to check the passwords are the same, is having to take one of those passwords and use it to attempt login to a 3rd party site to validate whether they were the correct passwords or not!!

    If you really want to be a bitch to attackers, you'll expose a few valid entries to honeypots (with passwords that work) so the attacker may think he's got the correct unlock :-)

  3. Re:Seen something similar before by drinkypoo · Score: 5, Insightful

    The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.

    Ah, naivete. Any time I feel like humans are smart, I just come here and read, and I'm cured. Guess what? The unreliable software was being used as a trial by potential future customers, who just decided it was a massive pile of shit and used a competitor's software. If they ever actually made money with the software, then they bought it. Their competitors thank them for their sophomoric DRM scheme which guaranteed that everyone thought their software was shit.

    Moral of the story: DRM is stupid, and people who think tricky DRM which shits on potential future customers is cool are also stupid.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re:Paranoia by rhsanborn · Score: 3, Insightful

    It's better to ask these questions now, before we do have things to hide, like ebanking info. It's been considered that chip-and-pin would eventually push the liability for lost funds onto the consumer on the assumption that the consumer was negligent in losing his PIN. Bitcoin is another example of a thing that if you lose it, it's gone. It's not mainstream now, but I have heard of the Canadian mint experimenting with encrypted digital copies of its currency (to allow electronic transactions, but ostensibly to make sure the Canadian government is notified of transactions so they can take a tax cut). It's conceivable you would have little to no recourse in recovering these funds. It's better to have the tools before we need them.