2006 Horizon Awards Winner: Stanford University's Password Hash
A browser plug-in helps customize a user's password for each site, putting a stop to Web spoofing.
In May 2006, nearly 12,000 malicious phishing Web sites were identified by the Anti-Phishing Working Group, a Los Altos, Calif.-based industry association focused on eliminating the scams. That's up from 3,300 sites a year earlier.
Phishing scams trick users into sending their passwords to an unintended Web site -- often unlocking access to bank accounts or other financial data.
|Stanford University Department of Computer Science|
PRODUCT: PwdHash (Password Hash)
DEVELOPERS: Stanford University professor John Mitchell, associate professor Dan Boneh and students Blake Ross, Collin Jackson and Nick Miyake
But some professors and students at Stanford University are taking a big bite out of this crime with Password Hash (PwdHash), a plug-in for popular Web browsers that prevents phishing sites from getting what they want.
"Internet users often use the same password at many Web sites," says Dan Boneh, an associate professor of computer science and electrical engineering at Stanford. "A phishing attack on one site will expose their passwords at many other sites."
By simply adding "@@" to the beginning of a password when registering on a Web site, PwdHash combines the user's password with the site's domain name in an algorithm that customizes a password for the user.
If a password is stolen from a malicious site, it won't work on the authentic site "although you typed in the same password," explains professor John Mitchell, who also led the team.
Although the idea of adding a cryptographic hash function to a password isn't new, Mitchell and his team have advanced the technology by making it easy enough for end users to apply. But the project wasn't always their top priority.
Three years ago, Secret Service agents visited Stanford's engineering and computer science department to seek help in combating financial crimes. "I asked them, 'If we were to solve one problem for you, what would it be?'" Their answer: Web spoofing, now known as phishing.
Stanford University professors Dan Boneh (left) and John Mitchell, developers of Password Hash.
Image Credit: Andy Freeberg
By the summer of 2003, they created SpoofGuard, software that detects fraudulent Web sites. In the process, developers hit on the idea of also modifying the passwords sent out from the user. And so PwdHash was born as a stand-alone piece.
The most difficult part was making PwdHash look easy. Some of the trickiest fake Web pages simply show an image or picture to indicate where to type a password instead of having "enter your password" written in text. "How would our software inside the browser know that the Web page is asking for their password? We had to know which data to apply this cryptographic hash to and which data to leave alone," Mitchell recalls.
That's when doctoral student Collin Jackson came up with the idea of adding the "@@" prefix to every password to tell the software which things are passwords and which aren't.
Today, the software is available for free, with versions for the Internet Explorer and Firefox browsers. Mitchell is trying to persuade major browser vendors to include PwdHash in upcoming releases.
"This type of technology definitely has legs," says David Jevans, chairman of the Anti-Phishing Working Group. "In the U.S., a lot of [Internet security work] is happening on the back end. But that's not going to be enough. The bad guys are always evolving."
Collett is a Computerworld contributing writer. Contact her at firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts