I recently read an article from Facebook on password cracking. It got
me thinking about how useful dedicated hardware might be for hashing
passwords.
Source:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Fairly basic stuff (MD5, brute & dictionary), however there was some
neat insight into "combinator" attacks which made me revisit several of
my passwords.
I've been thinking about how "breaches" with big companies could be
avoided. One comment stuck out, "whatever vulnerability was used to
dump the password database can also be leveraged to see the exact
algorithm used to store the passwords in the database."
That raises the question: how could you prevent this? At first I thought
about kernel-level protection, then realized I can't think of anything
root doesn't have access to other than "proprietary" hardware.
Suppose you had a PCI card that generated a digest from input. Without
knowing the algorithm, you could safely hash a password for storage or
comparison to storage. Any retrieval of your password database would be
pointless without the algorithm and, in turn, the hardware itself. In the
event of a database breach, you destroy the device.
Am I over-thinking this? This might be a fun exercise with my Arduino
on my OpenBSD machine.
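The scheme the post sketches, as an added example (not the poster's code, nor anything from OpenBSD or Arduino): the card is modelled as a keyed digest whose key never leaves the device, on the assumption that a secret key is the cryptographic equivalent of a secret algorithm; a slow salted KDF runs first so that a stolen database plus a leaked key still does not make guessing cheap, and the "destroy the device" step shows the cost it carries.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


class DigestDevice:
    """Stand-in for the PCI card in the post: returns a digest of its input
    under a secret that never leaves the device. Assumption: HMAC-SHA256
    under a device-resident key plays the role of the undisclosed algorithm."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def digest(self, data: bytes) -> bytes:
        if self._key is None:
            raise RuntimeError("device destroyed: no digests possible")
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def destroy(self) -> None:
        """The post's 'destroy the device' after a breach: every stored
        record becomes unverifiable, so every user must reset a password."""
        self._key = None


def store_password(device: DigestDevice, password: str):
    """Slow salted KDF first, then the device's keyed digest of the result.
    Only the salt and the device output are written to the database."""
    salt = os.urandom(16)
    slow = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, device.digest(slow)


def verify_password(device: DigestDevice, password: str,
                    salt: bytes, stored: bytes) -> bool:
    """A dump of (salt, stored) alone cannot be checked offline: every
    candidate must pass through the device."""
    slow = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    try:
        candidate = device.digest(slow)
    except RuntimeError:
        return False  # device gone: nothing in the database can be verified
    return hmac.compare_digest(candidate, stored)
```

Note that a second device with its own key rejects every record produced by the first, which is exactly why losing or destroying the device forces a password reset for all users.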