To thwart password theft, the devil is in the decoys

To thwart password theft, the devil is in the decoys

For attackers, trying to crack a password manager may be hard, but the payoffs can be big.    

Now, however, researchers have developed a password manager that creates decoy password vaults if an incorrect master password is used.

If you’re an attacker that entered the wrong password “you have no idea which vault is the real one,” Rahul Chatterjee , a co-author of a paper on the software, told TechWorld. This would force the attacker to use the passwords on websites to confirm they’re real.

NoCrack, as it’s called, is intended to make a hacker spend hours working to discover if they’ve successfully breached their intended network.

With traditional password managers, when an incorrect password is entered it’s easy for the attacker to know that it’s wrong. The file that is generated is junk, Chatterjee told TechWorld, and the attacker does not have to bother trying the credentials at an online web service.

NoCrack generates a plausible-looking password vault for every wrong guess.  So once a brute-force attack succeeded, there could be thousands of decoy vaults created, and indistinguishable from the real one. The only way to figure out which credentials are accurate would be to try them online.

There are still some kinks to work out, however. The group has not yet figured out a way to deal with a person who has the correct password, but misspells it -- generating a fake vault and locking the user out of his accounts.

And password vaults, of course, are just one approach to managing secure logins.  As GCN has reported previously, biometrics, gestures, two-factor authentication, typing rhythm and ridiculously long passphrases all have potential.  But none have yet been able to solve the fundamentally human problem that, as Defense Department Deputy CIO for Information Enterprise David Cotton put it recently, sloppy cyber hygiene "is just eating our shorts."

According to Chatterjee, there are no plans to commercialize NoCrack at this time.

About the Author

Derek Major is a former reporter for GCN.


  • automated processes (Nikolay Klimenko/

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected