[CSEE Talk] talk: Blind Hashing; a new way to secure passwords against offline attack, 11am Fri 3/27, MP101 UMBC
Tim Finin
finin at cs.umbc.edu
Wed Mar 25 00:02:05 EDT 2015

UMBC Cyber Defense Lab
Blind Hashing; a new way to secure passwords against offline attack
Jeremy Spilman
Founder/CTO of TapLink
11-12 Friday 27 March 2015, M/P 101, UMBC

Industry best practice is to secure passwords using a tunable hashing
algorithm; pick the right hashing algorithm, tune its cost factors so
it runs slowly and makes optimal use of your hardware, and it's
possible to protect very strong passwords from being cracked. However,
when average password strength and login latency requirements face off
against bot-nets and GPU powered dictionary attacks, the vast majority
of passwords are easily cracked. Blind hashing entangles password
hashes with a massive pool of random data, so large it cannot be
stolen over the network. A simple protocol allows any number of sites
to share a centralized petabyte-scale data pool, amortizing the cost
for defenders, while protecting low-entropy passwords with minimal
run-time cost. Blind hashing can also be used as a general-purpose
PBKDF to protect against brute-force attacks, and provides the
opportunity to add server-based access policies and revocability to
the key derivation process. Following his talk, Jeremy will be happy
to discuss potential research opportunities with the company for
students interested in developing new implementations of blind hashing
for password-based authentication and encryption services.

Jeremy Spilman is the Founder and CTO of TapLink, a startup company
that is developing systems using its patented Blind Hashing technique,
which can completely protect passwords against offline attack, even if
the password database is stolen. He was a double major in Computer
Science and Economics at Brandeis University.
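
Added example (not from the talk or from TapLink): a simplified Python sketch of the idea in the abstract, where a password hash is entangled with blocks selected from a large data pool, so a stolen password database cannot be tested offline without the pool. The DataPool class, block size, lookup count, PBKDF2 settings and the 1 MiB constructed pool are assumptions for illustration, not TapLink's protocol.

```python
import hashlib, hmac, os

BLOCK = 64      # bytes read per lookup (assumed value)
LOOKUPS = 16    # pool reads per hash (assumed value)

class DataPool:
    """Hypothetical stand-in for the shared pool service.
    A real pool would be far too large to copy over the network."""
    def __init__(self, data: bytes):
        self.data = data

    def lookup(self, h1: bytes) -> bytes:
        # The service sees only h1, never the password or the site's salt.
        nblocks = len(self.data) // BLOCK
        mac = hmac.new(h1, digestmod=hashlib.sha256)
        for i in range(LOOKUPS):
            sel = hmac.new(h1, i.to_bytes(4, "big"), hashlib.sha256).digest()
            idx = int.from_bytes(sel[:8], "big") % nblocks
            mac.update(self.data[idx * BLOCK:(idx + 1) * BLOCK])
        return mac.digest()

def local_hash(password: str, salt: bytes) -> bytes:
    # Ordinary tunable hash computed on the site's own server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def blind_hash(password: str, salt: bytes, pool: DataPool) -> bytes:
    h1 = local_hash(password, salt)
    salt2 = pool.lookup(h1)          # value that depends on pool contents
    return hmac.new(salt2, h1, hashlib.sha256).digest()

def enroll(password: str, pool: DataPool):
    salt = os.urandom(16)
    return salt, blind_hash(password, salt, pool)   # what the site stores

def verify(password: str, record, pool: DataPool) -> bool:
    salt, stored = record
    return hmac.compare_digest(stored, blind_hash(password, salt, pool))

def make_pool(seed: bytes, size: int = 1 << 20) -> DataPool:
    # Constructed sample pool: 1 MiB of deterministic pseudo-random bytes.
    return DataPool(hashlib.shake_256(seed).digest(size))

if __name__ == "__main__":
    pool = make_pool(b"constructed sample pool")
    record = enroll("hunter2", pool)
    print("correct password, real pool:", verify("hunter2", record, pool))
    # Stolen record without the pool: even the right guess cannot be confirmed.
    guess_pool = make_pool(b"attacker has no copy of the pool")
    print("correct password, no pool  :", verify("hunter2", record, guess_pool))
```
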