New Program Stings Hackers Trying to Steal Passwords

A new system gives hackers the run-around when trying to use stolen, usable passwords from a database leaked as a result of data breaches.

A new program called ErsatzPasswords may just prove to be the cure for the next PlayStation hack, or indeed any other breach that involves passwords being stolen and leaked.

ErsatzPasswords, the hacker bug.

The team of researchers, headed by Mohammed H. Almeshekah, currently doctoral student at Purdue University in Indiana said that the system is designed at ‘throwing off hackers’ who used methods to “crack” passwords. The system has been detailed in length in a research paper that is submitted at the Annual Computer Security Applications Conference held in Los Angeles in December this year.

How Passwords work.

Passwords are almost always encrypted on your phones, computers and in the bigger picture, by organizations when stored by them. This encryption occurs to avoid vulnerabilities with the help of an algorithm and the ensuing encryption, or hash, is stored. Here’s how hackers get up to mischief.

  • Hashes (encrypted passwords) are safer than plain passwords, the way you type them. While not impossible to figure out the plain password from a hash, it makes a hacker’s life difficult in trying to ascertain the password.
  • To hack the hash, hackers use brute-force methods such as creating entire lists of words that could contain the password and cross-computing the encrypted has to see if a match is found. It takes time and is exhausting and that’s exactly what hashes are for. Making it difficult for anyone trying to ascertain the encrypted passwords.
  • To shorten the time needed, hackers use programs such as John the Ripper, which fetch and use large password lists from several data breaches where the hashes have already been figured out. These ‘hacked’ hash lists get bigger every-day as users neglect to create strong passwords.

How ErsatzPasswords works

Before a password is encrypted, ErsatzPasswords adds an additional step by running the hash through a hardware-dependent function, according to Almeshekah. This additional step adds a specific characteristic to the password, which then makes it impossible to revert back to plain text without accessing the module first.

“ErsatzPasswords exerts a bit of control over the salt that is added to the password so that what comes out of the hardware security module resembles a password, albeit a fake one,” says Almeshekah.

If a hacker were to then get a list of matches with all the hashes, the passwords wouldn’t work. The hacker wouldn’t be aware of this until trying the passwords to access a service.

What’s more, ErsatzPasswords can also be configured by clients to alert the web admin when a fake password is entered. Cleverly, it also allows a fake account to be created when set up with a fake password, to give a bird’s eye view of the hacker’s activities thereafter.

ErsatzPasswords is especially easy to configure among servers, with the code being made freely available on GitHub. It is published under an Apache open-source license.