Keeping passwords safe from cracking
A group of researchers from Purdue University in Indiana have come up with an effective and easy-to-implement solution for protecting passwords from attackers.
These days, passwords are rarely stored in plain text – they are usually hashed and (less often) salted, so that an attacker who obtains them finds it impossible, or simply too time-consuming, to crack them (by brute force, for example).
Also, because users keep choosing the same short, weak and easy-to-guess passwords, attackers can feed password-cracking software precomputed lists of hashes for passwords that have leaked in the past.
The researchers’ aim is to make cracking of stored password hashes both detectable and insuperable.
“We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server,” they explained, adding that the scheme can be easily integrated with legacy systems without the need for additional servers, changes to the structure of the hashed password file, or any client modifications.
“When using the scheme the structure of the hashed passwords file […] will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ErsatzPasswords — the ‘fake passwords’.”
Setting up an alarm that is triggered by login attempts using these ErsatzPasswords also tells the organization that the password file has somehow been compromised, and that someone is trying to use the cracked credentials to access a user account.
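A simplified model of the mechanism described above, written as an added illustration rather than the researchers' construction: the machine-dependent function is stood in for by an HMAC under a key that never leaves the server, the record carries an extra `blob` field (the paper's own encoding into a standard hash file is not reproduced here), and the names `hdf`, `enroll`, `login` and `offline_crack` are this example's, not the paper's. It shows why an offline guess against the stolen record yields only the ersatz password, and how a login with that ersatz password raises the alarm.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for the machine-dependent function (PUF or HSM): a keyed MAC whose
# key lives only on the authentication server, so it is absent from an
# exfiltrated password file. (Assumption of this illustration.)
_MACHINE_KEY = secrets.token_bytes(32)

def hdf(data: bytes) -> bytes:
    """Machine-dependent function, modelled as HMAC-SHA256 under the server key."""
    return hmac.new(_MACHINE_KEY, data, hashlib.sha256).digest()

def traditional_hash(salt: bytes, password: bytes) -> bytes:
    """The ordinary salted hash an attacker assumes the file was built with."""
    return hashlib.sha256(salt + password).digest()

def enroll(password: str, ersatz: str) -> dict:
    """Build a record whose stored hash is the traditional hash of the ersatz
    password, while the real password only verifies through hdf()."""
    e = ersatz.encode()
    if e == password.encode() or len(e) > 32:
        raise ValueError("ersatz must differ from the password and fit the MAC output")
    salt = os.urandom(16)
    v = hdf(salt + password.encode())[:len(e)]
    blob = bytes(a ^ b for a, b in zip(v, e))  # hdf(real) XOR blob == ersatz bytes
    return {"salt": salt, "blob": blob, "hash": traditional_hash(salt, e)}

def login(rec: dict, attempt: str) -> str:
    """Return 'ok', 'fail' or 'ALARM'. A candidate that matches the stored hash
    WITHOUT going through hdf() can only be the ersatz password, which means the
    file was exfiltrated and cracked offline: raise the alarm."""
    a = attempt.encode()
    if traditional_hash(rec["salt"], a) == rec["hash"]:
        return "ALARM"
    v = hdf(rec["salt"] + a)[:len(rec["blob"])]
    x = bytes(p ^ q for p, q in zip(v, rec["blob"]))
    return "ok" if traditional_hash(rec["salt"], x) == rec["hash"] else "fail"

def offline_crack(rec: dict, wordlist: list) -> list:
    """What someone holding only the stolen record (no server key) recovers by
    guessing with the traditional hash: the ersatz password and nothing else."""
    return [w for w in wordlist if traditional_hash(rec["salt"], w.encode()) == rec["hash"]]

if __name__ == "__main__":
    rec = enroll("correct horse battery", "Password1")  # constructed sample credentials
    print(offline_crack(rec, ["123456", "Password1", "correct horse battery"]))  # ['Password1']
    print(login(rec, "correct horse battery"), login(rec, "Password1"))  # ok ALARM
```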
More details about ErsatzPasswords can be found in the following paper.