{"id":5041,"date":"2014-03-12T10:00:55","date_gmt":"2014-03-12T14:00:55","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5041"},"modified":"2014-03-12T10:00:55","modified_gmt":"2014-03-12T14:00:55","slug":"can-this-70-dongle-stem-the-epidemic-of-password-breaches","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/03\/12\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/","title":{"rendered":"Can this $70 dongle stem the epidemic of password breaches?"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/03\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/\"><img data-recalc-dims=\"1\" height=\"371\" width=\"640\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/03\/scramblers-with-raspberrypis-640x371.jpg?resize=640%2C371\" \/><\/a><\/p>\n<p>Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords\u2014even the most common and weak ones such as &#8220;123456,&#8221; &#8220;password,&#8221; and &#8220;letmein.&#8221;<\/p>\n<p>The S-CRIB Scrambler uses an additional layer of protection over methods many websites use now to prevent mass account compromises in the event a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge&#8217;s Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. 
Because it&#8217;s not included in the password tables stored on servers, the key can remain secret even if the database is exposed in a major breach.<\/p>\n<p>The new method comes amid twin epidemics of website security breaches that spill password databases and a large percentage of end users who use &#8220;princess,&#8221; &#8220;123abc,&#8221; and other easily guessed passcodes to safeguard their accounts. Like a similar approach unveiled last year that uses a hardware security module to encrypt hashed passwords, it&#8217;s designed to make it much harder for attackers to guess the plaintext corresponding to the hashes in a leaked database. Even if an attacker obtains the hashes protecting &#8220;123456&#8221; or other extremely weak passwords, they cannot be cracked without the key, because every guess has to be run through the same keyed HMAC.<\/p>\n<p>&#8220;The trick is if you just get the hash from the database you can&#8217;t crack it because you don&#8217;t have the secret key that was used to create the HMAC hash, because that secret key is only in that hardware dongle,&#8221; Jeremi Gosney, a password security expert at Stricture Group who reviewed the Light Blue Touchpaper post, explained. &#8220;It&#8217;s using a secret parameter to hash the password inside that hardware dongle. You wouldn&#8217;t just be able to take the hash from the database and crack it as a regular SHA1. It will look like a SHA1 hash, and you can try to crack it as a SHA1, but without knowing that key and cracking it as an HMAC SHA1 hash, you would never crack it.&#8221;<\/p>\n<p>Got scale?<\/p>\n<p>The $70 S-CRIB Scrambler plugs into a Raspberry Pi device, making it an inexpensive way to bolster the password storage of smaller sites. 
While the approach is receiving a fair amount of attention from security experts, many have raised doubts that the dongle has the horsepower or throughput larger websites require to authenticate users who number in the tens or hundreds of millions. A single dongle can scramble about 330 passwords per minute remotely over a connection with end-to-end encryption. That&#8217;s enough capacity to serve about 10,000 users. Websites can boost throughput by creating clusters of dongles that share the load. Dan Cvrcek, CTO of S-CRIB developer Smart Crib Ltd., offered schematics that he said would allow three dongles to handle one million logins per day.<\/p>\n<p>Besides doubts about whether the approach can scale to the level many websites require, some researchers also question whether it really represents a step forward when compared to current practices. That&#8217;s because S-CRIB uses a single SHA1 iteration to convert plaintext into hashes. Given the extreme speed and modest computational requirements of SHA1, very few resources are needed to crack huge numbers of hashes in the event the HMAC key is somehow compromised.<\/p>\n<p>&#8220;The security relies on keeping that key a secret,&#8221; Gosney explained. &#8220;If the key is compromised, then the security is about as strong as a salted SHA1, uniterated. That would be fine if you can guarantee the key will not be compromised. The problem is you can&#8217;t guarantee that.&#8221;<\/p>\n<p>Other questions involve how, or if, the key is backed up. If it isn&#8217;t, a hardware failure that destroys the key would leave every stored hash unverifiable, locking all users out. If the key is backed up, on the other hand, the question is how to do so without creating a second copy for attackers to steal.<\/p>\n<p>Whatever the merits of currently using the S-CRIB Scrambler in production environments, it&#8217;s worth taking a look. 
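<\/p>\n<p>The scheme described above and the failure mode Gosney raises, as an added example in Python (not S-CRIB&#8217;s code and not its API): a stand-in Scrambler class plays the dongle and exposes only an HMAC-SHA1 oracle, so the key never reaches the password table; enrol_scrib stores a single keyed HMAC over salt and password, as the article says the device does; enrol_slow_then_hmac is the hardened layering the closing paragraph points toward, with PBKDF2 standing in for bcrypt because it ships in the standard library. The function names, the 10-character key value, the per-user salt, the wordlist and the work-unit accounting are all constructed for this demo, and everything runs in one process rather than over the encrypted link to a real dongle.<\/p>\n

```python
import hashlib
import hmac
import os

# Added example, not S-CRIB code: the keyed-HMAC scheme described in the
# article, modelled in one process, plus the offline attacks an adversary
# can mount on a leaked password table with and without the dongle's key.


class Scrambler:
    # Stand-in for the hardware dongle. The server only ever calls
    # hmac_sha1(); the key never appears in the password table.
    def __init__(self, key):
        self._key = key

    def hmac_sha1(self, data):
        return hmac.new(self._key, data, hashlib.sha1).digest()


def enrol_scrib(dongle, password, salt=None):
    # S-CRIB-style record: one HMAC-SHA1 over salt||password, keyed by the
    # dongle. The 16-byte per-user salt is an assumption for this demo.
    salt = os.urandom(16) if salt is None else salt
    return {'salt': salt, 'iters': 0,
            'digest': dongle.hmac_sha1(salt + password.encode())}


def enrol_slow_then_hmac(dongle, password, salt=None, iters=50_000):
    # Hardened variant (the article's closing advice, not S-CRIB's design):
    # stretch with a slow KDF first, then let the dongle HMAC the output.
    # PBKDF2 stands in for bcrypt because it ships in the standard library.
    salt = os.urandom(16) if salt is None else salt
    stretched = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iters)
    return {'salt': salt, 'iters': iters, 'digest': dongle.hmac_sha1(stretched)}


def verify(dongle, password, record):
    # Recompute exactly what enrolment computed and compare in constant time.
    if record['iters'] == 0:
        candidate = dongle.hmac_sha1(record['salt'] + password.encode())
    else:
        stretched = hashlib.pbkdf2_hmac('sha256', password.encode(),
                                        record['salt'], record['iters'])
        candidate = dongle.hmac_sha1(stretched)
    return hmac.compare_digest(candidate, record['digest'])


def crack_as_plain_sha1(record, wordlist):
    # Gosney's point: the digest looks like SHA-1 but is not. Treating it as
    # sha1(salt||password) never matches, however weak the password is.
    for guess in wordlist:
        if hashlib.sha1(record['salt'] + guess.encode()).digest() == record['digest']:
            return guess
    return None


def crack_with_stolen_key(record, wordlist, key):
    # Once the HMAC key leaks the attacker has the same oracle as the server.
    # Returns (recovered password or None, work units); one unit is one
    # primitive call, so an S-CRIB record costs 1 per guess and the slow
    # variant costs iters + 1 per guess.
    oracle = Scrambler(key)
    work = 0
    for guess in wordlist:
        work += record['iters'] + 1
        if verify(oracle, guess, record):
            return guess, work
    return None, work


def demo():
    # Constructed inputs: a 10-character dongle secret (the article says the
    # real key is 10 characters) and a wordlist of the weak passwords it names.
    key = b'K7m#2pQ9xZ'
    dongle = Scrambler(key)
    wordlist = ['princess', '123abc', 'letmein', 'password', '123456']
    rec = enrol_scrib(dongle, '123456')
    print('table only, cracked as plain SHA-1:', crack_as_plain_sha1(rec, wordlist))
    print('table plus stolen key, S-CRIB record:', crack_with_stolen_key(rec, wordlist, key))
    slow = enrol_slow_then_hmac(dongle, '123456')
    print('table plus stolen key, slow-then-HMAC:', crack_with_stolen_key(slow, wordlist, key))


if __name__ == '__main__':
    demo()
```

<p>Run stand-alone, the demo recovers nothing when the leaked record is attacked as ordinary SHA-1, recovers &#8220;123456&#8221; at a cost of five primitive calls (one per guess) once the key is stolen, and needs 250,005 calls for the same five guesses against the slow-then-HMAC record with the same stolen key. That last number is the point: putting the dongle over a slow hash means a leaked key degrades to the slow hash rather than to uniterated SHA1, which is exactly the gap Gosney describes. Note that verify() still goes through the dongle on every login, so the throughput limits discussed above apply to the hardened variant too.<\/p>\n<p>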
What makes it attractive is the way it attempts to tackle one of the biggest problems on the Internet\u2014users who insist on choosing weak passwords\u2014using a low-cost method that requires minimal computing resources. For the time being, it&#8217;s probably safer to use straight bcrypt or another &#8220;slow&#8221; hash function to store passwords at rest, although many site administrators say the computational requirements of those schemes are too costly to be viable. It&#8217;s worth keeping an eye on alternative approaches such as the one used by S-CRIB. Eventually, one of them may make sense.<\/p>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2014\/03\/can-this-70-dongle-stem-the-epidemic-of-password-breaches\/\" target=\"_blank\">Can this $70 dongle stem the epidemic of password breaches? | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords\u2014even the most 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[3,7,10],"tags":[325,797,950],"class_list":["post-5041","post","type-post","status-publish","format-standard","hentry","category-hardware","category-security","category-technology","tag-encryption","tag-passwords","tag-security-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1jj","jetpack-related-posts":[{"id":9031,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/09\/24\/heres-what-you-should-know-and-do-about-the-yahoo-breach\/","url_meta":{"origin":5041,"position":0},"title":"Here&#8217;s what you should know, and do, about the Yahoo breach","author":"NCCT","date":"September 24, 2016","format":false,"excerpt":"By Lucian Constantin | IDG News Service | PCWorld Yahoo\u2019s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale\u2014it\u2019s the largest data breach ever\u2014and the potential security implications for users. 
That\u2019s because Yahoo, unlike MySpace, LinkedIn and other online services that\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2971,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/17\/tumblr-tells-users-to-change-passwords-patches-security-hole-in-ios-apps\/","url_meta":{"origin":5041,"position":1},"title":"Tumblr tells users to change passwords, patches security hole in iOS apps","author":"NCCT","date":"July 17, 2013","format":false,"excerpt":"Tumblr, the blogging site recently acquired by Yahoo, has released a security update for its iPhone and iPad apps that it said addresses an issue that allowed passwords to be compromised in certain circumstances. Users of the apps have been advised to update their passwords on Tumblr as there is\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5724,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/12\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/","url_meta":{"origin":5041,"position":2},"title":"It\u2019s official: Malicious hackers have crappy password hygiene, too","author":"NCCT","date":"June 12, 2014","format":false,"excerpt":"Given the amount of time malicious hackers spend bypassing other people's security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don't, according to a recent blog post documenting some of their sloppiest password hygiene. 
The post\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6128,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/05\/mozilla-warns-of-leaky-developer-network-database\/","url_meta":{"origin":5041,"position":3},"title":"Mozilla warns of leaky developer network database","author":"NCCT","date":"August 5, 2014","format":false,"excerpt":"Mozilla\u2019s website for developers leaked email addresses and encrypted passwords of registered users for about a month due to a database error, the organization said Friday. Email addresses for 76,000 Mozilla Development Network (MDN) users were exposed, along with around 4,000 encrypted passwords, wrote Stormy Peters, director of development relations,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8935,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/31\/myspace-hack-puts-at-least-360-million-users-at-risk\/","url_meta":{"origin":5041,"position":4},"title":"Myspace hack puts at least 360 million users at risk","author":"NCCT","date":"May 31, 2016","format":false,"excerpt":"By Shawn Knight | TechSpot Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. 
Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years. Time said earlier today that it first became aware shortly before\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3166,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/12\/password-thieves-target-blogs-content-management-sites\/","url_meta":{"origin":5041,"position":5},"title":"Password thieves target blogs, content management sites","author":"NCCT","date":"August 12, 2013","format":false,"excerpt":"Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers use a short-term gain for a bigger payoff later on. Such sites are attractive targets because they tend to be less secure than other environments\u2014such as financial services\u2014and since they're\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5041"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5041\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}