The Best Way To Protect Real Passwords: Create Fake Ones

jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the gig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.

Difficult?

[qpqp]

This just adds an extra step to automate: take the password and try to login. It's not like people are manually trying passwords...

Re:Difficult?

No, this will solve the problem once and for all.

Re:Difficult?

[Chrisq]

This just adds an extra step to automate: take the password and try to login. It's not like people are manually trying passwords...

That actually makes things a lot more difficult. Many systems have password lockout, meaning that you would lose access before cracking the manager. Also even if one does not have lockout the delay of an internet call will slow down the attempt rate significantly

Re:Difficult?

[jd2112]

My passwords are on a post-it note stuck to my monitor.
Let's see them crack THAT!

Re:Difficult?

[Albanach]

at least until somebody reverse-engineers the password manager and disables the "give fake password upon decryption failure" logic

Why should a password manager like this know if it's generating a valid or invalid password. Surely all it needs to do is generate a salted hash based on the website name, a random value it generated when you installed the software and your entered password that protects the vault. Any salt entered will generate a result, but only the salt you are expected to remember will generate valid passwords.

You should get the advantage of strong lengthy random passwords for the websites you use, and some added value in that if your password file is compromised it remains challenging to brute force since each generated password needs to be tested. The disadvantage is that some sites may not place limits on the number of login attempts making brute forcing possible and then the overall security comes down to the strength of the salt you chose.

Re:Difficult?

[Instantlemming]

Yeah, ask TV5 how that works...

Re:Difficult?

[DarkOx]

Its a damn good way to get busted as well. IDS sensors and SEIM systems will pick up on a small number of hosts performing a large number of authentication attempts or a large number of hosts making attempts against the same account.

Either way you going to at least tip off the site operator. If your target is a free webmail host or something there might not be much they could/would do but a corporate security team will probably alert the account owner, and watch that account very carefully, will other folks contact the lawyers and the authorities to hunt your ass down.

Re:Difficult?

[GameboyRMH]

Oh, the fools! If only they'd built it with 2 layers of password spoofing! When will they learn!?!?

Re:Difficult?

[Paradise+Pete]

My passwords are on a post-it note stuck to my monitor.

Me too. But I've instructed my secretary to generate a fake set of post-it notes if someone comes into the office pretending to be me.

Re:Difficult?

[wvmarle]

Testing password against local file: about 1 microsecond.

Testing password by trying to login to Facebook, Slashdot, Yahoo, etc: about 1 second.

So if anything it's going to cut down your password test rates from a million a second to one a second. That's already a great hurdle for password crackers. This even before any rate-limiting by those websites kicks in.

Re:Difficult?

[Zalbik]

I have fake passwords on a post-it note stuck to my monitor.

My REAL passwords are on a post-it note stuck to the bottom of my keyboard.

You fools with your single layer of misdirection, thinking it will keep you safe!

They're missing the opportunity...

[Parker+Lewis]

We need a password managers manager!

Recurse

[Chrisq]

We need a password managers manager!

... It's password managers all the way down.

I use SSH keys everywhere.

I've always heard that SSH keys are better than passwords. So I use them even with websites that don't use SSH.

Here's what I do:

1) I generate a new keypair using ssh-keygen.
2) I put the public key in my GitHub repo, because the public key is meant to be shared.
3) I use the private key as the password when I sign up for a new account on a web site. I copy and paste it into the password input since it's too big for me to type in.
4) When I have to log in to the web site I copy and paste the private key into the password input since it's too big for me to type in.
5) I live my life knowing that I'm using the most secure password possible: an unbreakable SSH key.

Over think

[DarkOx]

Honestly this should be pretty simple. The default operating mode of a password manager should be generate a password from PRNG data.

Store the value encrypted with AES a key derived from a master password extended via PBKDF-2 or similar should be used for the cipher.

Next apply the necessary mixture bitwise rules applied bytewise to the 'clear text' to ensure the password will contain type-able characters and accommodate character restrictions. (Something like x = ((x % 126); x = x | 32 if x 32; for those of us using ascii and yes its not perfect and will produce some bias maybe a crypto expert could propose a better alternative ) Store which rules must be applied as well. That should not be an information leak as the attacker probably can research the target system and divine these requirements anyway.

That will mean most of your passwords are nearly random goblody gook. (Important). No matter what master password is used a key can be derived, the decipher operations and the rules can be applied the result will appear to be a legal password, but it will be incorrect. In the event you have stored a specific less random value it should 'decipher' as well but appear highly random given that is how all your other password appear to be it will not be a strong indicator the wrong key has been chosen either.

Re:Over think

[Kiwikwi]

The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:

Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.

But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.

So how does this work?

[aaaaaaargh!]

