Researchers hope to stop hacking attempts
By
Rose Jenkins
The Stanford Daily
STANFORD (U-Wire) — Aware of the rampant growth of high-profile online
information thefts, a team of Stanford University computer science researchers
said there is clearly a need to make Internet users’ passwords
more secure. These researchers — Colin Jackson, a computer science doctoral
student; junior Nicholas Miyake; sophomore Blake Ross; and computer science
professors Dan Boneh and John C. Mitchell — have thus created a browser
extension that helps protect passwords and is free and open to the public.
Ross started PwdHash during a project for a freshman introductory seminar taught
by Boneh in 2003-04, and the others joined the effort later. Jackson presented
a paper the team wrote about the product at the 14th annual Usenix Security
Symposium in Baltimore, Md., Aug. 3.
Many Internet users employ the same password at a variety of sites, Miyake
explained. This is a problem because hackers can steal passwords from low-security
Web sites, such as dating Web sites, and then use them to circumvent the security
systems at other, more sensitive Web sites, like those of a bank, he said.
Therefore, rather than focus on the secure storage of passwords, PwdHash generates
a different password for every site from the one the user types, so a stolen
password is useless elsewhere. When PwdHash users visit a Web site that demands
a password, they either “choose a password that starts with the special
prefix ‘@@’ or press a special password key (F2),” according
to the research team.
This prompts PwdHash to compute a hash of the actual password combined with
the site’s Web address, and to send that hash to the site in place of the
password, Jackson explained. If hackers try to take the
password, they will see the scrambled code rather than the actual password.
“Our solution is somewhat different than others in that we focus on protecting
the password itself rather than informing the user about whether or not they
are at a legitimate site,” Miyake said.
PwdHash is available as both a “plug-in” version, essentially a
download, for Internet Explorer (at http://crypto.stanford.edu/PwdHash/) and
Mozilla Firefox (at http://addons.mozilla.org), and as a Web-based version
that does not need to be downloaded (https://www.pwdhash.com/).
The security technique used in PwdHash also makes it a useful defense against
phishing, the common hacking strategy in which hackers set up fake Web sites
to look like their authentic counterparts, collect users’ passwords,
and then use them at other, more secure sites, Jackson said.
Because PwdHash creates scrambled passwords, hackers will unknowingly collect
false passwords which they will not be able to use at other sites.
Though it was not originally designed to prevent phishing, the PwdHash team
has also investigated and attempted to thwart other common phishing techniques,
like JavaScript code on a malicious page that captures the user’s keystrokes
and thus the actual password before it is hashed.
“Almost all of these are scenarios that we thought about ourselves—we
would brainstorm ways that one might attack the plug-in, implement samples of
such techniques if necessary and then figure out how to defend against it,” Miyake
said.
Notably, PwdHash is not completely foolproof. Users have reported incompatibility
with certain browsers and with certain Web sites.
While an older version of the extension is available for Internet Explorer,
most of the updates are being made to the plug-in for Firefox. Also, the software
cannot completely prevent the original password from being deciphered.
Hackers could still use the “offline dictionary attack” method
to hash all possible passwords until they find a match for the one they have
stolen, thus identifying the password, Miyake explained. The feasibility of
this technique depends on the strength of the original password.
“Under this scenario it would be possible for an attacker to recover the
user’s password, but if the user wasn’t using PwdHash their password
would have been exposed without the attacker even having to do a dictionary attack,
so it does provide more protection,” Miyake said.
Users have recognized the additional protection provided by PwdHash. According
to Jackson, thousands have downloaded either the Internet Explorer version
posted on the team’s Web site about a year ago, or the Mozilla version
made available there in mid-July.
And Miyake said more than 250 people downloaded the Firefox plug-in from the
Mozilla Web site on July 29, the first day it was posted.
The researchers say they intentionally left the software’s source code
open and free, even for commercial use, because they hope anyone who wants
to will take it up and incorporate the extension’s strategies into browsers
and a broader Internet security package.
“It hasn’t gone through the kind of quality assurance process that
commercial products do,” Jackson said. “We’re hoping that someone
bigger than us with more marketing muscle will pick up the project and put it
in the hands of the average user.”