New encryption method called ‘Splintering’ makes password hacking 14 million percent more challenging

• passwords that were previously breached and determined that splintering reduced the odds of a successful dictionary attack from 100% to 0.00072%.
• Splintering allows up to 30% redundancy, which means that the splintered passwords can be fully reassembled even if up to 6 nodes storing the splinters were to become unavailable for some reason.

What’s the matter?

Researchers at Tide have developed a new technique dubbed ‘Splintering’ to protect usernames and passwords. They claim that Splintering is 14 million percent more difficult to hack when compared to other techniques.

“This technique makes it tremendously more difficult to reconstruct one complete password, let alone all the passwords, using either reverse engineering or common brute force attack methods,” researchers said. Tide is a non-profit foundation focusing on building data privacy focused technologies.

How does this technique work?

Researchers at Tide have implemented the new splintering technique in Tide Protocol. This technique takes encrypted passwords within an authentication system, breaks them up into multiple splinters or fragments, and stores them on a decentralized distributed network from where they can be reassembled when required.

• The number of splinters that each encrypted password is broken up depends upon the desired cryptographic strength and the organization’s requirements.
• The minimum number of splinters is 20 nodes.
• Each node is assigned to a splinter and can be assembled when requested.
• Only the node assigned to a splinter can decrypt and assemble the splinter.

Key findings

Tide researchers tested the splintering technology against 60 million LinkedIn passwords that were previously breached.

• The test revealed that splintering reduced the odds of a successful dictionary attack from 100% to 0.00072%, which is a 14 million percent improvement.
• Splintering allows up to 30% redundancy, which means that the splintered passwords can be fully reassembled even if up to 6 nodes storing the splinters were to become unavailable for some reason.
• End-to-end latency results showed that the splintering process takes between 1,500 milliseconds to 4,000 milliseconds with a full complement of nodes across Microsoft Azure, Google, and Amazon networks.

Tide has introduced an intentional built-in 300-millisecond delay for each authentication request to mitigate brute-force and denial-of-service attacks on the network. Despite this, the latency result proved that the latencies associated with the splintering process are better than existing commonly used authentication methods.

“The splintering technology can be easily used in an almost identical manner to any of the existing OAuth2 authentication schemes and be integrated into any existing organization,” researchers said.

View full article