May 20, 2015 By Shane Schick 2 min read

Cybercriminals use a lot of deceptive tricks to break into corporate systems, which makes a fake password project seem not only ingenious, but a sort of sweet revenge for beleaguered IT security staff.

IDG News Service, which first published a story about the scheme on sites such as InfoWorld, said the ErsatzPasswords program, as it is known, is the brainchild of a group of researchers from the Purdue University. It is not a completed project but an idea to be discussed at a security conference by one of its creators, Mohammed H. Almeshekah. Essentially, the fake password project describes a way of adding an element to a password via hardware before it is encrypted. As a result, cybercriminals who try to break into a leaked database would be presented with fake passwords, which would take them time to work through before they realize they’ve been duped.

As Effect Hacking noted, source code for ErsatzPasswords is already available for review on Github and takes advantage of the “hash,” or algorithms used to encrypt passwords, by using a “salt,” or extra value created for a service. Unless cybercriminals could get access to the module that was part of the ErsatzPassword process, it is unlikely they would find a way to get full access to a system without some brute-force type of attack. In other words, even if the Purdue researchers’ idea doesn’t completely protect corporate data, the fake password project could make it a lot harder for cybercriminals to steal data or do other kinds of damage.

Of course, malicious attackers are not without their resources and typically use third-party services to get lists of commonly used passwords to make their lives easier. But according to forensic security consulting firm LIFARS, the ErsatzPasswords fake password project would not only make such lists relatively useless, it could also allow network administrators to set up alerts when someone tries to use a fake password to hack into a compromised database. That might enable enterprises to take action before critical information winds up in the wrong hands.

The potential for passwords to be discovered or used against organizations has risen in recent years, to the point where some experts have suggested doing without them entirely. A PayPal executive, for example, recently suggested biometric identifiers might one day offer a compelling and safer alternative, even to encrypted passwords. Until then, it might be worthwhile for IT departments to consider whether ErsatzPasswords could be layered onto their existing security practices — if only because it might make cybercriminals’ lives a little more miserable.

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today