The Best Way To Protect Real Passwords: Create Fake Ones
jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the jig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.
No, this will solve the problem once and for all.
We need a password managers manager!
This just adds an extra step to automate: take the password and try to log in. It's not like people are manually trying passwords...
That actually makes things a lot more difficult. Many systems have password lockout, meaning that you would lose access before cracking the manager. Also, even if one does not have lockout, the delay of an internet call will slow down the attempt rate significantly.
We need a password managers manager!
... It's password managers all the way down.
My passwords are on a post-it note stuck to my monitor.
Let's see them crack THAT!
Any insufficiently advanced magic is indistinguishable from technology.
P.S.: the company eventually got sold to a bigger player and the home-grown license manager was retired for the industry-standard "FlexLm". Soon after, ALL software using Flex was cracked and sold on the warez sites. Pirates could have easily cracked the license manager of that small company, but it was too small to be worth the effort.
Moral of the story: Monoculture is bad, both for Irish potato farmers of the 18th century and license/password managers of the 21st century.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Why should a password manager like this know if it's generating a valid or invalid password? Surely all it needs to do is generate a salted hash based on the website name, a random value it generated when you installed the software, and your entered password that protects the vault. Any salt entered will generate a result, but only the salt you are expected to remember will generate valid passwords.
You should get the advantage of strong, lengthy random passwords for the websites you use, and some added value in that if your password file is compromised it remains challenging to brute-force, since each generated password needs to be tested. The disadvantage is that some sites may not place limits on the number of login attempts, making brute-forcing possible, and then the overall security comes down to the strength of the salt you chose.
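The stateless scheme the post above sketches, as an added example that is not part of the original thread or of any real product. It assumes a per-install random value (`INSTALL_SALT`, constructed here), PBKDF2 stretching of the master password, and an HMAC-SHA256 PRF per site; the function and variable names are the example's own. The point it makes concrete is that nothing is stored per site, so an attacker holding the install salt gets a well-formed password out of every master guess and can only tell right from wrong by trying it against the site.

```python
import hashlib
import hmac
import os
import string

# Constructed for this example: the per-install random value the post
# describes, generated once and stored beside the software. Assumed known to
# the attacker, since the threat model is a copied installation.
INSTALL_SALT = os.urandom(16)

# 64-symbol alphabet: 256 % 64 == 0, so mapping a byte onto it with % is unbiased.
ALPHABET = string.ascii_letters + string.digits + "-_"


def derive_site_password(master: str, site: str, length: int = 20,
                         install_salt: bytes = INSTALL_SALT) -> str:
    """Stateless derivation: the site password is a pure function of
    (master password, install salt, site name). Nothing per-site is stored,
    so there is no ciphertext and no check value to test guesses against."""
    # Stretch the master so each candidate costs the attacker real work.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), install_salt, 50_000)
    # Per-site, domain-separated PRF output; extend with a counter if the
    # requested length exceeds one digest.
    stream = b""
    counter = 0
    while len(stream) < length:
        msg = b"site-password\x00" + site.encode() + b"\x00" + counter.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return "".join(ALPHABET[b % 64] for b in stream[:length])


def is_well_formed(password: str, length: int = 20) -> bool:
    """The only test available offline: does the output look like a password
    this manager would produce? It does for every master guess."""
    return len(password) == length and all(c in ALPHABET for c in password)


def offline_guessing(site: str, candidates) -> dict:
    """What an attacker holding the install salt can do without touching the
    network: derive one candidate password per master guess. None can be ruled
    out locally; each has to be tried against the site, where lockouts and
    rate limits apply."""
    return {m: derive_site_password(m, site) for m in candidates}


if __name__ == "__main__":
    for master, pw in offline_guessing("example.com", ["password", "letmein", "correct horse"]).items():
        print(f"{master!r:18} -> {pw}  well-formed={is_well_formed(pw)}")
```

The weak points the post names are visible in the code: the work factor per guess is only the PBKDF2 cost plus one online login attempt, so a site without rate limiting reduces the whole thing to the strength of the master password; and the output alphabet is fixed, so a site that forbids one of these characters or demands a different length cannot be served without per-site state, which is the usability drawback cited later in the thread.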
Yeah, ask TV5 how that works...
Possibly - but then the best way is just to let any password open the vault.
You cannot crack a password DB if every attempt to open it succeeds. If your means of validating the password you used is to read a stored password, close the vault, reopen it and re-read the password to ensure it's still the same... then you've just added one heap of time to your cracking attack.
Of course, a password vault could return the same set of fake passwords if you failed to supply the correct key (i.e. when you store a new password, the system generates a fake to store alongside it and returns the correct, or fake one depending on correct unlocking)
No need to re-gen when the vault has been opened incorrectly, just return the bad passwords and let the attacker try to use them. What's even worse than having to re-open your vault to check the passwords are the same, is having to take one of those passwords and use it to attempt login to a 3rd party site to validate whether they were the correct passwords or not!!
If you really want to be a bitch to attackers, you'll expose a few valid entries to honeypots (with passwords that work) so the attacker may think he's got the correct unlock :-)
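An added example of the "any password opens the vault" idea from the posts above; it is not code from the thread, from NoCrack, or from any real password manager, and every name in it is the example's own. The construction is deliberately narrow: it only stores passwords the manager itself generated, as one uniformly random byte per character, and encrypts that byte string with a keystream derived from the master password. Because every possible byte string decodes to an equally likely password, decrypting under a wrong master yields a decoy that is statistically identical to the real entry, deterministic for that wrong master, and checkable only by logging in to the third-party site. PBKDF2-plus-SHA-256-in-counter-mode is assumed here as the keystream; a real design would use a proper stream cipher keyed the same way.

```python
import hashlib
import os
import string

# 64-symbol alphabet, 256 % 64 == 0, so every byte value maps to a symbol
# without bias. Only manager-generated passwords over this alphabet are stored.
ALPHABET = string.ascii_letters + string.digits + "-_"


def generate_seed(length: int = 16) -> bytes:
    """A manager-generated password in 'seed' form: one uniformly random byte per
    character. Every byte string of this length is an equally likely password,
    which is exactly what lets a wrong key produce a believable decoy."""
    return os.urandom(length)


def seed_to_password(seed: bytes) -> str:
    return "".join(ALPHABET[b % 64] for b in seed)


def _keystream(master: str, salt: bytes, site: str, n: int) -> bytes:
    # Assumed construction for this example: PBKDF2-stretched master, then
    # SHA-256 in counter mode, domain-separated by site name.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 50_000)
    out = b""
    ctr = 0
    while len(out) < n:
        block = key + b"\x00" + site.encode() + b"\x00" + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:n]


def new_vault() -> dict:
    # Deliberately no MAC, no magic header and no known-plaintext entry:
    # any of those would hand the attacker an offline verifier for the master.
    return {"salt": os.urandom(16), "entries": {}}


def vault_store(vault: dict, master: str, site: str, seed: bytes) -> None:
    ks = _keystream(master, vault["salt"], site, len(seed))
    vault["entries"][site] = bytes(a ^ b for a, b in zip(seed, ks))


def vault_open(vault: dict, master: str, site: str) -> str:
    """Every master 'works'. The right one returns the stored password; any
    other returns a uniformly random password of the same shape, so the only
    way to tell them apart is to try the result against the site."""
    ct = vault["entries"][site]
    ks = _keystream(master, vault["salt"], site, len(ct))
    return seed_to_password(bytes(a ^ b for a, b in zip(ct, ks)))


def looks_plausible(password: str, length: int = 16) -> bool:
    """The attacker's only offline test, and every output passes it."""
    return len(password) == length and all(c in ALPHABET for c in password)


if __name__ == "__main__":
    v = new_vault()
    seed = generate_seed()
    vault_store(v, "right master", "bank.example", seed)
    for guess in ["right master", "password", "hunter2"]:
        print(f"{guess!r:15} -> {vault_open(v, guess, 'bank.example')}")
```

Two caveats a practitioner would want. First, this only holds for passwords the manager generated uniformly: a user-typed password with human structure would stand out next to random-looking decoys (and one containing a character outside the alphabet cannot even be encoded), which is the harder case any decoy scheme for human-chosen passwords has to handle. Second, dropping the MAC is what removes the verifier, but it also means an attacker who can write to the vault file can alter entries undetected, so integrity has to come from somewhere other than the master password. The honeypot idea in the post above fits in without new code: a canary site whose stored credential really works against a monitored account is just one more entry.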
The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:
Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.
But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.
Me too. But I've instructed my secretary to generate a fake set of post-it notes if someone comes into the office pretending to be me.
I have fake passwords on a post-it note stuck to my monitor.
My REAL passwords are on a post-it note stuck to the bottom of my keyboard.
You fools with your single layer of misdirection, thinking it will keep you safe!