
A group of researchers have created a “simple, yet effective and practical,” approach to bolstering the security of stored passwords – a scheme they believe could put an end to password cracking.

Dubbed Ersatz Passwords, the system is intended to fool hackers by providing a fake or decoy password, said Mohammed Almeshekah, a doctoral student at Purdue University.

“We eliminate the possibility of any offline password cracking without physical access to the target’s machine,” explained the researchers.

In their detailed research paper, the students state that although a hacker could ultimately still crack the file, the fake password would essentially make the user’s credentials unusable.

Organizations storing user passwords in their database typically protect the data by storing it in a “hashed” or “salted” format – making it difficult and time-consuming for attackers to crack the original password by brute force or other techniques.

The researchers utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server.

According to the students, the scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications.

“When using this scheme, the passwords’ hashes file will appear no different than a traditional file, and if an attacker uses traditional cracking tools to recover users’ passwords, he will discover ‘fake passwords’ that will trigger an alarm when used,” read the report.


[Image: screenshot. Source: CERIAS, Purdue University]

When an attempt to log in using an ersatz password is detected, the system alerts the organization that an attempt to crack the password has been made.

Almeshekah added that the system can also be configured to automatically create a fake account when a fake password is entered, allowing an admin to see what the attacker is trying to hack.

  • ErsatzPasswords exerts a bit of control over the salt that is added to the password so that what comes out of the hardware security module resembles a password, albeit a fake one
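
The mechanism described above, as an added Python sketch that is not code from the researchers or from this article: a stored record looks like an ordinary salted hash, offline cracking yields only the decoy, and using the decoy raises an alarm. The HSM is simulated with HMAC under a server-only key, and the XOR-based salt construction and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-in for the HSM/PUF (assumption): a key that exists only on this server.
MACHINE_KEY = secrets.token_bytes(32)
WIDTH = 16  # bytes; decoys are NUL-padded to this width before the XOR


def hdf(password: str) -> bytes:
    """Machine-dependent function, simulated here with HMAC-SHA256."""
    return hmac.new(MACHINE_KEY, password.encode(), hashlib.sha256).digest()[:WIDTH]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_hash(secret: bytes, salt: bytes) -> bytes:
    """Ordinary salted hash: all a stolen file lets an attacker compute."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000)


def enroll(real: str, decoy: str):
    """Build a (salt, hash) record that looks like any other salted-hash entry."""
    raw = decoy.encode()
    if not 0 < len(raw) <= WIDTH:
        raise ValueError("decoy must be 1..WIDTH bytes")
    salt = xor(hdf(real), raw.ljust(WIDTH, b"\x00"))  # salt is derived, not random
    return salt, salted_hash(raw, salt)


def check_login(attempt: str, salt: bytes, stored: bytes) -> str:
    # Real password: undoing the HDF mask on the salt yields the decoy bytes.
    unmasked = xor(hdf(attempt), salt).rstrip(b"\x00")
    if hmac.compare_digest(salted_hash(unmasked, salt), stored):
        return "ok"
    # The attempt itself hashes to the stored value: it came from a cracked file.
    if hmac.compare_digest(salted_hash(attempt.encode(), salt), stored):
        return "alarm"
    return "denied"


def offline_crack(salt: bytes, stored: bytes, wordlist):
    """Dictionary check against the stolen record, without MACHINE_KEY."""
    for guess in wordlist:
        if salted_hash(guess.encode(), salt) == stored:
            return guess
    return None
```
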