A new password storage system claims to be able to protect even the most common passwords like “123456” and “password.”
Security researchers at Smart Crib, a company working to protect against hackers, have developed a system that scrambles user passwords stored on servers to increase protection. S-CRIB Scrambler uses hardware that holds encryption keys to scramble passwords using SHA1-HMAC, a keyed-hash message authentication code. The system is a one-way cryptographic function with a key that is only available inside the Scrambler and does not get stored on a server using the system.
(Related: ‘123456’ tops ‘password’ as most common password of 2013)
“What we try to do with the Scrambler is to provide administrators with a tool to protect their online systems and minimize the impact of successful attacks,” said Dan Cvrcek, founder of Smart Crib.
S-CRIB Scrambler runs on a Raspberry Pi, making it an inexpensive but powerful platform for the system, according to Cvrcek. The system uses four keys: an HMAC-SHA1 key, a 32-character key for encrypting communications to the server, an API key, and a 10-character key.
“As long as the encryption key is kept secret, all passwords are secure, regardless of their own strength,” wrote Cvrcek on the University of Cambridge’s Light Blue Touchpaper blog. “Even if passwords were just one letter, the attacker would not be able to find out from their scrambled values.”
Smart Crib describes the scrambling process below, using WordPress as an example:
1. User enters her password (“123456”).
2. The password reaches the verification code, either in the core or in a plug-in if there is one.
3. WordPress will send the password to a Scrambler and receive back an encrypted value (6C93BBFA75C81B4A9F3AEA443E7FFB7E8599B391).
4. It reads an encrypted value from the database and compares it with 6C93BBFA75C81B4A9F3AEA443E7FFB7E8599B391. If the values match, the user logs in. If not, the user has to try again.
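The verification flow above, as an added Python example that is not Smart Crib's code: the Scrambler is stood in for by a keyed HMAC-SHA1 function, and the key, the user record and the wordlist are constructed for the demo. The output has the same 40-character hex shape as the value in step 3 but will not reproduce that value, which depends on the real device key.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo key. In the S-CRIB design the HMAC key lives only inside
# the Scrambler hardware and is never stored on the web server.
SCRAMBLER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def scrambler_device(password: str, key: bytes = SCRAMBLER_KEY) -> str:
    """Stand-in for the hardware Scrambler: HMAC-SHA1 over the password.

    Returns a 40-character upper-case hex string, the shape of the value
    WordPress receives back in step 3."""
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha1)
    return mac.hexdigest().upper()


# What the web application stores: scrambled values only, never the key.
# The user "alice" with password "123456" is constructed for the demo.
USER_DB = {"alice": scrambler_device("123456")}


def verify_login(username: str, password: str) -> bool:
    """Steps 3 and 4: ask the Scrambler, then compare with the stored value."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    candidate = scrambler_device(password)
    # Constant-time comparison so a mismatch does not leak via timing.
    return hmac.compare_digest(stored, candidate)


def offline_guess(stored_value: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a dumped database but not the key can try:
    plain SHA1 of each guess, or HMAC under a guessed key.  Neither matches,
    which is why a weak password still survives a database leak here."""
    for guess in wordlist:
        if hashlib.sha1(guess.encode("utf-8")).hexdigest().upper() == stored_value:
            return guess
        if scrambler_device(guess, key=b"attacker-guessed-key") == stored_value:
            return guess
    return None
```

The protection therefore rests entirely on the key staying inside the device; if the Scrambler itself is compromised, the stored values are as weak as the passwords behind them.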
More information about the S-CRIB Scrambler is available here.