Startup offers another way to protect password databases

There are lots of ways hackers get passwords, including phishing and Web page scraping. Outright theft of an entire password database is another.

If such a database is properly protected, that shouldn’t be a problem. But sometimes it is cracked because organizations are sloppy — for example, not salting in addition to hashing passwords — or because hackers are able to use the power of botnets to crack encryption.

Jeremy Spilman, one of the victims of the 2012 theft of over 6 million LinkedIn passwords, took the experience to come up with what he thinks is a better idea: So-called “blind hashing” with a massive pool of random data to protect password databases.

Spilman is founder and CTO of a cloud service called TapLink, which came out of stealth on Tuesday.

“Essentially, we make the data too large to steal, since we control the network and the size of the data pool,” he said in an interview.

Hashing helps disguise a password. But, Spilman said, the goal of standard hashing is to merely make an attacker give up because it takes so long to crack the encryption. That’s not true any more thanks to improved computer power, he said.

Blind hashing changes a password hash into a lookup function within a massive pool of completely random data. The result of the lookup is used to decrypt the hash and allow the authentication process to be completed with no latency impact on the login process, the company says.

A petabyte-sized data pool acts as a “data anchor” to prevent an attacker from ever cracking a single password. In order to begin the password cracking process, an attacker would have to steal the entire data pool, spanning hundreds of solid state drives across multiple data centers. The more customers the company has, the greater the size of the pool.

Spilman says the TapLink data pool is so large that trying to transfer it over the network at full line rate would take years.
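To make the mechanism described above concrete, here is an added, purely illustrative Python sketch of the blind-hashing idea. It is not TapLink's code and does not claim to match their design: the choice of PBKDF2 as the first-stage hash, the single pool lookup, the HMAC used to bind the pool block to the hash, and the tiny 64 KB pool (standing in for the petabyte pool the article describes) are all assumptions made so the script runs offline. The point it demonstrates is that a stolen table of salts and final hashes is useless for offline guessing without the pool itself, because each candidate password leads to a different pool location that the attacker cannot predict or fetch.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the service's random data pool. In the article the
# pool is petabytes spread over many drives; 64 KB is enough to show the idea.
POOL_SIZE = 64 * 1024
BLOCK_LEN = 32
SERVICE_POOL = secrets.token_bytes(POOL_SIZE)


def pool_lookup(index_hash: bytes, pool: bytes) -> bytes:
    """Map a hash to an offset inside the pool and return the block stored there.

    Which block is needed depends on the hash, so an attacker cannot know what to
    fetch for a candidate password until they have already computed its hash.
    """
    offset = int.from_bytes(index_hash[:8], "big") % (len(pool) - BLOCK_LEN)
    return pool[offset:offset + BLOCK_LEN]


def blind_hash(password: str, salt: bytes, pool: bytes) -> bytes:
    """Salted hash -> pool lookup -> final value keyed by the pool block (assumed construction)."""
    # Step 1: an ordinary salted, iterated password hash (PBKDF2 is an assumption here).
    first_stage = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)
    # Step 2: use the hash as a lookup into the random pool.
    block = pool_lookup(first_stage, pool)
    # Step 3: bind the pool block to the hash. Without the real pool this value
    # cannot be recomputed, so the stored record alone cannot be brute-forced.
    return hmac.new(block, first_stage, "sha256").digest()


def register(password: str, pool: bytes = SERVICE_POOL) -> tuple[bytes, bytes]:
    """Create the record an application would store: (salt, blind hash)."""
    salt = os.urandom(16)
    return salt, blind_hash(password, salt, pool)


def verify(password: str, salt: bytes, stored: bytes, pool: bytes = SERVICE_POOL) -> bool:
    """Online check performed with access to the real pool."""
    return hmac.compare_digest(stored, blind_hash(password, salt, pool))


def offline_guess_matches(password: str, salt: bytes, stored: bytes) -> bool:
    """Model an attacker who stole the database (salt + hash) but not the pool.

    The attacker must substitute some pool of their own; even the correct
    password then fails to reproduce the stored value.
    """
    attacker_pool = secrets.token_bytes(POOL_SIZE)  # constructed: not the real pool
    return hmac.compare_digest(stored, blind_hash(password, salt, attacker_pool))


if __name__ == "__main__":
    salt, stored = register("correct horse battery staple")
    print("legitimate login:", verify("correct horse battery staple", salt, stored))
    print("wrong password:  ", verify("Tr0ub4dor&3", salt, stored))
    print("offline guess of the right password without the pool:",
          offline_guess_matches("correct horse battery staple", salt, stored))
```

Two design points worth noting. The first-stage hash is still salted and iterated, so blind hashing is layered on top of standard practice rather than replacing it. And because the lookup index is derived from the hash, an attacker with only the database has no way to request the right block per guess; they would need the entire pool, which is exactly the "too large to steal" property the article describes.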

Subscribers use an API to connect TapLink to their applications. The service comes in two versions:

–A public cloud-based service that starts at US$39 a month for five applications and 10,000 hashes/logins a month (there’s a free version for one application and 1,000 logins a month). There are also $89 and $349 a month versions;

–and a private cloud run by a dedicated on-premise appliance for those who can’t use a public cloud for security. It is priced by the terabyte.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
