NoCrack makes passwords safer with fake 'trap' vaults
Using a password manager is the best way to generate random passwords and is highly secure for logging in to many different websites. The problem, however, is that a password manager still needs a master password to decrypt and access the vault, the safe zone containing all your passwords.
If the computer is lost or stolen, an attacker can recover the master password with a brute-force attack. In theory, given enough time or a sufficiently powerful machine, this type of attack can break most of today's encryption algorithms. It is the simplest but most difficult attack method: try every possible password one by one until the correct one is found.
To overcome this weakness, a team of researchers demonstrated a new password management tool called NoCrack at the IEEE Security and Security Conference, which took place in San Jose, California, USA on May 19. The tool's self-defense mechanism is to create a fake vault whenever the wrong master password is entered, costing the attacker more time and effort, said Rahul Chatterjee, a co-author of the project.
NoCrack creates a fake vault that looks trustworthy, and the number of 'decoys' is unlimited, one for each wrong login. Since the attacker cannot tell which vault is the true one, he has no choice but to try all the collected passwords on the websites. Because most websites limit the number of password attempts, there are not many opportunities to tell fake vaults from the real one, Chatterjee added.
NoCrack is not the first tool to adopt this mechanism. Another tool called Kamouflage also takes a similar approach, but according to Chatterjee, his team found a weakness in the mechanism of creating 'traps' based on master passwords.
Kamouflage creates fake passwords based on the true master password, so an attacker who carefully analyzes the structure of the fake passwords can learn the true one. The risk of the password being discovered is therefore very high, and the NoCrack development team believes that creating fake vaults is a better distraction.
To do that, NoCrack uses a natural language encoding (NLE) algorithm. Ironically, this is also the algorithm that many users use to unlock passwords. The NLE algorithm decodes a uniformly selected bit sequence and creates a new code that is used as a 'trap'. The team also confirmed that NLE helps NoCrack stay immune to automated analyses that try to separate real vaults from fake ones.
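The decoy behaviour described above, as an added example that is not NoCrack's own code: a toy encoder stands in for the NLE, so that any master password, right or wrong, opens a plausible-looking vault. The word list, the function names and the PBKDF2-derived XOR pad are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy "language model" (assumption): a real NLE is trained on
# password corpora; this word+suffix grammar only stands in for one.
WORDS = ["dragon", "sunshine", "monkey", "shadow",
         "master", "flower", "tiger", "summer"]
SUFFIXES = ["", "1", "12", "123", "2015", "!", "99", "007"]
SPACE = len(WORDS) * len(SUFFIXES)      # 64 passwords in the model
SEED_BITS = 32                          # 2**32 is a multiple of SPACE

def encode(password):
    """Map a password to one of the many uniform seeds that decode to it."""
    for wi, word in enumerate(WORDS):
        tail = password[len(word):]
        if password.startswith(word) and tail in SUFFIXES:
            idx = wi * len(SUFFIXES) + SUFFIXES.index(tail)
            return secrets.randbelow(2**SEED_BITS // SPACE) * SPACE + idx
    raise ValueError("password is outside the toy model")

def decode(seed):
    """Every 32-bit seed decodes to some password of the model."""
    idx = seed % SPACE
    return WORDS[idx // len(SUFFIXES)] + SUFFIXES[idx % len(SUFFIXES)]

def _pad(master, salt, site):
    # Per-site 32-bit pad derived from the master password.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              salt + site.encode(), 10_000, dklen=4)
    return int.from_bytes(raw, "big")

def seal(master, vault):
    """Encrypt seeds, not passwords. No MAC or checksum is stored on
    purpose: it would let an attacker confirm a guess offline."""
    salt = secrets.token_bytes(16)
    sealed = {s: encode(p) ^ _pad(master, salt, s) for s, p in vault.items()}
    return salt, sealed

def open_vault(master, salt, sealed):
    """Never fails: a wrong master password yields a decoy vault."""
    return {s: decode(c ^ _pad(master, salt, s)) for s, c in sealed.items()}

if __name__ == "__main__":
    vault = {"mail.example": "dragon123", "bank.example": "summer!"}
    salt, sealed = seal("correct horse", vault)
    for guess in ("correct horse", "letmein", "password1"):
        print(guess, "->", open_vault(guess, salt, sealed))
```
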
However, a big problem remains: what if the user accidentally enters the wrong password? In this case, a fake vault is automatically set up and access to your own account is also blocked. Chatterjee said the group is trying to solve this problem. One possible solution is to use a hash of the master password to select an image that is displayed when the password is entered. Authenticated users will recognize the wrong image while others will not. Another solution is to add automatic password correction (auto-correction) when the difference at login is very small.
Currently, NoCrack is still in the final stage and there is no plan to commercialize the product yet.