Purdue University Information Assurance and Security group researchers have developed ErsatzPasswords, a security system that makes it much harder for hackers to obtain usable passwords from a leaked database. Hackers "will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords," says Purdue doctoral student Mohammed H. Almeshekah.
ErsatzPasswords adds an additional step to traditional encryption methods. With the new system, a password is run through a hardware-dependent function, such as one generated by a hardware security module, before it is encrypted. Almeshekah says the extra step adds a characteristic to a password that makes it impossible to restore it to its accurate plain text without access to the module.
In addition, ErsatzPasswords can be configured to alert a network administrator when a fake password is entered, or to automatically create a fake account when a fake password is entered.
Since only one password file needs to be stored, "even if we want to verify the real password, we don't need a different file," Almeshekah says.
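A sketch of the flow described above, added here for illustration and not the Purdue group's code: HMAC-SHA256 under a locally generated key stands in for the hardware security module, the step the article calls "encrypted" is modeled as a salted PBKDF2 hash, and the XOR binding of the real password to its decoy is an assumed construction. All function names and sample passwords are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 under a key that never leaves the HSM stands in for
# the hardware-dependent function. Constructed key, for this sketch only.
HSM_KEY = os.urandom(32)

def hdf(password: bytes, n: int) -> bytes:
    """Simulated hardware-dependent function, truncated to n bytes (n <= 32)."""
    return hmac.new(HSM_KEY, password, hashlib.sha256).digest()[:n]

def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Ordinary salted password hash, as stored in the password file."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(real: str, decoy: str) -> dict:
    """Build the single stored record: the hash covers the decoy, and the salt
    binds the real password to that decoy through the HSM output."""
    d = decoy.encode()
    if not 1 <= len(d) <= 32:
        raise ValueError("decoy must be 1..32 bytes in this sketch")
    salt = xor(hdf(real.encode(), len(d)), d)
    return {"salt": salt, "hash": slow_hash(d, salt)}

def verify(record: dict, attempt: str) -> str:
    a, salt = attempt.encode(), record["salt"]
    # With the HSM, the real password maps back onto the decoy's hash input.
    candidate = xor(hdf(a, len(salt)), salt)
    if hmac.compare_digest(slow_hash(candidate, salt), record["hash"]):
        return "ok"
    # The attempt hashes directly to the stored value: it is the decoy, which
    # only surfaces from a leaked file, so the caller should raise an alert.
    if hmac.compare_digest(slow_hash(a, salt), record["hash"]):
        return "decoy"
    return "fail"

def guesses_matching_without_hsm(record: dict, guesses: list) -> list:
    """What offline checking of a leaked record can confirm without HSM_KEY."""
    return [g for g in guesses
            if slow_hash(g.encode(), record["salt"]) == record["hash"]]

# Constructed sample values.
RECORD = enroll("correct horse battery", "Summer2015!")
```

The same record serves both checks, and the `"decoy"` result is the point at which an administrator alert or a fake session would be triggered.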
Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA