Inhibiting and Detecting Offline Password Cracking Using ErsatzPasswords.

In this work, we present a simple, yet effective and practical scheme to improve the security of stored password hashes, increasing the difficulty to crack passwords and exposing cracking attempts. We utilize a hardware-dependent function (HDF), such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server to inhibit offline password discovery. Additionally, a deception mechanism is incorporated to alert administrators of cracking attempts. Using an HDF to generate password hashes hinders attackers from recovering the true passwords without constant access to the HDF. Our scheme can integrate with legacy systems without needing additional servers, changing the structure of the hashed password file, nor modifying client machines. When using our scheme, the structure of the hashed passwords file, e.g., etc/shadow or etc/master.passwd, will appear no different than traditional hashed password files.1 However, when attackers exfiltrate the hashed password file and attempt to crack it, the passwords they will receive are ErsatzPasswords—“fake passwords.” The ErsatzPasswords scheme is flexible by design, enabling it to be integrated into existing authentication systems without changes to user experience. The proposed scheme is integrated into the pam_unix module as well as two client/server authentication schemes: Lightweight Directory Access Protocol (LDAP) authentication and the Pythia pseudorandom function (PRF) Service [Everspaugh et al. 2015]. The core library to support ErsatzPasswords written in C and Python consists of 255 and 103 lines of code, respectively. The integration of ErsatzPasswords into each explored authentication system required less than 100 lines of additional code. Experimental evaluation of ErsatzPasswords shows an increase in authentication latency on the order of 100ms, which maybe acceptable for real world systems. We also describe a framework for implementing ErsatzPasswords using a Trusted Platform Module (TPM).