Password managers are a great way to supply random, unique passwords to a large number of websites. But most still have an Achilles’ heel: usually a single master password unlocks the entire vault. Now a group of researchers has developed a type of password manager that produces a decoy vault whenever a wrong master password is supplied.
A paper on the experimental software, called NoCrack, will be presented on May 19 at the IEEE Symposium on Security and Privacy in San Jose, California.
NoCrack is intended to make it much more time-consuming and difficult for attackers to figure out if they’ve hit pay dirt.
“As an attacker, you have no idea which vault is the real one,” said Rahul Chatterjee, a master’s student at the University of Wisconsin in Madison, and co-author of the paper. “He is left with no other option but to try the passwords on websites.”
One of the problems with password managers is that they store all of a user’s passwords in a single encrypted file. That file, if stolen from a victim’s computer, can be subjected to an offline brute-force or dictionary attack, in which enormous numbers of candidate master passwords are tried in quick succession with nothing but the attacker’s own hardware to slow them down.
If an incorrect master password is entered, it is easy for an attacker to tell. The decrypted output is junk, Chatterjee said, so the attacker can reject the guess on the spot and doesn’t have to bother trying the credentials at an online web service.
NoCrack instead generates a plausible-looking password vault for every wrong guess, giving an offline attacker an unlimited supply of decoys. The only way to find out whether a candidate vault’s credentials are genuine is to try them against the real websites. That approach “is costly and slow,” he said.
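To make the contrast concrete, here is a toy model of the two designs as an added example (not NoCrack’s code, and nothing from the paper). It assumes a constructed vault shape (three 12-character passwords over a 64-symbol alphabet), an HMAC-SHA256 counter-mode keystream standing in for a real cipher, and a deliberately simple uniform encoder: because manager-generated passwords are uniformly random over an alphabet, a uniform bit string is the right distribution model for them, whereas NoCrack’s actual encoders model human-chosen passwords. The conventional vault carries an integrity tag, so a wrong master password is rejected offline; the decoy-style vault carries no tag, and every master password decrypts to a well-formed vault.

```python
"""Toy contrast: conventional authenticated vault vs. decoy-generating vault.
Added illustration with constructed parameters; not NoCrack's implementation."""
import hashlib
import hmac
import os

# Constructed parameters: SITES passwords of PW_LEN characters each, drawn
# from a 64-symbol alphabet, so every character is exactly 6 bits.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@")
assert len(ALPHABET) == 64
SITES, PW_LEN = 3, 12
SEED_LEN = SITES * PW_LEN * 6 // 8          # 27 bytes of encoded vault


def encode_vault(vault):
    """Distribution-transforming encode: pack each character's 6-bit index.
    For uniformly random manager-generated passwords this is the exact
    encoder; a human-password model would go here in a real design."""
    assert len(vault) == SITES and all(len(p) == PW_LEN for p in vault)
    bits = 0
    for pw in vault:
        for ch in pw:
            bits = (bits << 6) | ALPHABET.index(ch)
    return bits.to_bytes(SEED_LEN, "big")


def decode_vault(seed):
    """Every 27-byte string decodes to a well-formed vault, so a wrong key
    yields a decoy rather than garbage."""
    bits = int.from_bytes(seed, "big")
    chars = []
    for _ in range(SITES * PW_LEN):
        chars.append(ALPHABET[bits & 63])
        bits >>= 6
    chars.reverse()
    return ["".join(chars[i:i + PW_LEN])
            for i in range(0, SITES * PW_LEN, PW_LEN)]


def derive_keys(master, salt):
    """PBKDF2 stretches the master password; split into cipher and MAC keys.
    Iteration count is kept low so the example runs quickly."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 10_000, dklen=64)
    return km[:32], km[32:]


def keystream(key, n):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def conventional_encrypt(master, vault):
    """Encrypt-then-MAC: the tag tells the user about a typo, and tells an
    attacker, offline, that a guess was wrong."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    ct = xor(encode_vault(vault), keystream(enc_key, SEED_LEN))
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, "sha256").digest()}


def conventional_decrypt(master, blob):
    enc_key, mac_key = derive_keys(master, blob["salt"])
    expected = hmac.new(mac_key, blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None                          # wrong master: rejected offline
    return decode_vault(xor(blob["ct"], keystream(enc_key, SEED_LEN)))


def honey_encrypt(master, vault):
    """Decoy-style: no tag. The encoded vault is masked with the keystream,
    so any master password unmasks *some* seed, and every seed decodes."""
    salt = os.urandom(16)
    enc_key, _ = derive_keys(master, salt)
    return {"salt": salt, "ct": xor(encode_vault(vault), keystream(enc_key, SEED_LEN))}


def honey_decrypt(master, blob):
    """Always returns a well-formed vault; only the real master gives the real one."""
    enc_key, _ = derive_keys(master, blob["salt"])
    return decode_vault(xor(blob["ct"], keystream(enc_key, SEED_LEN)))


def offline_attack(decrypt, blob, guesses):
    """The attacker's offline loop: every guess that yields a vault survives."""
    survivors = []
    for guess in guesses:
        vault = decrypt(guess, blob)
        if vault is not None:
            survivors.append((guess, vault))
    return survivors


if __name__ == "__main__":
    # Constructed sample vault and a constructed guess list containing the real master.
    real_vault = ["Xk9!pQ2mW@7r", "aB3cD4eF5gH6", "ZzYy00XxWw11"]
    guesses = ["password", "letmein", "hunter2", "tr0ub4dor3", "qwerty"]
    print("conventional survivors:",
          [g for g, _ in offline_attack(conventional_decrypt,
                                        conventional_encrypt("hunter2", real_vault), guesses)])
    print("decoy-style survivors:",
          [g for g, _ in offline_attack(honey_decrypt,
                                        honey_encrypt("hunter2", real_vault), guesses)])
```

Against the conventional blob the attacker’s loop keeps exactly one guess; against the decoy-style blob it keeps all of them, each paired with a vault that passes every offline sanity check, which is the point of the design. The caveat the real system must handle, and this toy does not, is the encoder: if wrong keys decode to vaults that look statistically different from genuine ones (for human-chosen passwords, a uniform model would give that away), the attacker can rank candidates offline after all.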
Since most online services limit the number of password guesses, attackers wouldn’t get many chances to ferret out the decoy vaults, Chatterjee said.
NoCrack isn’t the first attempt at this approach. An earlier system, called Kamouflage, is similar, but Chatterjee said his team found a weakness in how it generates decoy master passwords. So let’s hope for the best from NoCrack this time.