
Communications of the ACM

ACM TechNews

Researcher Invents Fake Password Technology to Confuse Hackers


The ErsatzPasswords security system runs a password through a hardware-dependent function before it is encrypted, for extra security.

Credit: TechWorld

Purdue University Information Assurance and Security group researchers have developed ErsatzPasswords, a security system that makes it much harder for hackers to obtain usable passwords from a leaked database. Hackers "will still be able to crack that file, however the passwords they will get back are fake passwords or decoy passwords," says Purdue doctoral student Mohammed H. Almeshekah.

ErsatzPasswords adds an additional step to traditional encryption methods. With the new system, a password is run through a hardware-dependent function, such as one generated by a hardware security module, before it is encrypted. Almeshekah says the extra step adds a characteristic to a password that makes it impossible to restore it to its accurate plain text without access to the module.

In addition, ErsatzPasswords can be configured to alert a network administrator when a fake password is entered, or to automatically create a fake account when a fake password is entered.

Since only one password file needs to be stored, "even if we want to verify the real password, we don't need a different file," Almeshekah says.
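
A minimal sketch of the idea described above, added here as an illustration and not the Purdue researchers' code. The construction (an XOR mask stored beside a salted PBKDF2 hash of the decoy) and all names are assumptions, and an HMAC key held in software stands in for the hardware security module.

```python
import hashlib
import hmac
import os

# Assumption: stands in for a key that never leaves the hardware security module.
HSM_KEY = os.urandom(32)

def hdf(password: str, n: int, key: bytes) -> bytes:
    """Hardware-dependent function stand-in: HMAC-SHA256 under the module's key."""
    if n > 32:
        raise ValueError("decoys longer than 32 bytes are not handled in this sketch")
    return hmac.new(key, password.encode(), hashlib.sha256).digest()[:n]

def slow_hash(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password: str, ersatz: str, key: bytes = HSM_KEY) -> dict:
    """Build the single stored record. Its hash is the hash of the decoy."""
    decoy = ersatz.encode()
    salt = os.urandom(16)
    return {
        "salt": salt,
        "mask": xor(hdf(password, len(decoy), key), decoy),
        "hash": slow_hash(decoy, salt),
    }

def check(record: dict, attempt: str, key: bytes = HSM_KEY) -> str:
    """Return 'real', 'ersatz' (decoy typed: alert the administrator) or 'wrong'."""
    mask, salt, stored = record["mask"], record["salt"], record["hash"]
    # Real path: only the module can turn the true password back into the decoy.
    via_module = xor(hdf(attempt, len(mask), key), mask)
    if hmac.compare_digest(slow_hash(via_module, salt), stored):
        return "real"
    # Decoy path: what offline guessing against the leaked record would match.
    if hmac.compare_digest(slow_hash(attempt.encode(), salt), stored):
        return "ersatz"
    return "wrong"
```

The same record serves both checks, so a login with the decoy can be routed to an alert while the real password verifies only where the module's key is available.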

From Techworld


Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA

