The system, called ErsatzPasswords (German for "replacement password"), is intended to make it much harder for attackers to crack stolen passwords. That is especially relevant after data breaches, where cybercriminals obtain large numbers of hashed passwords from the leaked data.
Since passwords are normally stored only as cryptographic hashes rather than in plain text (storing a plain-text password would be a huge security risk!), an attacker who steals the password file still has to recover the passwords from those hashes. The common approach is a brute-force attack: repeatedly guess candidate passwords, hash each guess, and compare it against the stolen hash. Ordinary desktop computers can test over a hundred million candidate passwords per second using password-cracking tools like John the Ripper. And that is where ErsatzPasswords comes into play:
“[…] when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatz passwords — the “fake passwords”. When an attempt to login using these ersatz passwords is detected an alarm will be triggered in the system that someone attempted to crack the password file”, says Mohammed H. Almeshekah, one of the authors of the paper. “Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server.”
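To make the behaviour described in the quote concrete, here is an added example (my own simplified model, not the authors' construction or any code from the paper) of a password record whose offline-crackable part yields only a decoy. The hardware-dependent function that must run on the authentication server is modelled by an HMAC whose key (`HSM_SECRET`) never appears in the password file; in a real deployment that role would be played by an HSM or TPM. The user, the real password, the ersatz password and the wordlist are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Stand-in for the hardware-dependent function (assumption for this example):
# the key lives only on the authentication server, never in the password file.
HSM_SECRET = secrets.token_bytes(32)


def hdf(password: str, salt: bytes) -> bytes:
    """Keyed, server-bound function, modelled here as HMAC-SHA256."""
    return hmac.new(HSM_SECRET, salt + password.encode(), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, ersatz: str) -> dict:
    """Build a password-file record for `password` whose crackable tag is derived
    from `ersatz`, the decoy that an offline attack will recover instead."""
    salt = os.urandom(16)
    e = hashlib.sha256(ersatz.encode()).digest()
    # `blob` ties the real password to the decoy, but only via the HSM-bound hdf().
    blob = xor(hdf(password, salt), e)
    # `tag` is the only value an attacker without the HSM can test guesses against.
    tag = hashlib.sha256(salt + e).hexdigest()
    return {"salt": salt, "blob": blob, "tag": tag}


def ersatz_matches(record: dict, candidate: str) -> bool:
    """True when `candidate` hashes directly to the stored tag, i.e. it is the decoy."""
    e = hashlib.sha256(candidate.encode()).digest()
    computed = hashlib.sha256(record["salt"] + e).hexdigest()
    return hmac.compare_digest(computed, record["tag"])


def verify(record: dict, candidate: str) -> str:
    """Login check. Returns 'ok', 'reject', or 'alarm' when the decoy is presented,
    which signals that the password file was cracked offline."""
    if ersatz_matches(record, candidate):
        return "alarm"
    # Real path: undo the HSM-bound masking, then check the same tag.
    e = xor(hdf(candidate, record["salt"]), record["blob"])
    computed = hashlib.sha256(record["salt"] + e).hexdigest()
    if hmac.compare_digest(computed, record["tag"]):
        return "ok"
    return "reject"


def offline_crack(record: dict, wordlist) -> Optional[str]:
    """What an attacker holding only the file can do: guess against `tag`.
    Without HSM_SECRET the `blob` cannot be unmasked, so the best outcome is the decoy."""
    for guess in wordlist:
        if ersatz_matches(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample user: real password and its assigned ersatz password.
    rec = enroll("correct horse battery", "Summer2015!")
    # Constructed wordlist containing both the decoy and the real password.
    wordlist = ["123456", "password", "Summer2015!", "correct horse battery"]
    print("offline cracker recovers:", offline_crack(rec, wordlist))   # Summer2015!
    print("real password login:", verify(rec, "correct horse battery"))  # ok
    print("cracked decoy login:", verify(rec, "Summer2015!"))            # alarm
```

The point of the ordering in `verify()` is that a decoy presented at login is recognised before the normal check runs, so the alarm fires on the first use of cracked material; the real password never matches the tag directly, because its tag-equivalent value only exists after the HSM-bound `hdf()` step that the attacker cannot perform offline.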