Can this $70 dongle stem the epidemic of password breaches?

  • 10 March 2014
  • 4 replies
  • 763 views

Userlevel 7
Badge +54
Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords—even the most common and weak ones such as "123456," "password," and "letmein."

The S-CRIB Scrambler uses an additional layer of protection over methods many websites use now to prevent mass account compromises in the event a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge's Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.
 
Full Article

4 replies

Userlevel 7
Badge +56
What happens if your hardware dongle dies?  Or if someone walks off with it?
Userlevel 7
Badge +54
I got this from their website:
"Ultimately, instead of calling a hash function to scramble passwords entered by users, the server calls a web service (hosted locally or remotely) to do it. This web service scrambles passwords with a “keyed cryptographic function”. The key is not possible to read from the hardware device once it is initialised. This makes the system perfectly secure for almost any commercial application."
 
From that I would imagine that the device does not store the passwords unless I am reading it wrong.
Userlevel 7
Badge +56
Ah, that makes more sense.
Userlevel 5
Don't scare me with it dieing nic please!

Reply