Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Best Way To Protect Real Passwords: Create Fake Ones

Posted by samzenpus on from the that-was-my-fake-wallet dept.

jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the gig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.

6 of 152 comments (clear)

  1. Difficult? by qpqp · · Score: 3, Interesting

    This just adds an extra step to automate: take the password and try to login. It's not like people are manually trying passwords...

    1. Re:Difficult? by Chrisq · · Score: 4, Interesting

      This just adds an extra step to automate: take the password and try to login. It's not like people are manually trying passwords...

      That actually makes things a lot more difficult. Many systems have password lockout, meaning that you would lose access before cracking the manager. Also even if one does not have lockout the delay of an internet call will slow down the attempt rate significantly

    2. Re:Difficult? by DarkOx · · Score: 3, Interesting

      Its a damn good way to get busted as well. IDS sensors and SEIM systems will pick up on a small number of hosts performing a large number of authentication attempts or a large number of hosts making attempts against the same account.

      Either way you going to at least tip off the site operator. If your target is a free webmail host or something there might not be much they could/would do but a corporate security team will probably alert the account owner, and watch that account very carefully, will other folks contact the lawyers and the authorities to hunt your ass down.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Seen something similar before by 140Mandak262Jamuna · · Score: 4, Interesting
    I know of one small software company that used some home grown licensing method. The software will check out licenses for features at run time. Some features would appear to be legitimate, something that is going to be released soon. But those features were never sold, and if the license manager approves those features the product knows the license manager is probably cracked. It won't report any "ha! you are using a cracked license manager", it would quietly chug along for a while and crash randomly. The pirates who crack software would think they have cracked it and sell it as warez. The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.

    P.S: company eventually got sold to a bigger player and the home grown license manager was retired for industry standard "FlexLm". Soon after, ALL software using Flex were cracked and sold on the warez sites. Pirates could have easily cracked the license manager of that small company, but it is too small to be worth the effort.

    Moral of the story: Monoculture is bad, both for Irish potato farmers of the 18th century and license/password managers of the 21st century.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:So how does this work? by Kiwikwi · · Score: 3, Interesting

    What you're proposing sounds like Kamouflage (PDF link from TFA), with only 1 decoy password set (Kamouflage suggest 10,000); and suffers from the problem of generating plausible fake master passwords without revealing anything about the real master password, as mentioned by the authors of NoCrack.

    What the NoCrack authors try to achieve is a solution where every incorrect guess at the master password still provides a set of (incorrect but at least sometimes plausible) passwords. A bit like a one-time pad, which is the only provably secure encryption, because brute-forcing the key yields all the possible plain texts (both the correct and all the incorrect ones). Of course, the problem with the one-time pad is that the key length matches the plain text length, which would completely eliminate the benefit of a password manager. Additionally, as noted in TFA, authorized users might not like the idea that making a typo when entering the master password yields (seemingly) correct passwords. :-)

    I'm not convinced the NoCrack authors have actually succeeded, as they claim, but can nevertheless recommend the NoCrack paper (PDF), since it discusses pros of cons of the approach and alternatives.

  4. Deception by Dan+East · · Score: 3, Interesting

    Deception is a valid form of security, similar to obfuscation. It should not be relied upon, but it is merely another layer. In the early 90s me and some buddies ran a multi-node BBS. One of the admins used the same password on another BBS, and someone was able to log into our system using his admin account. So to prevent that from ever happening again, I wrote a script that, for the three site admins, would also ask for their birthdate every time they logged in. If an incorrect date was entered a single time, the account would be locked. Thing is, it wasn't our birthdates that we had to enter, but just another very short password that we could enter really easily. So an attacker, if they got to that point again (obtained the password), would give it their best guess (or perhaps even research to find) the admin's birthdate. If any date was entered at all (containing two slashes or hyphens) the account was immediately locked, because the expected password was just a couple letters is all, and anyone entering an actual date was not an admin.

    --
    Better known as 318230.