The Best Way To Protect Real Passwords: Create Fake Ones
jfruh writes: Many security-savvy users have a password manager that stores their randomly-generated passwords — but if that manager is cracked, the jig is up. Some security researchers are suggesting a technique to stop this: a password manager that offers up fake passwords when an attacker tries and fails to crack it, which makes the process of figuring out if you've broken in much more difficult.
No, this will solve the problem once and for all.
We need a password managers manager!
Why should a password manager like this know if it's generating a valid or invalid password? Surely all it needs to do is generate a salted hash based on the website name, a random value it generated when you installed the software, and your entered password that protects the vault. Any salt entered will generate a result, but only the salt you are expected to remember will generate valid passwords.
You should get the advantage of strong, lengthy, random passwords for the websites you use, and some added value in that if your password file is compromised it remains challenging to brute force, since each generated password needs to be tested. The disadvantage is that some sites may not place limits on the number of login attempts, making brute forcing possible, and then the overall security comes down to the strength of the salt you chose.
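The scheme in the comment above, worked through as an added example (this is not code from the article or from any product mentioned in the thread): a site password is derived from the master password, a per-installation random secret and the site name, so every master password yields a well-formed password and the derivation itself gives no hint about whether the master was right. A small simulated site with an optional login lockout shows that the only oracle left to a guesser is the site, and that rate limiting is what decides whether online guessing works. The install secret and candidate passwords below are constructed values; PBKDF2 and HMAC-SHA256 are the assumed primitives.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional, Tuple

# Output alphabet for generated site passwords (75 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
# Reject bytes at or above this bound so that `b % len(ALPHABET)` is unbiased.
_LIMIT = 256 - (256 % len(ALPHABET))

# Constructed per-installation secret; a real manager would create it once
# with secrets.token_bytes(32) and keep it on the local device.
INSTALL_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff"
                               "ffeeddccbbaa99887766554433221100")


def derive_site_password(master_password: str, install_secret: bytes,
                         site: str, length: int = 20) -> str:
    """Deterministically derive the password for `site`.

    key = PBKDF2-HMAC-SHA256(master_password, install_secret || 0x00 || site),
    then the key is expanded with HMAC(key, counter) blocks whose bytes are
    mapped onto ALPHABET by rejection sampling. Any master password produces
    a valid-looking result, so this function is not a "correct master?" oracle.
    """
    salt = install_secret + b"\x00" + site.encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, 100_000, dklen=32)
    chars: List[str] = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < _LIMIT and len(chars) < length:
                chars.append(ALPHABET[b % len(ALPHABET)])
    return "".join(chars)


class SimulatedSite:
    """Stand-in for a website: stores a salted password hash and may lock out
    an account after `max_attempts` consecutive failures (None = no limit)."""

    def __init__(self, max_attempts: Optional[int] = None):
        self._salt = secrets.token_bytes(16)
        self._hash: Optional[bytes] = None
        self.max_attempts = max_attempts
        self.failed = 0

    def _hash_pw(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), self._salt, 20_000)

    def register(self, pw: str) -> None:
        self._hash = self._hash_pw(pw)

    def locked(self) -> bool:
        return self.max_attempts is not None and self.failed >= self.max_attempts

    def login(self, pw: str) -> bool:
        if self._hash is None or self.locked():
            return False
        if hmac.compare_digest(self._hash, self._hash_pw(pw)):
            self.failed = 0
            return True
        self.failed += 1
        return False


def online_guess(site: SimulatedSite, install_secret: bytes, site_name: str,
                 candidate_masters: List[str]) -> Tuple[Optional[str], int]:
    """Model of what an attacker holding the vault file can still do: derive a
    site password per candidate master and test it against the site. Returns
    (master that worked or None, number of login attempts actually sent)."""
    attempts = 0
    for master in candidate_masters:
        if site.locked():
            break  # the site, not the vault, stops the search
        attempts += 1
        if site.login(derive_site_password(master, install_secret, site_name)):
            return master, attempts
    return None, attempts


if __name__ == "__main__":
    real = derive_site_password("correct horse", INSTALL_SECRET, "example.com")
    fake = derive_site_password("wrong guess", INSTALL_SECRET, "example.com")
    print("right master:", real)
    print("wrong master:", fake, "(same shape, no way to tell offline)")
```

With `SimulatedSite(max_attempts=3)` the guessing loop stops after three failures even though the correct master is in the candidate list; with no limit it finds the master on the fifth attempt, which is exactly the "overall security comes down to the strength of the salt you chose" case from the comment.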
Yeah, ask TV5 how that works...
The buyers will get some unreliable software, possibly reducing the "trust" on the warez hacker and sowing discord among the pirates and their customers.
Ah, naivete. Any time I feel like humans are smart, I just come here and read, and I'm cured. Guess what? The unreliable software was being used as a trial by potential future customers, who just decided it was a massive pile of shit and used a competitor's software. If they ever actually made money with the software, then they bought it. Their competitors thank them for their sophomoric DRM scheme which guaranteed that everyone thought their software was shit.
Moral of the story: DRM is stupid, and people who think tricky DRM which shits on potential future customers is cool are also stupid.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Me too. But I've instructed my secretary to generate a fake set of post-it notes if someone comes into the office pretending to be me.