{"id":5041,"date":"2014-03-12T10:00:55","date_gmt":"2014-03-12T14:00:55","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5041"},"modified":"2014-03-12T10:00:55","modified_gmt":"2014-03-12T14:00:55","slug":"can-this-70-dongle-stem-the-epidemic-of-password-breaches","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/03\/12\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/","title":{"rendered":"Can this $70 dongle stem the epidemic of password breaches?"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/03\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/\"><img data-recalc-dims=\"1\" height=\"371\" width=\"640\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/03\/scramblers-with-raspberrypis-640x371.jpg?resize=640%2C371\" \/><\/a><\/p>\n<p>Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords\u2014even the most common and weak ones such as &#8220;123456,&#8221; &#8220;password,&#8221; and &#8220;letmein.&#8221;<\/p>\n<p>The S-CRIB Scrambler uses an additional layer of protection over methods many websites use now to prevent mass account compromises in the event a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge&#8217;s Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. 
Because it&#8217;s not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.<\/p>\n<p>The new method comes amid twin epidemics of website security breaches that spill password databases and a large percent of end users who use &#8220;princess,&#8221; &#8220;123abc,&#8221; and other easily guessed passcodes to safeguard their accounts. Like a similar approach unveiled last year that uses a hardware security module to encrypt hashed passwords, it&#8217;s designed to make it much harder for attackers to guess the plaintext corresponding to the hashes in a leaked database. Even if a hacker gains access to hashes protecting &#8220;123456&#8221; or other extremely weak passwords, there is no way to crack them.<\/p>\n<p>&#8220;The trick is if you just get the hash from the database you can&#8217;t crack it because you don&#8217;t have the secret key that was used to create the HMAC hash, because that secret key is only in that hardware dongle,&#8221; Jeremi Gosney, a password security expert at Stricture Group who reviewed the Light Blue Touchpaper post, explained. &#8220;It&#8217;s using a secret parameter to hash the password inside that hardware dongle. You wouldn&#8217;t just be able to take the hash from the database and crack as a regular SHA1. It will look like a SHA1 hash, and you can try to crack it as a SHA1, but without knowing that key and cracking it as an HMAC SHA1 hash, you would never crack it.&#8221;<\/p>\n<p>Got scale?<\/p>\n<p>The $70 S-CRIB Scrambler plugs into a Raspberry Pi device, making it an inexpensive way to bolster the password storage of smaller sites. 
While the approach is receiving a fair amount of attention from security experts, many have raised doubts that the dongle has the horsepower or throughput larger websites require to authenticate users who number in the tens or hundreds of millions. A single dongle can scramble about 330 passwords per minute remotely over a connection with end-to-end encryption. That&#8217;s enough capacity to serve about 10,000 users. Websites can boost the amount of throughput by creating clusters of dongles that share the load. Dan Cvrcek, CTO of S-CRIB developer Smart Crib Ltd., offered schematics here that he said would allow three dongles to perform one million logins per day.<\/p>\n<p>Besides doubts about whether the approach can scale to the level required by many websites, some researchers also question whether it really represents a step forward when compared to current practices. That&#8217;s because S-CRIB uses a single SHA1 iteration to convert plaintext into hashes. Given the extreme speed and modest computational requirements of SHA1, that means very few resources are needed to crack huge numbers of hashes in the event the HMAC key is somehow compromised.<\/p>\n<p>&#8220;The security relies on keeping that key a secret,&#8221; Gosney explained. &#8220;If the key is compromised, then the security is about as strong as a salted SHA1, uniterated. That would be fine if you can guarantee the key will not be compromised. The problem is you can&#8217;t guarantee that.&#8221;<\/p>\n<p>Other questions involve how, or if, the key is backed up. If not, that could produce big problems in the event a hardware failure destroys the key. If the key is backed up, on the other hand, the question is how to do so in a way that can&#8217;t be exploited by hackers.<\/p>\n<p>Whatever the merits of currently using the S-CRIB Scrambler in production environments, it&#8217;s worth taking a look. 
What makes it attractive is the way it attempts to tackle one of the biggest problems on the Internet\u2014users who insist on choosing weak passwords\u2014using a low-cost method that requires minimal computing resources. For the time being, it&#8217;s probably safer to use straight bcrypt or another &#8220;slow&#8221; hash function to store passwords at rest, although many site administrators say the computational requirements of those schemes are too costly to be viable. It&#8217;s worth keeping an eye on alternative approaches such as the one used by S-CRIB. Eventually, one of them may make sense.<\/p>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2014\/03\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/\" target=\"_blank\">Can this $70 dongle stem the epidemic of password breaches? | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords\u2014even the most 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,7,10],"tags":[325,797,950],"class_list":["post-5041","post","type-post","status-publish","format-standard","hentry","category-hardware","category-security","category-technology","tag-encryption","tag-passwords","tag-security-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1jj","jetpack-related-posts":[{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":5041,"position":0},"title":"Are Passwords Immortal? &#8211; Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. 
-- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":5041,"position":1},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9511,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/01\/22\/millsplain-it-to-me-this-week-in-tech-702\/","url_meta":{"origin":5041,"position":2},"title":"Millsplain It to Me &#8211; This Week in Tech 702","author":"NCCT","date":"January 22, 2019","format":false,"excerpt":"https:\/\/youtu.be\/EtTfFJVBZ6s -Apple's Tim Cook Calls for Data Privacy. -773M Passwords Pwned - How to Find Out If Yours Was. -Amazon Tries to Make Alexa Sound \"Newsy.\" -Google Buys Fossil. 
-74% of Facebook Users are Clueless. -Facebook's 10 Year Challenge. -Atari Founder Making Alexa Board Games. -Stop Using Windows Phone! -Tokyo\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/EtTfFJVBZ6s\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9655,"url":"https:\/\/nccomputertech.com\/techtalk\/2021\/03\/09\/fuquay-varina-and-holly-springs-computer-repair\/","url_meta":{"origin":5041,"position":3},"title":"Fuquay Varina and Holly Springs Computer Repair","author":"NCCT","date":"March 9, 2021","format":false,"excerpt":"Welcome to our blog. NC Computer Tech services Fuquay Varina, Holly Springs, and surrounding NC areas. We offer prompt, professional, courteous service with over twenty years of experience dealing with residential and small business clients offering them solutions and fixing their computer and network issues at reasonable rates. Our services\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9337,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/06\/this-week-in-tech-665-konnichihuahua\/","url_meta":{"origin":5041,"position":4},"title":"This Week in Tech 665: Konnichihuahua","author":"NCCT","date":"May 6, 2018","format":false,"excerpt":"https:\/\/youtu.be\/DkivlhEOks8 Apple has its best Q2 ever, despite analyst predictions. 20 years of iMac. Cambridge Analytica must give US voter his data. Unroll.me foiled by GDPR. NPR buys PocketCasts. Change your Twitter password. Sprint\/T-Mobile merger. Net Neutrality vote in the Senate May 9th. 
Cyber Command gets a promotion.","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/DkivlhEOks8\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9378,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/07\/13\/smart-home-security-tips\/","url_meta":{"origin":5041,"position":5},"title":"Smart Home Security Tips","author":"NCCT","date":"July 13, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ESqqAf3IGok Megan Morrone and Florence Ion talk to Stacey Higginbotham about tips for securing your smart home. The advantages and disadvantages of running devices on a guest network. Plus, how do you know if your devices are getting regular firmware updates.","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ESqqAf3IGok\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5041"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5041\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/tech
talk\/wp-json\/wp\/v2\/categories?post=5041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}