PORTLAND, Ore. Arguably the biggest security gap on today's networks is passwords, prompting government agencies to mandate regularly changed 15-character passwords with random upper- and lower-case characters, numbers and the occasional punctuation mark. Besides being extremely difficult to remember, the approach also requires users to generate secure passwords--a task that pits casual users against the skills of highly trained hackers.
Breaches like the recently publicized Google hack in China only served to illustrate the extent of network security problems.
Now a security expert has received a patent on a solution to the password dilemma, which he calls Password Booster. The USB device, the size of a flash drive, boosts a simple "seed" password--like your cat's name--into a "super password" with 15 characters that meets stringent government network security requirements.
The patented technology will be licensed to a manufacturer through an auction this summer.
"We want to license the Password Booster to a major manufacturer who can handle the volume we anticipate because the market for secure passwords has expanded to include almost anyone using a computer," said JoAnne Leff of J. L. Associates (New York), which will be handling the licensing deals.
Other USB-based devices exist for remembering passwords, including the ChipDrive MyKey from SCM Microsystems (Ismaning, Germany). That device stores passwords on a secure flash memory accessible with a PIN.
Password Booster inventor Kenneth Clubb claims that any device that stores your password can be hacked while plugged into a computer, or if lost. Clubb claims Password Booster is immune to hacking.
The device doesn't require a PIN or master password, he said, adding that it bypasses those steps. "Even if you lose your Password Booster, there is nothing to hack, because the passwords are not stored on it."
Two-factor authentication is usually based on a device like an entry card and a matching security code, both of which must be presented during authentication. For the Password Booster, the two factors are the "seed" password and the Password Booster USB device. Since the system transforms a seed password into a super password, without storing either, it is said to be able to foil hackers even if they manage to break into the device.
The device works by emulating a USB keyboard. When plugged into a computer, it performs keyboard operations. To enter a password, the user types a seed into the input field on their computer screen and plugs in the Password Booster. The user then hits a "boost" button on the device, which moves the cursor to the beginning of the input field, types random alphanumeric characters, then moves character by character through the seed, inserting random characters until a 15-character password is constructed in the input field.
The scheme means the password device does not contain the seed or the super password, both of which only exist briefly in the input field, at which point they are erased by the application that requested them.
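The construction described above can be modeled in a few lines. This is an added illustration, not the patented algorithm or any code from the inventor: the article does not say how the filler characters are chosen or spaced, so the per-device secret, the HMAC-SHA256 filler stream, the even spacing and the names `filler_chars` and `boost` are all assumptions.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols
TARGET_LEN = 15                                  # length stated in the article


def filler_chars(device_secret: bytes, count: int) -> str:
    """Assumed filler source: a fixed per-device stream (HMAC-SHA256, counter mode)."""
    out, counter = [], 0
    while len(out) < count:
        block = hmac.new(device_secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        # Rejection sampling: 248 = 4 * 62, so b % 62 is unbiased for b < 248.
        out.extend(ALPHABET[b % 62] for b in block if b < 248)
        counter += 1
    return "".join(out[:count])


def boost(seed: str, device_secret: bytes) -> str:
    """Model the typed result: filler at the start, then filler after each seed char."""
    if not 0 < len(seed) < TARGET_LEN:
        raise ValueError("seed must be 1 to 14 characters")
    need = TARGET_LEN - len(seed)
    slots = len(seed) + 1              # before the seed and after each of its characters
    base, extra = divmod(need, slots)  # assumed: spread filler as evenly as possible
    filler = filler_chars(device_secret, need)
    out, used = [], 0
    for i in range(slots):
        n = base + (1 if i < extra else 0)
        out.append(filler[used:used + n])  # device types n filler characters
        used += n
        if i < len(seed):
            out.append(seed[i])            # cursor steps right past one seed character
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or device secrets.
    print(boost("tabby", b"device-A-secret"))
    print(boost("tabby", b"device-B-secret"))
```

Under these assumptions the same seed on the same device always yields the same 15-character result, a different device yields a different one, and the seed characters remain in their original order inside the result.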
The patented approach may also work with flash drives, cell phones, iPods and other handheld devices. It also could be adapted to future wireless, USB-based computers.
New devices Clubb is currently designing would seek to solve two similar security problems: piracy in online gaming (where users share passwords with each other to avoid paying for multiple accounts) and phishing for passwords used in online banking accounts.