BALTIMORE -- A new tool to combat the rise of phishing attacks is a browser plug-in that applies a cryptographic hash function to plaintext passwords and other Web site data on the client side of the network equation. This new browser extension is especially useful for those who tend to reuse the same password on different sites, be it their blog or their online bank.
Cybercriminals have long exploited problems associated with the proliferation of passwords. Namely, they know users tend to store the secret passcodes in an insecure spot or reuse the same ones to keep things manageable. In the latter instance, attackers need only access passwords on low-security sites to then illegally access high-risk sites, such as financial institutions', using the swiped passwords. PwdHash, created by computer scientists at Palo Alto, Calif.-based Stanford University, provides customized passwords using primarily SSL without any server changes and little to no change in the user experience.
"Since the users who fall victim to many common attacks are technically unsophisticated, our techniques are designed to transparently provide novice users with the benefits of password practices that are otherwise only feasible for security experts," the authors write in an academic paper discussed during the recent Usenix Security Symposium in Baltimore. For enterprise security administrators and managers, the plug-ins could reduce help desk calls and provide stronger authentication without the use of hardware tokens or client certificates -- both popular options for multi-factor authentication to combat phishing attacks.
As the research paper explains, the password hashing method is simple: "Rather than send the user's cleartext password to a remote site, we send a hash value derived from the user's password, pwd, and the site domain name." The hash is computed with a pseudorandom function (PRF) keyed by the password, with the domain name as its input. "This technique deters password phishing since the password received at a phishing site is not useful at any other domain."
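The idea in the quoted passage, as an added illustration that is not the Stanford authors' code and does not reproduce PwdHash's actual algorithm: the password keys a PRF (HMAC-SHA256 is assumed here) and the site's domain is the message, so the value a look-alike domain receives differs from the one the real site gets. The reduction of a host name to its last two labels and the 16-character truncation are simplifications assumed for this example; a real tool needs a public suffix list for names such as `example.co.uk`.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the domain name that keys the hash.

    Assumption for this example: keep the last two host labels
    ('www.ebay.com' -> 'ebay.com'). urlsplit() lower-cases the host and
    drops any port, so the same site reached over http/https or a
    different port maps to the same domain.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def pwdhash(password: str, url: str, length: int = 16) -> str:
    """Derive the site-specific password that is sent instead of pwd.

    PRF keyed by the password (HMAC-SHA256, an assumption of this
    example) applied to the site domain. The digest is base64-encoded so
    it fits a normal password field and truncated to `length` characters.
    """
    domain = site_domain(url)
    digest = hmac.new(password.encode("utf-8"),
                      domain.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]


def derived_passwords(password: str, urls: list) -> dict:
    """Map each URL to the derived password, to show how they differ."""
    return {url: pwdhash(password, url) for url in urls}


if __name__ == "__main__":
    # Constructed sample: one reused password, the real site under two
    # URLs, and a look-alike phishing domain (placeholder name).
    sample_urls = [
        "https://www.ebay.com/signin",
        "http://signin.ebay.com:8080/login",
        "https://ebay-signin.example/login",
    ]
    for url, derived in derived_passwords("hunter2", sample_urls).items():
        print(f"{url:40s} -> {derived}")
```

The first two URLs produce the same derived password because they share the registered domain; the look-alike domain produces a different one, which is all the phishing page ever sees. Because HMAC is fast, a captured derived password can still be subjected to offline guessing of the underlying password, which is the limitation the paper itself notes below, so users still need passwords that are not trivially guessable.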
Depending on the browser, a new toolbar or icon will display a green traffic light when the extension is in password-protection mode and a red light when passwords are at risk. The idea is to alert novice users to be more security conscious. However, a potential drawback is a sophisticated attack that spoofs the traffic light itself. That may be more difficult at Windows XP shops that have installed Service Pack 2, which no longer allows pop-ups to be created outside Internet Explorer's content area.
Another potential weakness is that PwdHash uses a well-known hash function, so a phishing site that captures a hashed value could launch an offline dictionary attack against it to recover the underlying password. Other limitations involve a company's security policies, which often deny the privileges needed to install PwdHash on individuals' desktops. In this case, a special Web page can generate hashed passwords for those "roaming" within an office, an airport, an Internet café or even a residence.
The authors emphasized that PwdHash won't help against keyloggers and other insidious spyware already implanted in a PC. Future research will involve placing a mechanism in the OS kernel or a protected Virtual Machine to embed hashed versions of passwords directly into outgoing HTTP requests.
Thus far, five user studies have yielded promising results. In each case, users were presented a fake eBay site and took the bait. But the phishing page could not read their eBay passwords when PwdHash was engaged. Most of the gullible were unaware anything was even amiss.
The extension and source code are available at the PwdHash site.