To thwart password theft, the devil is in the decoys

For attackers, trying to crack a password manager may be hard, but the payoffs can be big.

Now, however, researchers have developed a password manager that creates decoy password vaults if an incorrect master password is used.

If you’re an attacker that entered the wrong password “you have no idea which vault is the real one,” Rahul Chatterjee, a co-author of a paper on the software, told TechWorld. This would force the attacker to use the passwords on websites to confirm they’re real.

NoCrack, as it’s called, is intended to make a hacker spend hours working to discover if they’ve successfully breached their intended network.

With traditional password managers, when an incorrect password is entered it’s easy for the attacker to know that it’s wrong. The file that is generated is junk, Chatterjee told TechWorld, and the attacker does not have to bother trying the credentials at an online web service.

NoCrack generates a plausible-looking password vault for every wrong guess. So even after a brute-force attack has succeeded, the attacker is left with thousands of decoy vaults that are indistinguishable from the real one. The only way to figure out which credentials are accurate would be to try them online.

There are still some kinks to work out, however. The group has not yet figured out how to handle a person who knows the correct password but mistypes it: the manager would generate a decoy vault and lock the legitimate user out of their accounts.
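The mechanism described above (a wrong master password yields a plausible decoy rather than junk) and the typo caveat can both be seen in a small honey-encryption style sketch. This is an added example, not NoCrack's own code or the paper's algorithm: the toy password model (`TOKENS`), the fixed vault shape, the 16-bit encoding, the salt and the PBKDF2 round count are all assumptions made for illustration. The idea it demonstrates is the one the article describes: each stored password is encoded into a uniform-looking seed by a distribution-transforming encoder, the seed is masked with a key derived from the master password, and because every possible seed decodes to something password-like, decrypting with the wrong master yields a different but equally plausible vault. Deliberately, there is no integrity check, since a check would tell a guesser that the candidate master was wrong.

```python
import hashlib
import secrets
from typing import List, Tuple

# Constructed toy password model: (token, weight). A real decoy generator
# (the paper's NoCrack uses a model trained on leaked password data) is far
# richer; this small weighted alphabet is an assumption for illustration only.
TOKENS: List[Tuple[str, int]] = [
    ("pass", 20), ("word", 15), ("123", 25), ("love", 10),
    ("qwerty", 8), ("!", 7), ("2015", 10), ("admin", 5),
]
TOKENS_PER_PASSWORD = 3      # fixed length keeps the encoded seed a fixed size
PASSWORDS_PER_VAULT = 3
SPACE = 1 << 16              # each token is encoded as one 16-bit seed value
PBKDF2_ROUNDS = 100_000      # assumed value; slows guessing but is not the defence


def _intervals() -> List[Tuple[int, int, str]]:
    """Split the 16-bit seed space into one interval per token, sized by weight,
    so that decoding a uniformly random value draws a token from the model."""
    total = sum(w for _, w in TOKENS)
    out, lo = [], 0
    for i, (tok, w) in enumerate(TOKENS):
        hi = SPACE if i == len(TOKENS) - 1 else lo + (w * SPACE) // total
        out.append((lo, hi, tok))
        lo = hi
    return out


INTERVALS = _intervals()


def tokenize(password: str) -> List[str]:
    """Greedy longest-match split of a password into model tokens. No token is a
    prefix of another, so the split is unambiguous; anything outside the toy
    vocabulary is rejected."""
    toks, i = [], 0
    while i < len(password):
        best = max((t for t, _ in TOKENS if password.startswith(t, i)),
                   key=len, default=None)
        if best is None:
            raise ValueError(f"{password!r} is not expressible in the toy model")
        toks.append(best)
        i += len(best)
    if len(toks) != TOKENS_PER_PASSWORD:
        raise ValueError("toy model only encodes passwords of exactly 3 tokens")
    return toks


def encode_token(tok: str) -> int:
    """DTE encode: a uniformly random seed value inside the token's interval."""
    lo, hi, _ = next(iv for iv in INTERVALS if iv[2] == tok)
    return lo + secrets.randbelow(hi - lo)


def decode_value(v: int) -> str:
    """DTE decode: map any 16-bit value back to the token owning that interval."""
    return next(tok for lo, hi, tok in INTERVALS if lo <= v < hi)


def _keystream(master: str, salt: bytes, n: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=n)


def seal_vault(vault: List[str], master: str, salt: bytes) -> bytes:
    """Encode every password into a uniform-looking seed and mask it with the
    master-password keystream. No MAC on purpose: a verifier would reveal to a
    guesser which candidate masters are wrong."""
    if len(vault) != PASSWORDS_PER_VAULT:
        raise ValueError("toy vault holds exactly 3 passwords")
    seed = bytearray()
    for pw in vault:
        for tok in tokenize(pw):
            seed += encode_token(tok).to_bytes(2, "big")
    ks = _keystream(master, salt, len(seed))
    return bytes(a ^ b for a, b in zip(seed, ks))


def open_vault(sealed: bytes, master: str, salt: bytes) -> List[str]:
    """Unmask and decode. The right master restores the real vault; any other
    string (including a typo of the right one) yields a different, equally
    plausible decoy instead of junk."""
    ks = _keystream(master, salt, len(sealed))
    seed = bytes(a ^ b for a, b in zip(sealed, ks))
    values = [int.from_bytes(seed[i:i + 2], "big") for i in range(0, len(seed), 2)]
    return ["".join(decode_value(v) for v in values[p:p + TOKENS_PER_PASSWORD])
            for p in range(0, len(values), TOKENS_PER_PASSWORD)]


if __name__ == "__main__":
    salt = b"constructed-salt"                          # constructed sample value
    real = ["password123", "admin2015!", "qwerty123!"]  # constructed sample vault
    sealed = seal_vault(real, "correct master", salt)
    print("right master :", open_vault(sealed, "correct master", salt))
    print("wrong master :", open_vault(sealed, "guess1", salt))
    # The article's open problem: a one-letter typo is indistinguishable from
    # an attacker's guess, so the real user is silently handed a decoy.
    print("typo         :", open_vault(sealed, "correct mastre", salt))
```

Running the script prints the real vault for the correct master and a different token-built vault for each other string; nothing in the output distinguishes the decoys from the original, which is exactly why the attacker is pushed toward trying credentials online, and exactly why a mistyped master is a usability problem rather than an error message.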

And password vaults, of course, are just one approach to managing secure logins. As GCN has reported previously, biometrics, gestures, two-factor authentication, typing rhythm and ridiculously long passphrases all have potential. But none have yet been able to solve the fundamentally human problem that, as Defense Department Deputy CIO for Information Enterprise David Cotton put it recently, sloppy cyber hygiene "is just eating our shorts."

According to Chatterjee, there are no plans to commercialize NoCrack at this time.

About the Author

Derek Major is a former reporter for GCN.

Reader Comments

Sat, May 30, 2015 Hitoshi Anatomi

Whether iris, face, fingerprint, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password being registered in case of false rejection while keeping the near-zero false acceptance. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/conjunction (we need to go through both of the two), not when operated with another factor by OR/disjunction (we need only to go through either one of the two), as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increases the convenience by bringing down the security. In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at
