The best way to protect passwords may be to create fake passwords.
If you need random, independent passwords for a large number of websites, a password manager is the obvious choice. Its fatal weakness, however, is that a single master password unlocks the entire password vault.
A group of researchers has now built a password manager that shows a decoy vault whenever the user enters a wrong master password.
The software, called NoCrack, is designed to make it harder and slower for attackers to tell that a guess has failed.
As an attacker, you cannot tell which vault is the real one. "The attacker has no option but to try the passwords against the website and see which ones are rejected."
A major problem with password managers is that they store all passwords in one encrypted file. An attacker who steals this file from the victim's computer can attack it offline by brute force, trying hundreds of thousands of master passwords in succession.
With a conventional manager, a wrong master password is easy to spot: the decrypted file is garbage, so the attacker never needs to test the guess against the online service. NoCrack instead produces a plausible-looking vault for every wrong guess, and there is no limit to the number of decoys. The only way to confirm that the login details are correct is to try them one by one on the website.
This method is "expensive and slow".
Because most online services limit the number of password guesses, attackers get few chances to find out which vault is real.
NoCrack is not the first attempt in this area. Another system, Kamouflage, works in a similar way, but NoCrack's designers say Kamouflage has a flaw in how it generates its decoy master passwords.
Kamouflage derives its decoy master passwords from the real one. By studying the decoys, an attacker can learn the structure of the real master password and then find it. The NoCrack team does better here.
NoCrack uses a natural language encoder (NLE), a technique also used in password-cracking tools. According to the paper, the NLE maps bit strings to natural-language text, and the encoding is randomised: the same input produces a different output each time.
The researchers found that if attackers use simple machine learning tools to pick the real vault out from the decoys, the NLE defeats such attacks.
There is another big problem, however: what if the user mistypes the master password? The software will then generate a decoy vault as well, and the user will be unable to get into their own accounts.
The NoCrack team says it is working on a solution. One feasible approach is to hash the master password and tie it to an image that is displayed when the password is entered: a legitimate user who sees the wrong image will notice the mistake, while an attacker will not. Another approach is to automatically correct the password when it deviates only slightly from the correct version.
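The following toy vault shows the two ideas discussed above in working code: a randomised encoder in the spirit of the NLE, which turns each vault password into a seed that decodes to a plausible password no matter which master password is used to decrypt it, and the hash-derived image check the team mentions for catching typos. It is an added illustration written for this page, not NoCrack's or Kamouflage's code; the token model, the weights, the fixed three-token password shape, the salt and the function names are all constructed for the demo, and a real NLE would use a trained language model rather than a nine-word table.

```python
"""Toy honey vault (added illustration, not NoCrack's code).

Each password is split into tokens from a small weighted vocabulary, and
each token is replaced by a random 16-bit value drawn from that token's
slice of a cumulative frequency table (a randomised encoder, so the same
password encodes differently every time). The seed is XORed with a
keystream derived from the master password. Decrypting with ANY master
password gives a seed that decodes to well-formed passwords, so an
offline guess cannot be recognised as wrong.
"""
import hashlib
import secrets

# Constructed toy model: (token, weight). Weights shape the decoy distribution.
TOKENS = [("password", 8), ("letmein", 4), ("dragon", 4), ("monkey", 3),
          ("hello", 3), ("2015", 4), ("123", 6), ("!", 3), ("1", 5)]
TOTAL = sum(w for _, w in TOKENS)
SCALE = 1 << 16            # every token owns a slice of [0, 65536)
TOKENS_PER_PASSWORD = 3    # fixed shape keeps the demo simple
SALT = b"demo-salt"        # constructed; a real manager stores a random per-vault salt


def _ranges():
    """Cumulative table: token -> [lo, hi) slice proportional to its weight."""
    lo, out = 0, []
    for tok, w in TOKENS:
        hi = lo + (w * SCALE) // TOTAL
        out.append((tok, lo, hi))
        lo = hi
    out[-1] = (out[-1][0], out[-1][1], SCALE)   # last slice absorbs rounding
    return out


RANGES = _ranges()


def encode_token(tok):
    """Randomised encoding: any value inside the token's slice is valid."""
    for t, lo, hi in RANGES:
        if t == tok:
            return lo + secrets.randbelow(hi - lo)
    raise ValueError("token not in toy model: %r" % tok)


def decode_value(v):
    """Deterministic decoding: the slice containing v names the token."""
    for t, lo, hi in RANGES:
        if lo <= v < hi:
            return t
    raise ValueError("value out of range: %d" % v)


def tokenize(password):
    """Greedy longest-match split of a password into model tokens."""
    toks, i = [], 0
    while i < len(password):
        match = max((t for t, _ in TOKENS if password.startswith(t, i)),
                    key=len, default=None)
        if match is None:
            raise ValueError("cannot tokenise %r with the toy model" % password)
        toks.append(match)
        i += len(match)
    return toks


def keystream(master, n):
    """Slow KDF stretched to n bytes; used directly as a one-time keystream."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), SALT, 20_000, dklen=n)


def seal(master, vault):
    """vault: list of (site, password). Site names stay in clear in this demo."""
    values = []
    for _, pw in vault:
        toks = tokenize(pw)
        if len(toks) != TOKENS_PER_PASSWORD:
            raise ValueError("demo needs exactly %d tokens" % TOKENS_PER_PASSWORD)
        values.extend(encode_token(t) for t in toks)
    seed = b"".join(v.to_bytes(2, "big") for v in values)
    return [s for s, _ in vault], bytes(a ^ b for a, b in zip(seed, keystream(master, len(seed))))


def open_vault(master, sites, ciphertext):
    """Any master password yields a plausible vault; only the right one yields the real one."""
    seed = bytes(a ^ b for a, b in zip(ciphertext, keystream(master, len(ciphertext))))
    step, out = TOKENS_PER_PASSWORD * 2, []
    for i, site in enumerate(sites):
        chunk = seed[i * step:(i + 1) * step]
        vals = [int.from_bytes(chunk[j:j + 2], "big") for j in range(0, step, 2)]
        out.append((site, "".join(decode_value(v) for v in vals)))
    return out


def picture_index(master, n_pictures=16):
    """Typo check: the picture shown is chosen by a hash of the master password,
    so a mistyped password shows a picture the legitimate user does not recognise."""
    return hashlib.sha256(b"picture|" + master.encode()).digest()[0] % n_pictures


if __name__ == "__main__":
    sites, ct = seal("correct horse", [("mail.example", "password123!"),
                                       ("bank.example", "letmein2015!")])
    print("real :", open_vault("correct horse", sites, ct))
    print("decoy:", open_vault("correct horsf", sites, ct))   # one-letter typo
    print("pictures:", picture_index("correct horse"), picture_index("correct horsf"))
```

Running it prints the real vault for the right master password and a different, but equally well-formed, vault for the one-letter typo; nothing in the ciphertext tells the two apart, which is exactly why the typo problem needs a side channel such as the picture index. The decoy distribution is only as good as the token model, which is the point the article makes about Kamouflage: decoys that leak structure are worse than none.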
NoCrack has no plans for commercialisation yet.
Source: http://www.aqniu.com/tools/7867.html