As the maker of a password manager, I'm curious how this is supposed to work. The article is a bit sparse on information.

Suppose I'm the attacker and after say, ten guesses the fake passwords are shown. So if I now save the passwords, will the original ones be overwritten? I guess not, since that would be rather inconvenient. So if not, will the fake passwords along with the master password and the original data be stored in the password database? Than the attacker can check the length of the original file after saving to determine whether he has obtained fake passwords. Or are they assuming some mysterious online password application where the user has no knowledge of where and how his passwords are stored? In that case, the application will be insecure anyway.

I suppose the right way to make this work is by saving fake passwords (or the space for them) along with the real ones all the time but encrypt them separately with the fake master password after it has been created on the fly. Thinking about it, I might add this as an option to my program.

Re:So how does this work?

[gbjbaanb]

Possibly - but then the best way is just to let any password open the vault.

You cannot crack a password DB if every attempt to open it succeeds. If your means of validating the password you used is to read a stored password, close the vault, reopen it and re-read the password to ensure its still the same.. then you've just added one heap of time to your cracking attack.

Of course, a password vault could return the same set of fake passwords if you failed to supply the correct key (ie when you store a new password, the system generates a fake to store alongside it and returns the correct, or fake one depending on correct unlocking)

No need to re-gen when the vault has been opened incorrectly, just return the bad passwords and let the attacker try to use them. What's even worse than having to re-open your vault to check the passwords are the same, is having to take one of those passwords and use it to attempt login to a 3rd party site to validate whether they were the correct passwords or not!!

If you really want to be a bitch to attackers, you'll expose a few valid entries to honeypots (with passwords that work) so the attacker may think he's got the correct unlock :-)

Re:So how does this work?

[Kiwikwi]

What you're proposing sounds like Kamouflage (PDF link from TFA), with only 1 decoy password set (Kamouflage suggest 10,000); and suffers from the problem of generating plausible fake master passwords without revealing anything about the real master password, as mentioned by the authors of NoCrack.

What the NoCrack authors try to achieve is a solution where every incorrect guess at the master password still provides a set of (incorrect but at least sometimes plausible) passwords. A bit like a one-time pad, which is the only provably secure encryption, because brute-forcing the key yields all the possible plain texts (both the correct and all the incorrect ones). Of course, the problem with the one-time pad is that the key length matches the plain text length, which would completely eliminate the benefit of a password manager. Additionally, as noted in TFA, authorized users might not like the idea that making a typo when entering the master password yields (seemingly) correct passwords. :-)

I'm not convinced the NoCrack authors have actually succeeded, as they claim, but can nevertheless recommend the NoCrack paper (PDF), since it discusses pros of cons of the approach and alternatives.

Seen something similar before

[140Mandak262Jamuna]

I know of one small software company that used some home grown licensing method. The software will check out licenses for features at run time. Some features would appear to be legitimate, something that is going to be released soon. But those features were never sold, and if the license manager approves those features the product knows the license manager is probably cracked. It won't report any "ha! you are using a cracked license manager", it would quietly chug along for a while and crash randomly. The pirates who crack software would think they have cracked it and sell it as warez. The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.

P.S: company eventually got sold to a bigger player and the home grown license manager was retired for industry standard "FlexLm". Soon after, ALL software using Flex were cracked and sold on the warez sites. Pirates could have easily cracked the license manager of that small company, but it is too small to be worth the effort.

Moral of the story: Monoculture is bad, both for Irish potato farmers of the 18th century and license/password managers of the 21st century.

Re:Seen something similar before

[drinkypoo]

The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.

Ah, naivete. Any time I feel like humans are smart, I just come here and read, and I'm cured. Guess what? The unreliable software was being used as a trial by potential future customers, who just decided it was a massive pile of shit and used a competitor's software. If they ever actually made money with the software, then they bought it. Their competitors thank them for their sophomoric DRM scheme which guaranteed that everyone thought their software was shit.

Moral of the story: DRM is stupid, an people who think tricky DRM which shits on potential future customers is cool are also stupid.

Re:Seen something similar before

[140Mandak262Jamuna]

That company was offering free trial with tech support and free training. Free university versions. Why would you pay real money to a hacker when you can legitimately get the same uncracked software with tech support? The company was small, user base was small some 2000 seats or so, but the price was not. It was selling the software at 50K$ a seat. Upgrades and support went at 15% of the list price, even if the first sale was discounted.

Re:Seen something similar before

[140Mandak262Jamuna]

Yes, English really mistreated the Irish during the famine. Shockingly population of Ireland has still not recovered to pre famine levels. But England was equal opportunity abusers. They mistreated colonies in east Indies, west indies, Americas, Africa etc. They ill treated their own poor. They dumped so much raw sewage in Thames, there was a period in Brit Parliament history known as The Great Stink. I think Benjamin Disraeli was the PM at that time. Even their Royalty was drinking the same shit from the Thames.

