
Brit Boffs Create Hardware Scrambler To Counter Password Leaks

A hardware-based protection against password breaches has been developed by an ex-University of Cambridge student using Raspberry Pi hardware, who claims it will make password cracking close to impossible.

Even with a stolen database of passwords, a hacker would also have to acquire the trusted hardware component, the Scrambler, developed by the Cambridge-based crew.

The solution adds an extra encryption key to the security chain, stored in a USB dongle, which is used to produce what is known as a hash-based message authentication code (HMAC). The initial trials connected the Scrambler to Raspberry Pi devices.

Overcoming password problems

It was determined that the dongle could scramble 330 passwords per minute remotely, but more throughput could be achieved with clusters of Scramblers that share the load.

The Scrambler costs £39. There is also an option for servers running in virtualised environments.

“We have developed a system that uses a trusted hardware component to ‘scramble’ user passwords. This trusted hardware holds encryption keys that scramble passwords (using SHA1-HMAC) and one needs this hardware to do any password attack,” read a blog post from Dan Cvrcek, a former University of Cambridge student, who has set up a company, Smart Crib, to sell the Scrambler.

“Our way of password scrambling is to compute message authentication code with SHA1-HMAC. This is a one-way cryptographic function with a key. This key is only available inside the trusted hardware device (Scrambler).

“As long as the encryption key is kept secret, all passwords are secure, regardless of their own strength. Even if passwords were just one letter, the attacker would not be able to find out from their scrambled values.”
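The scheme quoted above, as an added example (not Smart Crib's code): a Python class stands in for the Scrambler and keeps a constructed random key private, and the same guess list is run against an unkeyed SHA-1 database and a keyed one. `plain_sha1`, `verify`, `offline_guess`, the sample accounts and the guess list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Scrambler:
    """Stand-in for the trusted hardware: the key never leaves this object."""

    def __init__(self):
        self.__key = secrets.token_bytes(20)  # constructed key, stays "on the device"

    def scramble(self, password: str) -> str:
        return hmac.new(self.__key, password.encode(), hashlib.sha1).hexdigest()


def plain_sha1(password: str) -> str:
    """Unkeyed hash for comparison: anyone holding the database can compute it."""
    return hashlib.sha1(password.encode()).hexdigest()


def verify(db: dict, user: str, password: str, transform) -> bool:
    """Login check: recompute with the device and compare in constant time."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, transform(password))


def offline_guess(stolen_db: dict, candidates, transform) -> dict:
    """What can be tested with the database alone, given some transform."""
    lookup = {transform(c): c for c in candidates}
    return {user: lookup[v] for user, v in stolen_db.items() if v in lookup}


def demo() -> dict:
    device = Scrambler()
    users = {"alice": "a", "bob": "letmein"}    # constructed sample accounts
    candidates = ["a", "letmein", "password"]   # constructed guess list
    unkeyed_db = {u: plain_sha1(p) for u, p in users.items()}
    keyed_db = {u: device.scramble(p) for u, p in users.items()}
    other_device = Scrambler()                  # same hardware model, different key
    return {
        "unkeyed_recovered": offline_guess(unkeyed_db, candidates, plain_sha1),
        "keyed_recovered": offline_guess(keyed_db, candidates, other_device.scramble),
        "login_ok": verify(keyed_db, "alice", "a", device.scramble),
        "login_bad": verify(keyed_db, "alice", "b", device.scramble),
    }


if __name__ == "__main__":
    print(demo())
```

The one-letter password falls immediately in the unkeyed database and stays unrecovered in the keyed one, while the legitimate login path still works because it goes through the device holding the key.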

Cvrcek has now asked the wider security community to check the quality of the technology.

Not all onlookers are impressed by the technology, however. “I like the WordPress API idea concept… but that kind of thing is done better and before by companies like Stormpath,” said Javvad Malik, analyst at 451 Research. “Interesting concept – but nothing I’d call groundbreaking or new.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
