May 20, 2015 By Shane Schick 2 min read

Cybercriminals use a lot of deceptive tricks to break into corporate systems, which makes a fake password project seem not only ingenious, but a sort of sweet revenge for beleaguered IT security staff.

IDG News Service, which first published a story about the scheme on sites such as InfoWorld, said the ErsatzPasswords program, as it is known, is the brainchild of a group of researchers from the Purdue University. It is not a completed project but an idea to be discussed at a security conference by one of its creators, Mohammed H. Almeshekah. Essentially, the fake password project describes a way of adding an element to a password via hardware before it is encrypted. As a result, cybercriminals who try to break into a leaked database would be presented with fake passwords, which would take them time to work through before they realize they’ve been duped.

As Effect Hacking noted, source code for ErsatzPasswords is already available for review on Github and takes advantage of the “hash,” or algorithms used to encrypt passwords, by using a “salt,” or extra value created for a service. Unless cybercriminals could get access to the module that was part of the ErsatzPassword process, it is unlikely they would find a way to get full access to a system without some brute-force type of attack. In other words, even if the Purdue researchers’ idea doesn’t completely protect corporate data, the fake password project could make it a lot harder for cybercriminals to steal data or do other kinds of damage.

Of course, malicious attackers are not without their resources and typically use third-party services to get lists of commonly used passwords to make their lives easier. But according to forensic security consulting firm LIFARS, the ErsatzPasswords fake password project would not only make such lists relatively useless, it could also allow network administrators to set up alerts when someone tries to use a fake password to hack into a compromised database. That might enable enterprises to take action before critical information winds up in the wrong hands.

The potential for passwords to be discovered or used against organizations has risen in recent years, to the point where some experts have suggested doing without them entirely. A PayPal executive, for example, recently suggested biometric identifiers might one day offer a compelling and safer alternative, even to encrypted passwords. Until then, it might be worthwhile for IT departments to consider whether ErsatzPasswords could be layered onto their existing security practices — if only because it might make cybercriminals’ lives a little more miserable.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today