Brit Boffs Create Hardware Scrambler To Counter Password Leaks

A hardware-based protection against password breaches has been developed by an ex-University of Cambridge student using Raspberry Pi hardware. He claims it will make password cracking close to impossible.

Even with a stolen database of passwords, a hacker would also have to have acquired the trusted hardware component, the Scrambler, developed by the Cambridge-based crew.

The solution adds an encryption key to the security chain, stored in a USB dongle, which produces what is known as a hash-based message authentication code (HMAC). The initial trials connected the Scrambler to Raspberry Pi devices.

Overcoming password problems

It was determined that the dongle could scramble 330 passwords per minute remotely, but higher throughput could be achieved with clusters of Scramblers that share the load.

The Scrambler costs £39. There is also an option for servers running in virtualised environments.

“We have developed a system that uses a trusted hardware component to ‘scramble’ user passwords. This trusted hardware holds encryption keys that scramble passwords (using SHA1-HMAC) and one needs this hardware to do any password attack,” read a blog post from Dan Cvrcek, a former University of Cambridge student, who has set up a company selling the Scrambler, Smart Crib.

“Our way of password scrambling is to compute message authentication code with SHA1-HMAC. This is a one-way cryptographic function with a key. This key is only available inside the trusted hardware device (Scrambler).

“As long as the encryption key is kept secret, all passwords are secure, regardless of their own strength. Even if passwords were just one letter, the attacker would not be able to find out from their scrambled values.”
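The keyed scrambling described in the quote can be sketched as follows. This is an added example, not Smart Crib's code: the `Scrambler` class is a software stand-in for the hardware device, and the per-user salt, record layout and function names are assumptions.

```python
import hashlib
import hmac
import secrets


class Scrambler:
    """Software stand-in (assumption) for the dongle: the key stays in here."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed key for the demo

    def scramble(self, salt: bytes, password: str) -> str:
        msg = salt + password.encode()
        return hmac.new(self._key, msg, hashlib.sha1).hexdigest()


def enroll(device: Scrambler, password: str) -> dict:
    salt = secrets.token_bytes(16)  # per-user salt: an assumption, not from the article
    return {"salt": salt, "mac": device.scramble(salt, password)}


def verify(device: Scrambler, record: dict, candidate: str) -> bool:
    # Login check: only a host with access to the device can recompute the MAC.
    expected = device.scramble(record["salt"], candidate)
    return hmac.compare_digest(expected, record["mac"])


def guess_plain_sha1(stored_hash: str, wordlist):
    # Unkeyed hash: the database alone is enough to test every candidate.
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == stored_hash:
            return word
    return None


def guess_without_key(record: dict, wordlist, key: bytes = b"\x00" * 32):
    # Keyed MAC: with the wrong key no candidate matches, however weak the password.
    for word in wordlist:
        mac = hmac.new(key, record["salt"] + word.encode(), hashlib.sha1).hexdigest()
        if hmac.compare_digest(mac, record["mac"]):
            return word
    return None


if __name__ == "__main__":
    letters = [chr(c) for c in range(ord("a"), ord("z") + 1)]
    device = Scrambler()
    record = enroll(device, "a")  # constructed one-letter password
    print("login ok:", verify(device, record, "a"))
    print("plain SHA-1 recovered:", guess_plain_sha1(hashlib.sha1(b"a").hexdigest(), letters))
    print("HMAC without key recovered:", guess_without_key(record, letters))
```

The protection rests entirely on the key staying inside the device: anyone who obtains the key can test candidates against the stored values as easily as against an unkeyed hash.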

Cvrcek has now asked the wider security community to check the quality of the technology.

Not all onlookers are impressed by the technology, however. “I like the wordpress API idea concept… but that kind of thing is done better and before by companies like Stormpath,” said Javvad Malik, analyst at 451 Research. “Interesting concept – but nothing I’d call groundbreaking or new.”

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
