TapLink Rethinks Password Security with Blind Hashing
Passwords are often a weak security link but they don't have to be, says security startup TapLink.
Attackers often go after simple user passwords that can then be leveraged for broad breaches of user information. Security startup Taplink is among the many companies that are trying to help solve the password challenge. But instead of taking the increasingly common approach of building a two-factor password solution, TapLink aims to harden password storage.
Jeremy Spilman, CTO and founder of TapLink, got the idea for his company in 2012 when his own password was stolen in the LinkedIn data breach that occurred that year. Spilman has managed to raise $300,000 in seed funding to create the TapLink technology, which has been in private beta since 2013 and emerged from stealth at the end of April.
"Our mission is to restore trust in passwords and our technology prevents offline attacks, which is the biggest vector for how passwords are stolen today," Spilman told eSecurity Planet.
Protecting Passwords with Blind Hashing
Iterative hashing has long been used to protect passwords at rest and it's an approach that can be improved upon, Spilman said. The TapLink approach uses a technique known as blind hashing. Instead of trying to make hashing slow in a bid to make it more difficult for an attacker to decrypt, blind hashing uses a massive pool of random data, he explained. An attacker would have to steal all of that random data in order to crack even a single password.
"We change the model completely, from one where we just hope that passwords are complicated enough so attackers can give up before they crack them, to a model where the attacker has to steal an unbounded data pool," Spilman said. "We grow the data pool as more people join, and the security for every password we protect as a result gets better."
So far, Spilman said TapLink has protected approximately one million logins with its technology.
Many in the security community have suggested that using salted hashing is a best practice for improving password security. Spilman explained that with a salted hash a password is run through a one-way function in a bid to slow the speed with which a hash can be decrypted.
"So if an attacker steals salted hashed passwords, the attackers will just make guesses to try and get a match," Spilman said. "If they get a matching result, then they know they have cracked the password."
Spilman emphasized that simply trying to make hashing functions slow isn't enough, as CPU power continues to grow. TapLink's blind hashing system uses a very different approach, he said. TapLink blind hashing involves an API request in which the user's organization sends TapLink 64 bytes and TapLink responds with 64 bytes.
"Just by trading the 64 bytes back and forth, for an attacker to run an offline attack they have to steal all of our data, and we have literally made the data too big to steal," Spilman said.
There is a catch, though. For TapLink's system to work, a user will need availability and connectivity to the TapLink server.
Spilman said TapLink's solution is ideal for Web authentication and can be used in traditional environments as well.
"One of the key things we've done to enable high-availability is that our system doesn't actually store passwords; it's just random data," Spilman said. "The whole system is effectively stateless, and we have three data centers that can operate independently of each other."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.