
Cracking-Resistant Password Vaults using NLE

Abstract

Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password. The user memorizes only the master password to access all of their passwords. Password vaults reduce the burden on users of remembering passwords, but introduce a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks.

Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults (the only one of which we are aware) actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack.
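The following is an added illustration of the NLE idea described above; it is not code from the paper or from the NoCrack repository. It builds a toy character-bigram NLE: encode() maps a password to a vector of uniformly random-looking seeds, and decode() maps any seed vector back to a password, so a vector of truly random seeds decodes to a decoy drawn from the model's distribution. A minimal vault then masks the seed vector with a keystream derived from the master password via PBKDF2 (a constructed stand-in for the paper's cipher), so decrypting under a wrong master password yields a plausible decoy rather than garbage. The training corpus, alphabet, seed range, fixed length and salt are all constructed assumptions for the demo.

```python
import hashlib
import random
from collections import Counter, defaultdict

# Constructed toy training corpus; the paper trains on large leaked-password datasets.
TRAINING_PASSWORDS = [
    "password", "password1", "iloveyou", "princess", "123456", "qwerty",
    "sunshine", "letmein", "monkey", "football", "abc123", "baseball",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
START, END = "^", "$"             # sentinel context / end-of-password symbol
SEED_RANGE = 1 << 20              # each password position consumes one seed in [0, SEED_RANGE)
MAX_LEN = 32                      # fixed seed-vector length so ciphertext does not leak length
SALT = b"constructed-demo-salt"   # fixed salt for the toy vault; a real vault stores a random one


class BigramNLE:
    """Character-bigram natural language encoder (a distribution-transforming encoder)."""

    def __init__(self, corpus, alphabet=ALPHABET):
        self.symbols = list(alphabet) + [END]
        self.counts = defaultdict(Counter)
        # Add-one smoothing: every symbol gets a non-empty interval in every context,
        # so every seed vector decodes to some string (no "invalid" decryptions).
        for prev in [START] + list(alphabet):
            for s in self.symbols:
                self.counts[prev][s] = 1
        for pw in corpus:
            prev = START
            for ch in pw + END:
                self.counts[prev][ch] += 1
                prev = ch

    def _intervals(self, prev):
        """Partition [0, SEED_RANGE) among symbols in proportion to P(symbol | prev)."""
        total = sum(self.counts[prev].values())
        out, lo = {}, 0
        for s in self.symbols:
            hi = lo + self.counts[prev][s]
            out[s] = (lo * SEED_RANGE // total, hi * SEED_RANGE // total)
            lo = hi
        return out

    def encode(self, password, rng):
        """Password -> seed vector. Each seed is uniform within its symbol's interval."""
        if len(password) >= MAX_LEN or any(c not in ALPHABET for c in password):
            raise ValueError("password too long or outside the model alphabet")
        seeds, prev = [], START
        for ch in password + END:
            lo, hi = self._intervals(prev)[ch]
            seeds.append(rng.randrange(lo, hi))
            prev = ch
        # Pad with uniformly random seeds; decode() stops at END and never reads them.
        seeds += [rng.randrange(SEED_RANGE) for _ in range(MAX_LEN - len(seeds))]
        return seeds

    def decode(self, seeds):
        """Seed vector -> password. Uniform random seeds yield a model-distributed decoy."""
        out, prev = [], START
        for seed in seeds:
            sym = next(s for s, (lo, hi) in self._intervals(prev).items() if lo <= seed < hi)
            if sym == END:
                break
            out.append(sym)
            prev = sym
        return "".join(out)


def _keystream(master_password, n):
    """Toy keystream: PBKDF2 key, then SHA-256 in counter mode, reduced mod SEED_RANGE."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, 20000)
    return [int.from_bytes(hashlib.sha256(key + i.to_bytes(4, "big")).digest()[:4], "big")
            % SEED_RANGE for i in range(n)]


def encrypt_vault(password, master_password, nle, rng):
    """Encode the password, then mask every seed by addition mod SEED_RANGE."""
    seeds = nle.encode(password, rng)
    return [(s + k) % SEED_RANGE for s, k in zip(seeds, _keystream(master_password, MAX_LEN))]


def decrypt_vault(ciphertext, master_password, nle):
    """Unmask and decode. A wrong master password leaves pseudorandom seeds: a decoy."""
    seeds = [(c - k) % SEED_RANGE for c, k in zip(ciphertext, _keystream(master_password, MAX_LEN))]
    return nle.decode(seeds)


if __name__ == "__main__":
    nle = BigramNLE(TRAINING_PASSWORDS)
    ct = encrypt_vault("letmein2", "correct-master", nle, random.Random(1))
    print("right master :", decrypt_vault(ct, "correct-master", nle))
    for guess in ("hunter2", "qwerty", "admin"):
        print("wrong master :", guess, "->", decrypt_vault(ct, guess, nle))
```

The property worth noticing is in decode(): because the intervals for every context cover the whole seed range, there is no seed vector that fails to decode, so an offline guesser gets a syntactically valid password for every master-password guess and must distinguish the real one from decoys by other means. How well decoys resist that distinguishing (the quality of the language model, and the higher-level structure of a multi-password vault) is exactly what the paper evaluates; a bigram model over twelve passwords is far weaker than the n-gram and PCFG models it describes.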

Paper     Slides

@inproceedings{chatterjee2015cracking,
  title        = {{C}racking-resistant password vaults using natural language encoders},
  author       = {Chatterjee, Rahul and Bonneau, Joseph and Juels, Ari and Ristenpart, Thomas},
  booktitle    = {Security and Privacy (SP), 2015 IEEE Symposium on},
  pages        = {481--498},
  year         = {2015},
  organization = {IEEE}
}

News Coverage


  • IT World: The best way to protect passwords may be creating fake ones.
  • SSL.com: NoCrack: Protect Passwords With Fake Ones?

GitHub

The GitHub link is: https://github.com/rchatterjee/nocrack.
Most of the datasets are taken from https://wiki.skullsecurity.org/index.php/Passwords

Datasets used

  1. RockYou: http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 (57 MB)
  2. MySpace: http://downloads.skullsecurity.org/passwords/myspace-withcount.txt.bz2 (178 KB)
  3. Yahoo: https://pages.cs.wisc.edu/~chatterjee/datasets/yahoo-withcount.txt.bz2 (1.7 MB)