Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords—even the most common and weak ones such as “123456,” “password,” and “letmein.”
The S-CRIB Scrambler uses an additional layer of protection over methods many websites use now to prevent mass account compromises in the event a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge’s Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it’s not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.
Further Reading
Why passwords have never been weaker—and crackers have never been stronger
Thanks to real-world data, the keys to your digital kingdom are under assault.
The new method comes amid twin epidemics of website security breaches that spill password databases and a large percent of end users who use “princess,” “123abc,” and other easily guessed passcodes to safeguard their accounts. Like a similar approach unveiled last year that uses a hardware security module to encrypt hashed passwords, it’s designed to make it much harder for attackers to guess the plaintext corresponding to the hashes in a leaked database. Even if a hacker gains access to hashes protecting “123456” or other extremely weak passwords, there is no way to crack them.
“The trick is if you just get the hash from the database you can’t crack it because you don’t have the secret key that was used to create the HMAC hash, because that secret key is only in that hardware dongle,” Jeremi Gosney, a password security expert at Stricture Group who reviewed the Light Blue Touchpaper post, explained. “It’s using a secret parameter to hash the password inside that hardware dongle. You wouldn’t just be able to take the hash from the database and crack as a regular SHA1. It will look like a SHA1 hash, and you can try to crack it as a SHA1, but without knowing that key and cracking it as an HMAC SHA1 hash, you would never crack it.”
Got scale?
The $70 S-CRIB Scrambler plugs into a Raspberry Pi device, making it an inexpensive way to bolster the password storage of smaller sites. While the approach is receiving a fair amount of attention from security experts, many have raised doubts that the dongle has the horsepower or throughput larger websites require to authenticate users who number in the tens or hundreds of millions. A single dongle can scramble about 330 passwords per minute remotely over a connection with end-to-end encryption. That’s enough capacity to serve about 10,000 users. Websites can boost the amount of throughput by creating clusters of dongles that share the load. Dan Cvrcek, CTO of S-CRIB developer Smart Crib Ltd., offered schematics here that he said would allow three dongles to perform one million logins per day.
Besides doubts about whether the approach can scale to the level required by many websites, some researchers also question whether it really represents a step forward when compared to current practices. That’s because S-CRIB uses a single SHA1 iteration to convert plaintext into hashes. Given the extreme speed and modest computational requirements of SHA1, that means very few resources are needed to crack huge numbers of hashes in the event the HMAC key is somehow compromised.
“The security relies on keeping that key a secret,” Gosney explained. “If the key is compromised, then the security is about as strong as a salted SHA1, uniterated. That would be fine if you can guarantee the key will not be compromised. The problem is you can’t guarantee that.”
Other questions involve how, or if, the key is backed up. If not, that could produce big problems in the event a hardware failure destroys the key. If the key is backed up, on the other hand, the question is how to do so in a way that can’t be exploited by hackers.
Whatever the merits of currently using the S-CRIB Scrambler in production environments, it’s worth taking a look. What makes it attractive is the way it attempts to tackle one of the biggest problems on the Internet—users who insist on choosing weak passwords—using low cost method that requires minimal computing resources. For the time being, it’s probably safer to use straight bcrypt or another “slow” hash function to store passwords at rest, although many site administrators say the computational requirements of those schemes are too costly to be viable. It’s worth keeping an eye on alternative approaches such as the one used by S-CRIB. Eventually, one of them may make sense
via Can this $70 dongle stem the epidemic of password breaches? | Ars Technica.