Re:Seen something similar before

[Zalbik]

. The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.

More likely, I would think this would reduce the trust of the software and original software developer. After all, the software appears to be working, other than the "bugs". Most users aren't sophisticated enough to think "maybe that shady warez site did something that affected the original software!", they'll just think the original software is crap. Especially when they go online and see complaints for exactly the same bugs from other (unbeknownst to them) warez users.

This seems like a really bad idea. I would suggest to have it work for a while (say 6 months), then pop up a message indicating that this is illegally copied software. Long enough that the warez hacker doesn't realize, but not so long that they get full use of the product.

Deception

[Dan+East]

Deception is a valid form of security, similar to obfuscation. It should not be relied upon, but it is merely another layer. In the early 90s me and some buddies ran a multi-node BBS. One of the admins used the same password on another BBS, and someone was able to log into our system using his admin account. So to prevent that from ever happening again, I wrote a script that, for the three site admins, would also ask for their birthdate every time they logged in. If an incorrect date was entered a single time, the account would be locked. Thing is, it wasn't our birthdates that we had to enter, but just another very short password that we could enter really easily. So an attacker, if they got to that point again (obtained the password), would give it their best guess (or perhaps even research to find) the admin's birthdate. If any date was entered at all (containing two slashes or hyphens) the account was immediately locked, because the expected password was just a couple letters is all, and anyone entering an actual date was not an admin.

Re:Paranoia

[rhsanborn]

It's better to ask these questions now, before we do have things to hide, like ebanking info. It's been considered that chip-and-pin would eventually push the liability for lost funds onto the consumer on the assumption that the consumer was negligent in losing his PIN. Bitcoin is another example of a thing that if you lose it, it's gone. It's not mainstream now, but I have heard of the Canadian mint experimenting with encrypted digital copies of it's currency (to allow electronic transactions, but ostensibly to make sure the Canadian government is notified of transactions so they can take a tax cut). It's conceivable you would have little to no recourse in recovering these funds. It's better to have the tools before we need them.

Re:Unnecessary

[ledow]

When I was a child:
My parents used to know the phone numbers of every family member off by heart.

When I was a teenager:
I could recite pi to hundreds of decimals places after creating a program that ran on an Amstrad PCW9256 to calculate it (I had to check the answer!), and I still can just from memory. I memorised an entire Shakespeare sonnet just because I needed to for a drama production. I still know it - word-for-word - to this day.

Since then:
I memorise and use dozens of passwords every year. I have separate "levels" so all the really secure stuff with my bank is one set of passwords and all the dross forums I frequent are another. Even if I forget WHICH password it is from the set, I can get it within a couple of goes because I have them all in my head and know what information the site contains about me and, thus, what "level" of password is required.

I unconsciously pick up other people's passwords when they type them in front of me (and I have to ask them not to).

So I have a great memory? No. My memory is atrocious. I forget to phone everyone, I forget what I was doing several times EVERY single day. My girlfriend honestly thinks I have Alzheimer's because I forget so much throughout the day and she knows I'm not just using it as an excuse. I can't learn her native language as my brain can't hold enough of her language to cope.

If I can memorise a handful of passwords, and the average person only needs 5-10 passwords for EVERYTHING altogether, then there's really no excuse. Hell, most of my passwords are muscle-memory and I have to imagine a keyboard to tell you what they actually are.

We all have the capacity to memorise enough information that a password is not worthy of special measures and software to hold it. It's just that we don't bother to do so, whereas we used to (for phone numbers etc.)

+1 Funny

[matthias.loeffel]

I wish i had mod points left :-)

Re:Security by obscurity = Camouflage

[ledow]

If someone has access to your password management software, and the ability to test out passwords on it and get "the other" passwords back (real or not), then it's a fraction of a portion of a miniscule slice of a second to test whether that password actually DOES anything.

At worst, it'll make it slightly easier to trigger password attempts logins. But at best, something is still brute-forcing your password-management that holds every password you have.

Camouflage works in real life. It doesn't work against computers that are capable of billions of operations a second and can see if there's something under the camouflage within a microsecond.

If anything, just analysing the response pattern of "give the real password" versus "make up some rubbish to feed this spammer" is enough to tell you stuff about the system as a side-channel attack.

Camouflage works by some forms of secrecy only - someone doesn't know you are there. It does not work by there being a hundred camouflaged tank-like things out on the battlefield, 99 of them made of wood, and advertising that fact. Because when you fire the first shot, they know which one is real.

Poor analogies are the worst thing since unsliced bread.