The beauty is on the server side since only one password file needs to be stored. "Even if we want to verify the real password, we don't need a different file," Almeshekah said.
Almeshekah said the researchers used a fairly cheap hardware security module from Yubico, the YubiHSM, which costs around US$500. For a large number of users, a more advanced hardware security module would be needed for better performance, which could cost $10,000 and up, he said.
But setting up ErsatzPasswords on the server side is pretty easy, he said, and the code is available on GitHub. It's free and is published under an Apache open-source license.
The research paper was co-authored by Christopher N. Gutierrez, Mikhail J. Atallah and Eugene H. Spafford, all of Purdue's Information Assurance and Security group.