Solution to Bulk Password Theft
A British firm, Digital Safe, is reported to have come up with a solution to bulk password theft, with £1m of funding to launch the project. Digital Safe has designed a special box, a piece of hardware that stores passwords separately from the network. High-profile hacks at firms including TalkTalk, Ashley Madison and VTech last year exposed millions of users' passwords.
Online identity theft is one of the most common kinds of cyber-attack, and it leaves large organisations with financial as well as reputational losses. Dr Will Harwood and Roger Gross, the founders of Digital Safe, first came up with the solution, dubbed Password Protect, as a speculative application. Dr Harwood told the BBC that they were seeing large-scale theft of passwords becoming an increasing problem, and that conventional security techniques were proving ineffective.
They saw commercial potential in the idea. Software is prone to flaws and bugs, so their first step was to design modified hardware, effectively hard-coding the logic into a chip so that it does not run an operating system or any other conventional software. According to the founders, this design makes it impenetrable through conventional attack routes.
Box Designed to Store Passwords
The box has been designed to be secure and to serve a single purpose: storing passwords. It runs on 10,000 lines of code, far less than the back-end database in which passwords are usually stored. There is no conventional interface to the back-end systems; the box only lets web servers send login credentials to it so that it can authenticate passwords.
At no point does it reveal these passwords. Dr Harwood acknowledged that hackers who gained access to an organisation's back-end database could query the box, but he has built in a safety feature: he told the BBC that after four attempts to authenticate a password, the account can be flagged to the system administrators.
The device has been tested by several large UK companies, including a retail bank and a telecoms firm. It is due to launch in April, when firms will pay an upfront cost of about £100,000 plus ongoing maintenance fees.
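As an added example (not Digital Safe's code, and not a description of how Password Protect is built internally), here is a small Python sketch of the design the article describes: a credential verifier that accepts a username and password from the web tier, answers only yes or no, never returns the stored secrets, and flags an account to administrators after four failed attempts. The PBKDF2 hashing, the class and function names and the sample user are this example's own assumptions; the article does not say how the box stores passwords.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed illustration of an isolated credential store. Hash parameters
# and the flagging rule are this example's assumptions, not the product's.
PBKDF2_ITERATIONS = 100_000
FLAG_AFTER_FAILURES = 4  # article: flag the account "after four attempts"


@dataclass
class _Record:
    salt: bytes
    digest: bytes
    failures: int = 0  # consecutive failed verifications


class PasswordVault:
    """Stand-alone verifier. No method returns a salt, hash or password."""

    def __init__(self) -> None:
        self._records: dict[str, _Record] = {}
        self.flagged: list[str] = []  # accounts an administrator would be alerted about

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def enrol(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = _Record(salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'flagged'; never the stored material."""
        rec = self._records.get(username)
        if rec is None:
            # Do the same amount of work for unknown users so that response
            # timing does not reveal which usernames exist.
            self._derive(password, os.urandom(16))
            return "denied"
        if hmac.compare_digest(self._derive(password, rec.salt), rec.digest):
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= FLAG_AFTER_FAILURES:
            if username not in self.flagged:
                self.flagged.append(username)
            return "flagged"
        return "denied"


class WebBackend:
    """The application side: holds profile data but no password material."""

    def __init__(self, vault: PasswordVault) -> None:
        self.vault = vault
        self.profiles: dict[str, dict] = {}

    def register(self, username: str, password: str, email: str) -> None:
        self.profiles[username] = {"email": email}
        self.vault.enrol(username, password)  # the password is never stored here

    def login(self, username: str, password: str) -> str:
        return self.vault.verify(username, password)


def dump_backend(backend: WebBackend) -> dict:
    """What full read access to the back-end database would yield: no secrets."""
    return dict(backend.profiles)


def simulate() -> tuple[list[str], list[str], dict]:
    """Constructed run: four wrong guesses, then the right password."""
    backend = WebBackend(PasswordVault())
    backend.register("alice", "correct horse battery staple", "alice@example.test")
    attempts = ["wrong1", "wrong2", "wrong3", "wrong4", "correct horse battery staple"]
    outcomes = [backend.login("alice", p) for p in attempts]
    return outcomes, backend.vault.flagged, dump_backend(backend)


if __name__ == "__main__":
    print(simulate())
```

The point of the split is that a compromise of the web back-end exposes only profile data; the verifier answers one question per request, and the fourth consecutive failure surfaces the account to administrators rather than silently allowing unlimited guessing.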
Easy to Install & Use with Prevailing Infrastructure
Dr Harwood said that it is easy to install and use with existing infrastructure: the box can simply be slotted into existing server racks, needing only a few hundred lines of new code from the IT managers. However, not everyone is convinced that it is the answer to bulk password theft. Alan Woodward, a computer security expert from the University of Surrey, said: ‘The system assumes that we all practise proper password hygiene and do not have the same passwords for different accounts. Evidence suggests that this is not the case. It could also encourage laziness in the IT departments of huge firms.’
He added: ‘One wants developers to know what they are doing, including knowing how to store data correctly; it would be preferable to pay £100,000 for a box which is engineered for a specific purpose.’ Nevertheless, the Cambridge start-up says it remains confident in its solution. Last year it launched a hacker challenge inviting anyone to steal 100 encrypted passwords from the system. More than 2.5 million attempts have been made to date, none of them successful.