NoCrack: Protect Passwords With Fake Ones?

Security Via Sheer Annoyance?

A recent whitepaper (Cracking-Resistant Password Vaults using Natural Language Encoders) is not light reading, but if you’re interested in information security, you’re going to want to check it out. It describes a new type of password manager dubbed NoCrack. They have a good write-up about it over at IT World, but we’re going to break it down for you as well. This is not the first time decoy vaults have been tried (see: Kamouflage, from 2010), but the NoCrack paper shows that Kamouflage’s decoys can be told apart from the real vault, and sets out to do the job properly.

What’s So Special About NoCrack?

NoCrack is special in that if it’s hacked, it hands the attacker a vault of FAKE passwords instead of an error. This makes it extremely difficult to tell whether a guessed master password is the real one. Current password managers store your passwords in a file encrypted under a key derived from the master password.

While that’s good, if that encrypted file is stolen from your computer (which is more common than you might think), black hats can run an offline guessing attack: try candidate master passwords one after another, at full speed and with no lockout, until one works. What makes this feasible is that conventional encryption tells the attacker when a guess is wrong: decrypting with the wrong key fails an integrity check or produces obvious garbage, so every wrong guess is discarded and the search stops only when the right one turns up. NoCrack removes that signal.

Even if malicious people steal your computer or get hold of the vault file, every wrong master password decrypts to a different, plausible-looking decoy vault, generated from a model of how people actually choose passwords. As you might imagine, this makes it crazy difficult for the bad guys to know whether they’ve got the goods: the only way to test a decoy is to try its passwords against the real sites, which is slow, noisy, and rate-limited.
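To make the difference between the two vault designs concrete, here is an added toy example (not code from the NoCrack paper, its authors, or the IT World write-up). It builds a conventional vault whose decryption fails loudly under a wrong master password, and a NoCrack-style vault whose decryption always succeeds and yields passwords drawn from a password model. Everything is a deliberate simplification: the "language model" is a constructed five-word weighted list plus a two-digit suffix instead of the paper's natural-language encoder, the cipher is a PBKDF2-seeded SHAKE-256 keystream, and an HMAC tag stands in for real authenticated encryption. The word weights and the sample vault are constructed for the demo.

```python
"""Toy model of why NoCrack-style decoy vaults defeat offline guessing.

Added example for this article, not code from the NoCrack paper or its
authors. Assumptions: a tiny weighted word list + two digits stands in for
the paper's natural-language password model, and a PBKDF2/SHAKE-256
keystream stands in for the paper's cipher. Standard library only.
"""
import bisect
import hashlib
import hmac
import random
import secrets

# Constructed toy password distribution: word + two digits. The weights
# stand in for how often each word turns up in leaked password lists.
WORDS = [("password", 40), ("qwerty", 25), ("dragon", 15), ("monkey", 12), ("letmein", 8)]
SPACE = 1 << 16  # every component is encoded as one unsigned 16-bit integer


def _kdf(master_password: str, salt: bytes, n: int) -> bytes:
    """Derive n keystream bytes from the master password (toy construction)."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 10_000)
    return hashlib.shake_256(key).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- conventional vault: a wrong guess is detectable ---------------------------
def conventional_encrypt(master_password: str, passwords: list[str]) -> bytes:
    salt = secrets.token_bytes(16)
    plain = "\n".join(passwords).encode()
    ct = _xor(plain, _kdf(master_password, salt, len(plain)))
    tag = hmac.new(_kdf(master_password, salt + b"mac", 32), ct, "sha256").digest()
    return salt + tag + ct


def conventional_decrypt(master_password: str, blob: bytes):
    """Return the vault, or None when the tag fails: exactly the signal an
    offline cracker needs in order to discard a wrong master-password guess."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(_kdf(master_password, salt + b"mac", 32), ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return _xor(ct, _kdf(master_password, salt, len(ct))).decode().split("\n")


# --- NoCrack-style vault: every guess decrypts to a plausible vault -------------
def _bounds(weights):
    """Split [0, SPACE) into consecutive sub-intervals proportional to weights."""
    total, acc, out = sum(weights), 0, [0]
    for w in weights:
        acc += w
        out.append(acc * SPACE // total)  # final bound is exactly SPACE
    return out


WORD_BOUNDS = _bounds([w for _, w in WORDS])
DIGIT_BOUNDS = _bounds([1] * 100)  # two-digit suffix, uniform


def _encode(index: int, bounds, rng) -> bytes:
    # Inverse sampling: pick a uniform point inside the item's interval, so the
    # encoded seed bytes are uniformly distributed regardless of the item.
    return rng.randrange(bounds[index], bounds[index + 1]).to_bytes(2, "big")


def _decode(chunk: bytes, bounds) -> int:
    return bisect.bisect_right(bounds, int.from_bytes(chunk, "big")) - 1


def encode_password(pw: str, rng) -> bytes:
    """DTE encode: word+digits -> 4 seed bytes that look uniformly random."""
    names = [name for name, _ in WORDS]
    return _encode(names.index(pw[:-2]), WORD_BOUNDS, rng) + _encode(int(pw[-2:]), DIGIT_BOUNDS, rng)


def decode_password(seed: bytes) -> str:
    """DTE decode: ANY 4 bytes decode to some password drawn from the model."""
    return f"{WORDS[_decode(seed[:2], WORD_BOUNDS)][0]}{_decode(seed[2:], DIGIT_BOUNDS):02d}"


def nocrack_encrypt(master_password: str, passwords: list[str], rng=None) -> bytes:
    rng = rng or random.SystemRandom()
    salt = secrets.token_bytes(16)
    seed = b"".join(encode_password(p, rng) for p in passwords)
    return salt + _xor(seed, _kdf(master_password, salt, len(seed)))  # deliberately no tag


def nocrack_decrypt(master_password: str, blob: bytes) -> list[str]:
    """Never fails: a wrong key gives a pseudorandom seed, which decodes to a
    decoy vault sampled from the same model as real passwords."""
    salt, ct = blob[:16], blob[16:]
    seed = _xor(ct, _kdf(master_password, salt, len(ct)))
    return [decode_password(seed[i:i + 4]) for i in range(0, len(seed), 4)]


def in_model(pw: str) -> bool:
    """True if pw is a password the toy model could have produced."""
    return pw[:-2] in dict(WORDS) and pw[-2:].isdigit()


if __name__ == "__main__":
    vault = ["dragon07", "qwerty42", "password99"]  # constructed sample vault
    c, n = conventional_encrypt("hunter2!", vault), nocrack_encrypt("hunter2!", vault)
    # "hunter2" is a one-character typo of the real master password: the
    # conventional vault rejects it, the NoCrack-style vault returns a decoy.
    for guess in ["123456", "hunter2", "hunter2!"]:
        print(f"{guess:9} conventional={conventional_decrypt(guess, c)} nocrack={nocrack_decrypt(guess, n)}")
```

Run it and the conventional vault returns `None` for the two wrong guesses, which is all a cracker needs to move on to the next candidate; the NoCrack-style vault returns three in-model passwords for every guess, and nothing in the output says which of the three vaults is real. The toy also shows why the paper needed natural-language encoders: `encode_password` can only encode strings the model covers (try `"Tr0ub4dor&3"` and it raises), and any password the model cannot produce would never appear in a decoy, which is exactly the kind of tell that let the paper distinguish Kamouflage's decoys.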

Sounds Great! Any Problems?

Well, the property that fools attackers also fools a legitimate user who mistypes the master password: the typo decrypts to a decoy vault rather than an error, so the user is shown a set of fake passwords and, if they don’t notice, may try to log in somewhere with one of them. (It isn’t a lock-out in the strict sense: the stored file is unchanged, and entering the correct master password again yields the real vault.) Luckily, they’re working on solutions for this, according to Rahul Chatterjee, co-author of the paper, who is in the master’s program at the University of Wisconsin in Madison. (Co-authors of the paper, presented at the IEEE Symposium on Security and Privacy, are Joseph Bonneau, Ari Juels and Thomas Ristenpart.)

Can I Download and Use it Right Now?

Alas, no – NoCrack is a proof of concept only at present, with no plans for a commercial version, according to Chatterjee. However, the fact that smart people are looking into ways to keep our information safer is a good thing that should be applauded. (If you have a unique way to keep passwords safe and secure, leave a comment below!)

What Does /. Have to Say on the Matter?

Here’s a quick roundup of some of the highlights from the conversation about this over at Slashdot.

The SSL Takeaway

Do you have trouble remembering passwords? Hopefully you don’t reuse the same one across accounts: one leaked database then unlocks all of them. A password manager makes a unique, random password per site practical, and while it’s worth the time to make sure yours are strong, the better trigger for changing a password is a sign it has been exposed (a breach notice, a suspicious login) rather than the calendar.