The recent unraveling of the NSA snooping saga continues to shock the public, but also makes most security experts smirk. “Of course there is nothing private on the Web.” The issue of a government having access to private and specifically, encrypted information makes a lot of people uncomfortable. Having your house burglarized leaves a feeling of insecurity and vulnerability. Having your digital property “burglarized” is also an unpleasant experience. We trust that our homes are protected by locks and sophisticated alarm systems, while we also want our email, ecommerce and business accounts to be protected by equally sufficient security. Most websites encrypt user passwords and that was good enough for a long time. If we were all using computers with Intel 80286 processors, maybe that would still be the case. But having computers with faster and faster processors, cracking encryption is only a matter of time. In 2009 Colin Percival (PDF) estimated that an 8-bit character bcrypt password composed of only letters could be cracked for about $4 in hardware costs and it would take about a year. To crack the same password in one day the hardware cost would be approximately $1500. Using a longer password with special characters would increase hardware costs by an exponential factor. Yet last year, a security researcher showed that it is possible to process 348 billion NT LAN Manager password hashes every second by using five 4U servers with 25 AMD Radeon-powered GPUs. The system can break a 14 character Windows XP password in six minutes. Using this technique, they cracked 95% of the leaked 6.4 Linkedin password hashes.
Our SafeLogin product was conceived with this problem in mind. From the very start we wanted to safeguard our online and computer accounts with a system that would not disclose our password even if encryption was compromised. Also, graphic passwords are not shareable, as they don’t disclose the visual information, even if the encrypted information is hacked. NSA or other interested parties cannot reuse a password that does not contain alphanumeric characters. SafeLogin is, well, safe.
