There are lots of ways hackers get passwords, including phishing and Web page scraping. Outright theft of an entire password database is another.
If such a database is properly protected, that shouldn’t be a problem. But sometimes it is cracked because organizations are sloppy — for example, hashing passwords without also salting them — or because hackers are able to use the power of botnets to brute-force the hashes.
Jeremy Spilman, one of the victims of the 2012 theft of over 6 million LinkedIn passwords, used the experience to come up with what he thinks is a better idea: so-called “blind hashing” with a massive pool of random data to protect password databases.
Spilman is founder and CTO of a cloud service called TapLink, which came out of stealth on Tuesday.
“Essentially, we make the data too large to steal, since we control the network and the size of the data pool,” he said in an interview.
Hashing helps disguise a password. But, Spilman said, the goal of standard hashing is to merely make an attacker give up because it takes so long to crack the encryption. That’s not true any more thanks to improved computer power, he said.
Blind hashing changes a password hash into a lookup function within a massive pool of completely random data. The result of the lookup is used to decrypt the hash and allow the authentication process to be completed with no latency impact on the login process, the company says.
A petabyte-sized data pool acts as a “data anchor” to prevent an attacker from ever cracking a single password. In order to begin the password cracking process, an attacker would have to steal the entire data pool, spanning hundreds of solid state drives across multiple data centers. The more customers the company has, the greater the size of the pool.
Spilman says the TapLink data pool is so large that trying to transfer it over the network at full line rate would take years.
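To make the idea concrete, here is an added toy model of the two-stage scheme described above; it is not TapLink’s code, and the details are assumptions: a megabyte of pseudo-random bytes stands in for the petabyte pool, the first-stage hash is PBKDF2, and the fetched pool bytes key a second HMAC instead of decrypting a stored value.

```python
import hashlib
import hmac
import os

LOOKUPS = 8      # pool blocks fetched per password (assumption)
BLOCK = 32       # bytes fetched per lookup (assumption)


def make_pool(seed: bytes, size: int = 1 << 20) -> bytes:
    """Constructed stand-in for the random data pool.

    Derived deterministically from a seed so the demo is reproducible;
    a real deployment would fill the pool from a hardware RNG.
    """
    return hashlib.shake_256(seed).digest(size)


def _pool_lookup(pool: bytes, key: bytes) -> bytes:
    """Turn the first-stage hash into LOOKUPS offsets and gather the blocks.

    The offsets are spread pseudo-randomly over the whole pool, which is
    what forces an attacker to possess all of it before one guess can be
    checked.
    """
    gathered = bytearray()
    for i in range(LOOKUPS):
        digest = hashlib.sha256(key + bytes([i])).digest()
        offset = int.from_bytes(digest[:8], "big") % (len(pool) - BLOCK)
        gathered += pool[offset:offset + BLOCK]
    return bytes(gathered)


def blind_hash(password: str, salt: bytes, pool: bytes) -> bytes:
    # Stage 1: an ordinary salted, slow hash. Stolen on its own, this is the
    # value an attacker would brute-force offline.
    stage1 = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Stage 2: use stage1 only as a lookup key; the bytes read from the pool
    # become the key that produces the value actually stored.
    pool_bytes = _pool_lookup(pool, stage1)
    return hmac.new(pool_bytes, stage1, hashlib.sha256).digest()


def enroll(password: str, pool: bytes) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, blind_hash(password, salt, pool)


def verify(password: str, salt: bytes, stored: bytes, pool: bytes) -> bool:
    return hmac.compare_digest(blind_hash(password, salt, pool), stored)
```

Verifying against a different pool fails even with the right password and a stolen record, which is the property the article attributes to the data anchor.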
Subscribers use an API to connect TapLink to their applications. The service comes in two versions:
– A public cloud-based service that starts at US$39 a month for five applications and 10,000 hashes/logins a month (there’s a free version for one application and 1,000 logins a month). There are also $89 and $349 a month versions;
– A private cloud run by a dedicated on-premise appliance for those who can’t use a public cloud for security reasons. It is priced by the terabyte.