Now, a manager that creates decoy password vaults

ANI Washington
Last Updated : May 13 2015 | 4:42 PM IST

A group of researchers has developed a type of password manager that creates decoy password vaults if a wrong master password is supplied.

Password managers are a way to supply random, unique passwords to a large number of websites. But usually, a single master password unlocks the entire vault.

The experimental software is called NoCrack, and a paper on it will be presented on May 19 at the IEEE Symposium on Security and Privacy in San Jose, California.

According to pcworld.com, NoCrack is intended to make it much more time-consuming and difficult for attackers to figure out whether they have cracked the system.

Rahul Chatterjee, a master's student at the University of Wisconsin in Madison and co-author of the paper, is quoted as saying that as an attacker, we have no idea which vault is the real one, so we are left with no other option but to try the passwords on websites.

The problem with password managers is that they store all of their passwords in an encrypted file. That file, if stolen, can then be subjected to attacks in which hundreds of thousands of passwords are tried in quick succession.

If an incorrect password is entered, it is easy for an attacker to know it is wrong. The file that is generated is junk, and the attacker does not have to bother trying the credentials at an online web service, Chatterjee said.

Chatterjee also said that NoCrack generates a plausible-looking password vault for every wrong guess, an unlimited number of decoys. The only way to figure out if the credentials are accurate is to try them online.

Since most online services limit the number of password guesses, attackers would not get many chances to try out the decoy vaults, Chatterjee said.

Chatterjee further said the approach is costly and slow.

Another system, called Kamouflage, is similar, but Chatterjee claims his team found a weakness in how it generates decoy master passwords.

According to the paper, NoCrack uses natural language encoding (NLE) algorithms, which have also been used by people trying to crack passwords. NLE algorithms decode a uniformly selected bit string and generate a fresh sample of natural language text.

The researchers have found that using NLE made NoCrack resistant to simple machine-learning attacks aimed at sifting the real vault from the fake ones.
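The decoy idea described above, as an added toy illustration that is not the paper's code: a tiny "language model" of password tokens, a distribution-transforming encoder that maps a real password to a uniform-looking seed, and a decoder that turns any seed (including the garbage produced by a wrong master password) into a fresh, plausible password. The token list, frequencies and key derivation are constructed assumptions for the demo.

```python
import hashlib
import secrets

# Constructed toy "natural language" model: tokens with relative frequencies.
# The real NoCrack NLE is far richer; this only illustrates the principle.
TOKENS = [("password", 40), ("dragon", 20), ("summer", 15), ("2015", 15), ("!", 10)]
TOTAL = sum(w for _, w in TOKENS)
WIDTH = 16                # seed bits spent per token
SPAN = 1 << WIDTH

def _intervals():
    """Partition [0, SPAN) into one interval per token, sized by frequency."""
    cum = 0
    for tok, w in TOKENS:
        lo = cum * SPAN // TOTAL
        cum += w
        yield tok, lo, cum * SPAN // TOTAL

def encode(tokens):
    """Password (token list) -> seed chosen uniformly among the seeds that
    decode to it (inverse sampling), so a real seed looks uniform too."""
    table = {tok: (lo, hi) for tok, lo, hi in _intervals()}
    seed = 0
    for tok in tokens:
        lo, hi = table[tok]
        seed = (seed << WIDTH) | (lo + secrets.randbelow(hi - lo))
    return seed.to_bytes(WIDTH * len(tokens) // 8, "big")

def decode(seed):
    """Any seed -> a password; a uniform seed yields a fresh sample from the
    model, which is why a wrong master password still gives a plausible vault."""
    n = int.from_bytes(seed, "big")
    count = len(seed) * 8 // WIDTH
    out = []
    for i in range(count):
        x = (n >> (WIDTH * (count - 1 - i))) & (SPAN - 1)
        out.append(next(t for t, lo, hi in _intervals() if lo <= x < hi))
    return "".join(out)

def _pad(master, salt, n):
    # Toy key stream from the master password; a real system uses a slow KDF.
    return hashlib.shake_256(salt + master.encode()).digest(n)

def seal(master, tokens, salt):
    seed = encode(tokens)
    return bytes(a ^ b for a, b in zip(seed, _pad(master, salt, len(seed))))

def open_vault(master, vault, salt):
    """Decrypt with any master password; never raises, never signals 'wrong'."""
    return decode(bytes(a ^ b for a, b in zip(vault, _pad(master, salt, len(vault)))))
```

Because `open_vault` succeeds for every master password, a typo by the legitimate user also yields a convincing decoy, which is the lockout problem the article raises.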

There is one large problem: if a person mistypes a password, then a fake vault is generated and the user is locked out of his or her accounts.

Chatterjee said they are working on solutions.

There are no plans yet to commercialize NoCrack, Chatterjee said. The paper was also co-authored by Joseph Bonneau, Ari Juels and Thomas Ristenpart.

First Published: May 13 2015 | 4:29 PM IST