Sunday, August 27, 2006
Make your password safe on the Internet
security
Seeking to stem the proliferation of phishing scams, researchers at Stanford University have developed a simple tool to prevent a stolen password from being used to access an authentic site.
Phishing is a form of criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. More on Wikipedia...
"Most Internet users often use the same password at many sites," says Dan Boneh, an associate professor of computer science at Stanford. "A phishing attack on one site will expose their passwords at many other sites."
The Anti-Phishing Working Group identified nearly 12,000 malicious phishing sites in May 2006, up from 3,300 sites just one year earlier.
The technique, known as Password Hash, simply consists of adding "@@" at the beginning of your password to tell the software that you are typing a password. The software then does its job: it uses cryptography to combine your password with the site's domain name. The password actually sent to the website is therefore not the one you typed, and if a phishing site steals it, it won't work on the authentic website.
Adding a cryptographic hash is not a new idea, but the novel part of the researchers' work was to make it so easy for end users (us) to apply. Indeed, one can find PwdHash as an add-on for Firefox, or as a plugin for Internet Explorer 6. The official website is here.
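The idea described above, as an added sketch that is not PwdHash's own code: the typed password keys an HMAC over the site's domain, so a look-alike domain receives a value that is useless on the real site. HMAC-SHA256, the base64 encoding, the 16-character length, the "last two labels" domain rule and the sample URLs are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

PREFIX = "@@"  # marker the post describes for "I am typing a password"


def site_domain(url: str) -> str:
    """Domain the password is bound to (assumed rule: last two host labels).

    A real tool needs a public-suffix list for names like example.co.uk.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        ipaddress.ip_address(host)
        return host  # IP literal: bind to the whole address
    except ValueError:
        return ".".join(host.split(".")[-2:])


def site_password(typed: str, url: str, length: int = 16) -> str:
    """Return the string actually submitted to the site at `url`."""
    if not typed.startswith(PREFIX):
        return typed  # not marked as a password: passed through unchanged
    secret = typed[len(PREFIX):].encode("utf-8")
    if not secret:
        raise ValueError("empty password after prefix")
    # Key = what the user typed, message = the site's domain.
    mac = hmac.new(secret, site_domain(url).encode("utf-8"), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode("ascii")[:length]


def demo() -> dict:
    typed = "@@correct horse"  # constructed sample input
    urls = {  # constructed sample URLs
        "real": "https://www.example.com/login",
        "real_subdomain": "https://accounts.example.com/signin",
        "lookalike": "https://www.example.com.login-check.test/login",
    }
    return {name: site_password(typed, url) for name, url in urls.items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The two example.com URLs yield the same site password, while the look-alike host yields a different one, so what a phishing page captures does not log in at the real site.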
Source: ComputerWorld, last week.