Brit Boffs Create Hardware Scrambler To Counter Password Leaks


British company is road testing a dongle designed to make password leaks a non-problem, but not all are convinced by it

A hardware-based protection against password breaches has been developed by a former University of Cambridge student using Raspberry Pi hardware, who claims it will make password cracking close to impossible.

Even if attackers have stolen a database of passwords, they would also need to have acquired the trusted hardware component, the Scrambler, developed by the Cambridge-based crew.

The solution adds an encryption key to the security chain, stored in a USB dongle, which produces what is known as a hash-based message authentication code (HMAC). The initial trials connected the Scrambler to Raspberry Pi devices.

Overcoming password problems

It was determined the dongle could scramble 330 passwords per minute remotely, but more throughput could be achieved with clusters of Scramblers that share the load.

The Scrambler costs £39. There is also an option for servers running in virtualised environments.

“We have developed a system that uses a trusted hardware component to ‘scramble’ user passwords. This trusted hardware holds encryption keys that scramble passwords (using SHA1-HMAC) and one needs this hardware to do any password attack,” read a blog post from Dan Cvrcek, a former University of Cambridge student, who has set up a company selling the Scrambler, Smart Crib.

“Our way of password scrambling is to compute message authentication code with SHA1-HMAC. This is a one-way cryptographic function with a key. This key is only available inside the trusted hardware device (Scrambler).

“As long as the encryption key is kept secret, all passwords are secure, regardless of their own strength. Even if passwords were just one letter, the attacker would not be able to find out from their scrambled values.”

Cvrcek has now asked the wider security community to check the quality of the technology.
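The scheme described in the quotes above can be sketched in a few lines. This is an added example, not Smart Crib's code: the `Scrambler` class stands in for the dongle, and the class names, the per-user salt and the constructed sample values are assumptions not taken from the article.

```python
import hashlib
import hmac
import secrets


class Scrambler:
    """Stand-in for the trusted hardware: the key never leaves this object."""

    def __init__(self):
        self.__key = secrets.token_bytes(32)  # constructed key, generated inside the "device"

    def scramble(self, salt: bytes, password: str) -> bytes:
        # SHA1-HMAC as named in the article; the per-user salt is an added assumption
        return hmac.new(self.__key, salt + password.encode("utf-8"), hashlib.sha1).digest()


class PasswordStore:
    """What the web server keeps: salts and scrambled values, never the key."""

    def __init__(self, device):
        self._device = device
        self.rows = {}  # username -> (salt, tag): exactly what a database leak exposes

    def enrol(self, user, password):
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, self._device.scramble(salt, password))

    def verify(self, user, password):
        if user not in self.rows:
            return False
        salt, tag = self.rows[user]
        candidate = self._device.scramble(salt, password)
        return hmac.compare_digest(candidate, tag)  # constant-time comparison


def offline_guess(rows, user, candidates, guessed_key=bytes(32)):
    """Check guesses against leaked rows alone: unkeyed SHA-1 and HMAC under a guessed key."""
    salt, tag = rows[user]
    for pw in candidates:
        data = salt + pw.encode("utf-8")
        unkeyed = hashlib.sha1(data).digest()
        keyed = hmac.new(guessed_key, data, hashlib.sha1).digest()
        if tag in (unkeyed, keyed):
            return pw
    return None
```

Enrolling a one-letter password and running `offline_guess` over the whole alphabet returns `None`, because every check of a guess has to pass through the device that holds the key.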

Not all onlookers are impressed by the technology, however. “I like the wordpress API idea concept… but that kind of thing is done better and before by companies like Stormpath,” said Javvad Malik, analyst at 451 Research. “Interesting concept – but nothing I’d call groundbreaking or new.”
