To thwart password theft, the devil is in the decoys

To thwart password theft, the devil is in the decoys

For attackers, trying to crack a password manager may be hard, but the payoffs can be big.    

Now, however, researchers have developed a password manager that creates decoy password vaults if an incorrect master password is used.

If you’re an attacker that entered the wrong password “you have no idea which vault is the real one,” Rahul Chatterjee , a co-author of a paper on the software, told TechWorld. This would force the attacker to use the passwords on websites to confirm they’re real.

NoCrack, as it’s called, is intended to make a hacker spend hours working to discover if they’ve successfully breached their intended network.

With traditional password managers, when an incorrect password is entered it’s easy for the attacker to know that it’s wrong. The file that is generated is junk, Chatterjee told TechWorld, and the attacker does not have to bother trying the credentials at an online web service.

NoCrack generates a plausible-looking password vault for every wrong guess.  So once a brute-force attack succeeded, there could be thousands of decoy vaults created, and indistinguishable from the real one. The only way to figure out which credentials are accurate would be to try them online.

There are still some kinks to work out, however. The group has not yet figured out a way to deal with a person who has the correct password, but misspells it -- generating a fake vault and locking the user out of his accounts.

And password vaults, of course, are just one approach to managing secure logins.  As GCN has reported previously, biometrics, gestures, two-factor authentication, typing rhythm and ridiculously long passphrases all have potential.  But none have yet been able to solve the fundamentally human problem that, as Defense Department Deputy CIO for Information Enterprise David Cotton put it recently, sloppy cyber hygiene "is just eating our shorts."

According to Chatterjee, there are no plans to commercialize NoCrack at this time.

About the Author

Derek Major is a former reporter for GCN.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected