user:zaroth
created:1315 days ago
karma: 4377
about: I love coding. I've worked with a variety of languages, compiled and interpreted, but probably C# the most.

Some of my endeavors:
- Founder of TapLink
- Co-Founder of Club Benchmarking and Dynamic Benchmarking
- Bitcoin contributor (first to implement Micropayment Channels and Stealth Addresses)
- Operating an honest Tor Relay

Recently I have been developing a method of securing passwords called 'Blind Hashing' which completely protects passwords at rest, even if the salts and hashes are stolen. This keeps a password safe from offline attack no matter how weak the password may be. Just launched in April 2015, and TapLink will be at RSA 2015 exhibiting! Check it out, taplink.co.

Since you're here reading, let me give you the pitch and see what you think:

The basic premise of Blind Hashing is one of those obvious-in-retrospect ideas: instead of imposing a highly constrained runtime cost, we impose an arbitrarily large one-time cost. Blind Hashing transforms a password hash into a lookup function over a massive pool of completely random data. The result of the lookup is used to decrypt the hash and allow the authentication process to complete. A petabyte-sized data pool acts as a "data anchor" to prevent an attacker from ever cracking a single password, even if your password database is stolen. The attacker would have to steal the entire data pool, spanning hundreds of SSDs across multiple data centers, to even begin the cracking process. Dubbed "Security by Obesity" on Reddit, the data pool is so large that simply trying to transfer it over the network at full line rate would take years. The TapLink data pool acts as a common defense fund for passwords, where every dollar invested grows the size of the data pool and increases the security for everyone using it.

We deliver the service using a trivially simple API: 64 bytes in, 64 bytes out, which your server calls once whenever you set or verify a password. The system is incredibly scalable and high performance, since we're no longer trying to make it secure by making it slow. We complete your lookups in a few milliseconds, and our system today can already support up to 100,000 logins per second.

Everyone that uses the data pool gains the full security benefit of the data pool, while just paying for a small share of the cost. We protect passwords from offline attack for pennies per user per year. We're a fully additive solution (use it with bcrypt) on top of your existing password defenses, and we are the perfect complement to multi-factor authentication for applications that require it. There's no lock-in, so you can add/remove blind hashing on a user-by-user basis, and if you decide you don't want it, you can deactivate it with an offline private key and be on your way. So we've really tried to make this a zero-risk win/win proposition.

If you want to use Blind Hashing in your startup for free, just email me, jeremy at taplink dot co.
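To make the architecture sketched in the pitch concrete, here is a toy model of the set/verify flow as an added example. It is not TapLink's code and the page gives no protocol details beyond "64 bytes in, 64 bytes out": the in-memory random "pool", the number of probe reads per lookup, the use of PBKDF2 as a stand-in for bcrypt, and the way the lookup result keys the stored verifier are all assumptions made for illustration. What it does show is the property the post claims: a record stolen from the database cannot be checked against candidate passwords unless the verifier also holds the same pool, so an attacker's own pool (or no pool) gets them nowhere.

```python
import hashlib
import hmac
import os
import secrets

# Toy "data pool": random bytes standing in for the petabyte pool the post
# describes. Constructed here; the size is purely illustrative.
POOL_SIZE = 1 << 20   # 1 MiB
PROBES = 16           # pool reads per lookup (assumed; not stated on the page)
READ_LEN = 64         # bytes read per probe (assumed)


def make_pool(size: int = POOL_SIZE) -> bytes:
    """Generate a fresh random pool. In the real service this is the shared,
    multi-petabyte data anchor; here it is just process-local random bytes."""
    return secrets.token_bytes(size)


def pool_lookup(pool: bytes, query: bytes) -> bytes:
    """The 64-in / 64-out lookup: derive probe offsets from the query, read the
    pool at each offset, and hash the reads together. Without the pool bytes
    this function cannot be evaluated, which is the whole point."""
    if len(query) != 64:
        raise ValueError("query must be exactly 64 bytes")
    digest = hashlib.sha512(query).digest()      # 64 bytes = PROBES * 4
    h = hashlib.sha512()
    for i in range(PROBES):
        # four digest bytes select one offset, reduced into the pool range
        offset = int.from_bytes(digest[4 * i:4 * i + 4], "big") % (len(pool) - READ_LEN)
        h.update(pool[offset:offset + READ_LEN])
    return h.digest()


def _local_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the site's own slow hash (the post says "use it with
    bcrypt"); PBKDF2-HMAC-SHA512 is used because it is in the standard
    library and yields the 64 bytes the lookup expects."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, 50_000)


def set_password(password: str, pool: bytes) -> dict:
    """Enrol a password: hash locally, make the single lookup call, and store
    only the salt plus a verifier keyed by the lookup result."""
    salt = os.urandom(16)
    h1 = _local_hash(password, salt)   # never stored
    q = pool_lookup(pool, h1)          # the one API call per set/verify
    # The post says the lookup result is used to decrypt the hash; this toy
    # simply keys an HMAC over the hash with it (simplification, assumed).
    verifier = hmac.new(q, h1, hashlib.sha512).digest()
    return {"salt": salt, "verifier": verifier}


def verify_password(password: str, record: dict, pool: bytes) -> bool:
    """Recompute the local hash, repeat the lookup, and compare in constant
    time. A caller holding a different pool (or none) cannot reproduce q."""
    h1 = _local_hash(password, record["salt"])
    q = pool_lookup(pool, h1)
    candidate = hmac.new(q, h1, hashlib.sha512).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    pool = make_pool()
    rec = set_password("correct horse battery staple", pool)
    print("right password, right pool :", verify_password("correct horse battery staple", rec, pool))
    print("wrong password, right pool :", verify_password("Tr0ub4dor&3", rec, pool))
    # Someone who stole only the database and built their own pool:
    print("right password, other pool :", verify_password("correct horse battery staple", rec, make_pool()))
```

The stolen record (salt plus verifier) is useless for offline guessing because every candidate check requires a `pool_lookup`, and the check in the last line fails even with the correct password when the pool differs. Note the trade-off the toy makes visible: availability of the pool becomes part of the login path, so in production the service call sits behind the site's existing slow hash rather than replacing it, which is also what the post recommends.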
