Most websites have an Achilles’ heel, which is a single master password to unlock the entire vault. A group of researchers have developed a type of password manager that creates decoy passwords vaults if a wrong master password is supplied.
On May 19 at the IEEE Symposium on Security and Privacy, NoCrack was presented in San Jose, California. NoCrack was designed to make it much more time-consuming and difficult for attackers to figure out if they have hit pay dirt.
One main problem with password mangers is that they store all of their passwords in an encrypted file and if that file is stolen, can be subjected to so-called brute force attacks, which thousands of passwords are tried in quick succession.
Rahul Chatterjee, a master’ student at the University of Wisconsin in Madison said if an incorrect password is entered, it’s easy for an attacker to know it’s wrong. The file that is generated is junk and the attacker doesn’t have to bother trying the credentials at an online web service.
Chatterjee said they’re working on solutions, but no plans as of yet to commercialize NoCrack.