Dubbed ErsatzPasswords, the system is aimed at throwing off hackers who try to 'crack' stolen password files. Organisations do not normally store passwords in plain text; instead a password is run through a one-way hashing algorithm and the output, called a hash, is stored. Hashes are considered safer to store than plain-text passwords because the original password cannot be read directly out of them.
To recover the passwords behind stolen hashes, hackers use brute-force techniques: they assemble lists of words that could be possible passwords, compute the hash of each one and look for a match against the stolen file. To cut down on the time that takes, hackers use cracking programs that can draw on large lists of passwords from earlier data breaches, often with the hashes already calculated.
ErsatzPasswords adds a new step. Before a password is hashed, it is run through a hardware-dependent function, such as one provided by a hardware security module. That step transforms the password in a way that cannot be reproduced, and so cannot be reversed to the correct plain text, without access to the module. The result is that even if a hacker starts to get matches against a stolen list of hashes, none of the recovered passwords will work against the real service, and the hacker would not necessarily know that until he or she tried them.
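The following is an added illustration of the hardware-dependent step described above; it is example code written for this article, not the Purdue team's own implementation, and the ErsatzPasswords paper's exact construction is not reproduced here. The hardware security module is simulated by a hypothetical `FakeHSM` class whose key never leaves the object and which exposes only a keyed function (an HMAC) over the password. The stored value is the hash of that function's output rather than of the password itself, so an attacker who steals the hash file but not the module cannot check guesses offline. A plain hashing scheme is included for contrast, and the word list is constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional, Tuple


class FakeHSM:
    """Stand-in for a hardware security module (assumed for this example).

    The key is generated inside the object and is never exported; the only
    operation offered is the keyed, hardware-dependent function hdf().
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def hdf(self, password: bytes) -> bytes:
        # HMAC-SHA256 plays the role of the hardware-dependent function.
        return hmac.new(self._key, password, hashlib.sha256).digest()


def hash_password_plain(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Conventional storage: H(salt || password). Crackable offline."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def hash_password_hdf(hsm: FakeHSM, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """ErsatzPasswords-style storage: H(salt || HDF(password)).

    HDF is only computable on the machine holding the module, so the stored
    hash cannot be matched against guesses computed elsewhere.
    """
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + hsm.hdf(password.encode())).digest()


def verify_password(hsm: FakeHSM, password: str, salt: bytes, stored: bytes) -> bool:
    """Online check performed by the service, which has the module."""
    _, candidate = hash_password_hdf(hsm, password, salt)
    return hmac.compare_digest(candidate, stored)


def offline_crack(salt: bytes, stored: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker with the stolen (salt, hash) pair but no module can do:
    hash every guess the ordinary way and look for a match."""
    for word in wordlist:
        if hashlib.sha256(salt + word.encode()).digest() == stored:
            return word
    return None


# Constructed word list for the demonstration; the real password is in it.
WORDLIST = ["123456", "password", "letmein", "correct horse", "qwerty"]


def demo() -> Tuple[Optional[str], Optional[str], bool, bool]:
    """Returns (plain_result, hdf_result, real_ok, other_module_ok)."""
    hsm = FakeHSM()
    salt, plain_hash = hash_password_plain("correct horse")
    _, hdf_hash = hash_password_hdf(hsm, "correct horse", salt)

    plain_result = offline_crack(salt, plain_hash, WORDLIST)   # found
    hdf_result = offline_crack(salt, hdf_hash, WORDLIST)       # not found
    real_ok = verify_password(hsm, "correct horse", salt, hdf_hash)
    # A second module holds a different key: without the original hardware
    # even the correct password no longer verifies.
    other_module_ok = verify_password(FakeHSM(), "correct horse", salt, hdf_hash)
    return plain_result, hdf_result, real_ok, other_module_ok


if __name__ == "__main__":
    print(demo())
```

SHA-256 is used here only to keep the example short; a production system would wrap the HDF output in a deliberately slow password hash such as bcrypt, scrypt or Argon2, and the module would also be the natural place to rate-limit verification attempts.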