Researchers have developed a system to protect password databases, allowing hackers to believe they have cracked the file, only to be given fake credentials.
Researchers from Purdue University have developed a system to protect password databases by allowing cybercriminals to believe they have cracked the file, only to be given fake login credentials.
Cybercriminals “will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords,” Mohammed H. Almeshekah, a doctoral student at the university, told Computer World.
Typically, when a hacker obtains a database of hashed passwords, they use brute-force techniques, hashing candidate passwords and looking for matches against the stored values, to recover the originals. Computer World explains that to reduce the workload of this time-consuming process, cybercriminals often use programs that compare the stolen hashes against lists of previously breached passwords, lists that keep growing as breaches multiply and people keep reusing passwords rather than creating original, unique ones.
This system, known as ErsatzPasswords, adds a step to the hashing procedure to increase security. “Before a password is encrypted, it is run through a hardware-dependent function, such as one generated by a hardware security module,” explains Tech World. This step means that the stored hash cannot be reproduced, and the real password cannot be recovered from the file, without access to the module.
If a hacker starts getting matches on the hashes, every password they recover from the database will be a decoy, something the cybercriminal won’t discover until they attempt to use it. Admins can even configure their site to alert them when one of these fake passwords is attempted, warning them of a breach of their system.
Better still, the site can also automatically create a dummy account for these fake logins, allowing admins to see exactly what the hackers try to do with the stolen passwords.
“We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications,” the researchers explained to Tech Week Europe.
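As an added illustration, not the researchers' construction or code, the following Python sketch models the idea described above: a keyed function standing in for the HSM binds the real password to a file entry whose visible salted hash is really the hash of a decoy, so offline cracking of the file yields only the decoy, and any login attempt with that decoy is recognised as a breach signal. The HMAC key playing the HSM, the XOR layout of the entry, and the sample passwords are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the HSM/PUF: a keyed function whose key never
# leaves the "module". Anyone holding only the stolen file does not have it.
HSM_KEY = secrets.token_bytes(32)

def hdf(password: str) -> bytes:
    """Hardware-dependent function, simulated here as an HMAC inside the HSM."""
    return hmac.new(HSM_KEY, password.encode(), hashlib.sha256).digest()

def pw_hash(salt: bytes, candidate: bytes) -> bytes:
    """The ordinary salted hash an attacker expects to find in the file."""
    return hashlib.sha256(salt + candidate).digest()

def enroll(real_pw: str, decoy_pw: str) -> dict:
    """Build a file entry that is literally a salted hash of the DECOY.
    The real password is bound in only through hdf(), so cracking the file
    offline can never produce it (assumed layout: salt = HDF(p) XOR decoy)."""
    d = decoy_pw.encode()
    if not (0 < len(d) <= 32) or b"\0" in d or real_pw == decoy_pw:
        raise ValueError("decoy must be 1-32 NUL-free bytes and differ from the real password")
    v = bytes(a ^ b for a, b in zip(hdf(real_pw), d.ljust(32, b"\0")))
    return {"salt": v, "hash": pw_hash(v, d)}

def authenticate(entry: dict, submitted: str) -> str:
    """Return 'ok', 'decoy' (a cracked file is being replayed: alert) or 'fail'."""
    v, h = entry["salt"], entry["hash"]
    if hmac.compare_digest(pw_hash(v, submitted.encode()), h):
        # Matches the file WITHOUT going through the HSM: only a party that
        # cracked the stolen file offline would present this string.
        return "decoy"
    recovered = bytes(a ^ b for a, b in zip(hdf(submitted), v)).rstrip(b"\0")
    if hmac.compare_digest(pw_hash(v, recovered), h):
        return "ok"
    return "fail"

def offline_crack(entry: dict, wordlist: list):
    """What someone holding only the file can do: the entry looks like a plain
    salted hash, so dictionary matching succeeds, but only on the decoy."""
    for w in wordlist:
        if pw_hash(entry["salt"], w.encode()) == entry["hash"]:
            return w
    return None

if __name__ == "__main__":
    entry = enroll("correct horse", "Summer2015!")  # constructed sample passwords
    print(offline_crack(entry, ["password", "Summer2015!", "correct horse"]))  # Summer2015!
    print(authenticate(entry, "Summer2015!"))    # decoy -> raise the alert
    print(authenticate(entry, "correct horse"))  # ok
```

The "decoy" branch is where a real deployment would page the admins or route the session into the dummy account the article mentions.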
ErsatzPasswords is outlined in a research paper that has been submitted to the 2015 Annual Computer Security Applications Conference.