
Brit Boffs Create Hardware Scrambler To Counter Password Leaks

An ex-University of Cambridge student has developed a hardware-based protection against password breaches, trialled on Raspberry Pi hardware, and claims it will make password cracking close to impossible.

Even with a stolen database of passwords, a hacker would also need to have acquired the trusted hardware component, the Scrambler, developed by the Cambridge-based crew.

The solution adds an extra encryption key to the security chain. The key is stored in a USB dongle, which produces what is known as a hash-based message authentication code (HMAC). The initial trials connected the Scrambler to Raspberry Pi devices.

Overcoming password problems

It was determined the dongle could scramble 330 passwords per minute remotely, but throughput could be increased by clusters of Scramblers that share the load.

The Scrambler costs £39. There is also an option for servers running in virtualised environments.

“We have developed a system that uses a trusted hardware component to ‘scramble’ user passwords. This trusted hardware holds encryption keys that scramble passwords (using SHA1-HMAC) and one needs this hardware to do any password attack,” read a blog post from Dan Cvrcek, a former University of Cambridge student, who has set up a company, Smart Crib, to sell the Scrambler.

“Our way of password scrambling is to compute message authentication code with SHA1-HMAC. This is a one-way cryptographic function with a key. This key is only available inside the trusted hardware device (Scrambler).

“As long as the encryption key is kept secret, all passwords are secure, regardless of their own strength. Even if passwords were just one letter, the attacker would not be able to find out from their scrambled values.”
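The scheme the blog post describes, as an added example that is not Smart Crib's code: a Python class stands in for the dongle and keeps the SHA1-HMAC key private, and the same one-letter guessing loop is run against an unkeyed SHA-1 value and against the scrambled value. The per-user salt, the class and function names, and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class Scrambler:
    """Stand-in for the trusted hardware: the key never leaves this object."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed key for the demo

    def scramble(self, salt: bytes, password: str) -> bytes:
        # SHA1-HMAC as named in the article; the per-user salt is an assumption
        return hmac.new(self._key, salt + password.encode(), hashlib.sha1).digest()


def enroll(device: Scrambler, password: str):
    """Return the (salt, scrambled value) record the server would store."""
    salt = secrets.token_bytes(16)
    return salt, device.scramble(salt, password)


def verify(device: Scrambler, record, attempt: str) -> bool:
    salt, stored = record
    return hmac.compare_digest(stored, device.scramble(salt, attempt))


def offline_guess(salt: bytes, stored: bytes, candidates, digest_fn):
    """Recompute each candidate with digest_fn and compare, as anyone holding
    only the stored records could. Returns the match or None."""
    for guess in candidates:
        if hmac.compare_digest(digest_fn(salt + guess.encode()), stored):
            return guess
    return None


def unkeyed_sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def hmac_wrong_key(data: bytes) -> bytes:
    # Without the device, the real key is unknown; any other key gives no match
    return hmac.new(b"not-the-device-key", data, hashlib.sha1).digest()


if __name__ == "__main__":
    device, letters = Scrambler(), "abcdefghijklmnopqrstuvwxyz"
    salt, scrambled = enroll(device, "q")  # one-letter password, as in the quote
    print(verify(device, (salt, scrambled), "q"))
    print(offline_guess(salt, unkeyed_sha1(salt + b"q"), letters, unkeyed_sha1))
    print(offline_guess(salt, scrambled, letters, hmac_wrong_key))
```

The protection rests entirely on the key staying inside the device: anyone who can call `scramble` freely, or who obtains the key, is back to the unkeyed case.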

Cvrcek has now asked the wider security community to check the quality of the technology.

Not all onlookers are impressed by the technology, however. “I like the wordpress API idea concept… but that kind of thing is done better and before by companies like Stormpath,” said Javvad Malik, analyst at 451 Research. “Interesting concept – but nothing I’d call groundbreaking or new.”

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
