Blockchain-based protocol eliminates password breaches

821
Blockchain-based protocol eliminates password breaches

A non-profit foundation named Tide has created a protocol that practically eliminates brute-force password breaches.

Tide views their organization as a “not-for-profit, community-driven foundation creating a new global personal data economy”. 

As such, its primary focus is to develop “an overarching technology infrastructure that aims to give control of personal data back to the consumer.”

Password splintering

In an effort to vastly improve password protection, Tide’s Delegated Automated Trustee node technology “splinters” the encrypted password before distributing the pieces across a decentralized blockchain.

A password must be splintered among at least 20 nodes, with each network node being allocated a splinter. 

Fortunately, passwords can be recovered even if one or more network nodes go offline.

This splintering vastly complicates a hacker’s ability to crack even a single password, as only the node can decrypt and assemble the splinter.

Tide’s hacking challenge

This spring, Tide challenged hackers to break a single username/password combination in exchange for one bitcoin. The hackers failed despite more than 6 million attempts. 

Additional splintering tests were conducted by Tide to determine its full protective effect. 

Using a database of credentials harvested from a past LinkedIn breach, splintering prevented a successful “dictionary attack”  99.99928% of the time (even though such attacks are almost always successful). 

Tide's hacking challenge

Tide’s goals

Tide’s focus on password protection appears to be part of a larger goal, one that is related to personal data privacy and control.

“The Tide Protocol is intended to be a global standard to power a sustainable personal data ecosystem,” states co-founder Dominique Valladolid.

“It will help organizations maintain privacy compliance, mitigate risks posed from data breaches and improve their trust with consumers to do better business.

“It enables data seekers to access permissioned, highly-relevant and motivated audiences. Most importantly, it puts consumers in control of their data, who has access to it and why, and — if they agree to trade it — share in its monetization.”

Though not yet commercially available, “The splintering technology can be easily used in an almost identical manner to any of the existing OAuth2 authentication schemes and be integrated into any existing organization.”

Thus, businesses will be able to seamlessly integrate Tide’s password authentication protocol into their website. 

Documentation about the technology can be found on GitHub. According to Tide, this protective protocol will be released as open-source code and distributed for free.

Missing the point?

While not denying Tide’s protection against brute force attacks, security analysts note that accounts are typically compromised in less sophisticated ways.

For instance, the Capital One breach was predicated on generating temporary API tokens rather than passwords.

Likewise, Equifax was famously breached by a web application that hadn’t installed a security patch. 

Although Tide welcomes the attention, its new password protocol is merely part of a larger strategy to introduce a personal data economy.

“We believe personal data is everyone’s business and that (it) can ultimately make privacy profitable” notes Valladolid.