NoCrack makes passwords safer with 'trap' fake vault
Using a password manager is the best way to generate random passwords and log in securely to many different websites. The problem is that a password manager still needs a master password to decrypt and access the vault that contains all your passwords.
If the computer is lost or stolen, an attacker can recover the master password with a brute-force attack. In theory, given enough time or sufficiently powerful hardware, this type of attack can break most of today's encryption algorithms. It is the simplest but also the most laborious attack method: trying every possible password one by one until the correct one is found.
To overcome this weakness, a team of researchers demonstrated a new management tool called NoCrack at the IEEE Security and Security Conference that took place in San Jose, California, USA on May 19. The tool defends itself by producing a fake vault whenever a wrong master password is entered, which costs the attacker time and makes the attack more difficult, said Rahul Chatterjee, a co-author of the project.
NoCrack creates a plausible-looking fake vault for each wrong login, and the number of such 'decoys' is unlimited. The attacker cannot tell which vault is the true one and has no choice but to try the recovered passwords on the websites themselves. Because most websites limit the number of password attempts, there are few opportunities to tell the fake vaults from the real one, Chatterjee added.
NoCrack is not the first tool to adopt this mechanism. Another tool called Kamouflage also takes a similar approach, but according to Chatterjee, his team found a weakness in the mechanism of creating 'traps' based on master passwords.
Kamouflage creates fake passwords based on the true master password, and an attacker who analyzes the structure of the fake passwords carefully can learn the true one. The risk of the password being discovered is therefore very high, and the NoCrack development team believes that creating fake vaults distracts the attacker better.
To do that, NoCrack uses a natural language encoding (NLE) algorithm. Ironically, this is also the algorithm that many users use to unlock passwords. The NLE algorithm decodes a uniformly selected bit string and produces a new output that is used as a 'trap'. The team also confirmed that NLE makes NoCrack immune to automated analyses that try to separate real vaults from fake ones.
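The decoy behaviour described above can be seen in a small sketch. This is an added example, not NoCrack's code and not its NLE: the word and suffix tables, the function names and the site names are assumptions made for illustration, the model is uniform over 64 passwords, and site names are stored in the clear.

```python
import hashlib
import secrets

# Constructed toy model of "human-looking" passwords: word + suffix, 64 combinations.
WORDS = ["sunshine", "dragon", "monkey", "shadow", "flower", "summer", "tiger", "cookie"]
SUFFIXES = ["1", "12", "123", "2015", "!", "007", "99", "77"]
SLOTS = len(WORDS) * len(SUFFIXES)  # 64 divides 2**32, so decoding is exactly uniform


def encode(password):
    """Map a model password to a uniformly random 32-bit seed that decodes back to it."""
    for i, word in enumerate(WORDS):
        tail = password[len(word):]
        if password.startswith(word) and tail in SUFFIXES:
            idx = i * len(SUFFIXES) + SUFFIXES.index(tail)
            return idx + SLOTS * secrets.randbelow(2**32 // SLOTS)
    raise ValueError("password is outside the toy model")


def decode(seed):
    """Every 32-bit seed decodes to some plausible password; none looks 'wrong'."""
    idx = seed % SLOTS
    return WORDS[idx // len(SUFFIXES)] + SUFFIXES[idx % len(SUFFIXES)]


def _pad(master, salt, n):
    # Slow key derivation: each master-password guess costs 100,000 hash iterations.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=n)


def seal(master, vault):
    """Encrypt the seeds, not the passwords. No MAC: a tag would reveal the right key."""
    salt, sites = secrets.token_bytes(16), sorted(vault)
    seeds = b"".join(encode(vault[s]).to_bytes(4, "big") for s in sites)
    return salt, sites, bytes(a ^ b for a, b in zip(seeds, _pad(master, salt, len(seeds))))


def open_vault(master, sealed):
    """Never fails: a wrong master password yields a decoy vault of the same shape."""
    salt, sites, ct = sealed
    pt = bytes(a ^ b for a, b in zip(ct, _pad(master, salt, len(ct))))
    return {s: decode(int.from_bytes(pt[4 * i:4 * i + 4], "big")) for i, s in enumerate(sites)}


if __name__ == "__main__":
    real = {"mail.example": "dragon2015", "bank.example": "flower!"}  # constructed sample
    sealed = seal("correct horse", real)
    for guess in ("correct horse", "correct hores", "123456"):
        print(guess, "->", open_vault(guess, sealed))
```

Running it shows that the mistyped guess "correct hores" opens a vault just as readily as the correct master password, which is also the usability problem the next paragraph raises.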
However, a big problem remains: what happens if the user accidentally enters the wrong password? In this case, a fake vault is opened automatically and the user is locked out of their own accounts. Chatterjee said the group is trying to solve this problem. One possible solution is to use a hash of the master password, associated with an image that is displayed when the password is entered. The legitimate user will recognize that the image is wrong, while others will not. Another solution is to add automatic password correction (auto-correction) when the entered password differs only very slightly.
Currently, NoCrack is still in the final stage and there is no plan to commercialize products yet.