
UMBC Cyber Defense Lab

Blind Hashing; a new way to secure
passwords against offline attack

Jeremy Spilman

Founder/CTO of TapLink

11-12 Friday 27 March 2015, M/P 101, UMBC

Industry best practice is to secure passwords using a tunable hashing algorithm: pick the right hashing algorithm, tune its cost factors so it runs slowly and makes optimal use of your hardware, and it is possible to protect very strong passwords from being cracked. However, when average password strength and login latency requirements face off against botnets and GPU-powered dictionary attacks, the vast majority of passwords are easily cracked. Blind hashing entangles password hashes with a massive pool of random data, so large that it cannot be stolen over the network. A simple protocol allows any number of sites to share a centralized petabyte-scale data pool, amortizing the cost for defenders while protecting low-entropy passwords with minimal run-time cost. Blind hashing can also be used as a general-purpose PBKDF to protect against brute-force attacks, and it provides the opportunity to add server-based access policies and revocability to the key derivation process. Following his talk, Jeremy will be happy to discuss potential research opportunities with the company for students interested in developing new implementations of blind hashing for password-based authentication and encryption services.
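The entanglement step described above, as a small added simulation that is not TapLink's code: the pool (a seeded 1 MiB stand-in for a petabyte-scale pool), the number of lookups, the chunk size and the first-stage hash parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

# Constructed stand-in for the "massive pool of random data": 1 MiB from a
# seeded PRNG so the example is reproducible. The scheme relies on a pool so
# large (petabyte-scale) that it cannot be exfiltrated over the network.
POOL = random.Random(2015).randbytes(1 << 20)
LOOKUPS = 16   # pool reads per hash (assumed parameter)
CHUNK = 32     # bytes read per lookup (assumed parameter)


def first_stage(password: str, salt: bytes) -> bytes:
    """Conventional tunable hash, computed entirely on the site's own server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)


def pool_indices(h1: bytes, pool_size: int) -> list[int]:
    """Derive LOOKUPS pseudo-random read offsets from the first-stage hash."""
    idx = []
    for i in range(LOOKUPS):
        tag = hmac.new(h1, i.to_bytes(4, "big"), "sha256").digest()
        idx.append(int.from_bytes(tag[:8], "big") % (pool_size - CHUNK))
    return idx


def pool_lookup(pool: bytes, indices: list[int]) -> bytes:
    """Stand-in for the data-pool service: it returns only the requested chunks
    and never sees the password itself, only offsets derived from h1."""
    return b"".join(pool[i:i + CHUNK] for i in indices)


def blind_hash(password: str, salt: bytes, pool: bytes = POOL) -> bytes:
    """Entangle the first-stage hash with bytes read from the pool."""
    h1 = first_stage(password, salt)
    entropy = pool_lookup(pool, pool_indices(h1, len(pool)))
    return hashlib.sha256(h1 + entropy).digest()


def verify(password: str, salt: bytes, stored: bytes, pool: bytes = POOL) -> bool:
    return hmac.compare_digest(blind_hash(password, salt, pool), stored)


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = blind_hash("correct horse", salt)
    print(verify("correct horse", salt, stored))              # True
    print(verify("wrong guess", salt, stored))                # False
    # Holding the stolen database without the pool is not enough to test guesses:
    print(verify("correct horse", salt, stored, bytes(len(POOL))))  # False
```

Offline, a cracker who has the database but not the pool cannot complete the second stage, so guesses cannot be checked at all; the pool service, for its part, learns only h1-derived offsets.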

Jeremy Spilman is the Founder and CTO of TapLink, a startup company that is developing systems using its patented Blind Hashing technique, which can completely protect passwords against offline attack, even if the password database is stolen. He was a double major in Computer Science and Economics at Brandeis University.