Researchers at Purdue’s CERIAS group have developed a way of strengthening traditional password authentication against sophisticated attacks. Not only is the defense practical — you can download the PAM security module from GitHub — but it also includes a built-in alarm that warns you when attacker try to use decoy passwords they believe they have cracked.
You can’t secure a system that stores plaintext passwords. It doesn’t really help to encrypt the passwords, either, because anything that has been encrypted can be decrypted. You store the hash of the password.
A hash is a one-way function. You can easily calculate the hash of any input, but if you’re given a hash output it’s not practical to discover an input that would generate it. The result is that the system doesn’t know your password, but it can test to see if you know it — calculate the hash of whatever you typed and see if it matches the stored value.
Then people realized that someone might examine the list of hashes and find duplicates occurring when two people happen to select the same password. Worse yet, what if one of those two was the person looking at the list, and even worse, they were the sort of person who would abuse this discovery.
There was also the concern, just theoretical at the time, that someone might pre-calculate an exhaustive table of all possible hashes and the inputs that generate them.
Something called the salt was added. A random salt value is generated when a new password is set. The system then stores that user name, their salt, and the result of hashing the combination of their password and that salt. When someone claiming to be that user tries to authenticate in the future, the system challenges them for their password. It then appends that user’s stored salt to the typed password, calculates the hash of that combination, and compares it to the stored hash.
The salt increases the search space to astronomical size. If you do the math (and I have), the total data storage capacity in the world is only a tiny fraction of what would be needed to store a lookup table for every possible salt.
Furthermore, the file containing the
user,salt,hash database has permissions restricting general readability. The file is
/etc/shadow on most UNIX-family operating systems including Linux, or
/etc/master.passwd on BSD and derivatives.
Users only take advantage of a tiny fraction of possible search space when selecting passwords, because the passwords have to be remembered and typed, and human nature limits us to simpler, less random, strings. We tend to build our stronger passwords from chunks, but those chunks or at least their general forms tend to be reused by ourselves and others.
Past password breaches and successful cracks suggest chunks to try in later attacks. Meanwhile, hash calculation speed has exploded with the use of GPU or Graphics Processor Units, effectively 128-core (and up) processors with fast clocks.
A short description is that they use an HSM or Hardware Security Module as an additional step. After hashing the password-salt combination, the HSM transformation is applied to that output. Then the combination of that output and the salt is sent through the same hash function. See the researchers’ overview and their paper for the full details.
The result is data that an attacker cannot distinguish from the original scheme. An attacker might assume that the normal scheme is being used and expend a lot of computation. They will eventually discover what appear to be passwords, but which don’t work. An attacker on that system might be able to tell that this modified scheme is being used, but due to the nature of the HSM they wouldn’t know what transformation is really being applied.
The part that really sets this work apart is that careful selection of the HSM function and the salts can make the false passwords “discovered” by the attack resemble typical user passwords.
Hence the name. If an attempted login uses an “ersatz password” known to be bogus, then it’s almost certainly the result of an attacker accessing at least the hash for that user and expending a lot of work.
In Learning Tree’s Linux server administration course we show you how to use PAM, Pluggable Authentication Modules, to control user authentication. The creators of ErsatzPassword have put a PAM module on GitHub so you can try this out. You will just need a Yubikey HSM to start using it.