Password Protect™ is a secure password storage and authentication appliance that stops the theft of password databases from bulk storage. The hardware appliance replaces conventional software authentication repositories which are vulnerable to remote attacks by hackers.
Passwords can be stored against a user name and tested against a user name, but you can never read out the password associated with a user name. At least that is our claim!
The hardware architecture is a radical departure from conventional identity storage solutions and would have prevented the eBay, LinkedIn, Kickstarter and many other bulk password thefts - dead!
The Password Protect challenge is an open beta that is intended to exercise the technology and to validate our claims that credentials cannot be stolen from the appliance.
The challenge is not about breaking encryption because there isn't any to break. It is about stealing plain text usernames and passwords. How hard can that be, right?
If you would like to test Password Protect under our closed Beta programme then please contact us.
The challenge arena comprises a number of authentication appliances behind a server load balancer. The appliances can be accessed directly or via this challenge website.
Using the challenge website you can easily explore the capabilities of Password Protect without having to write any code. You can perform common operations such as logging in, registering an account or changing a password. A 'raw mode' is provided which allows you to send bespoke commands or launch attacks from your web browser.
Alternatively you can perform penetration testing on Password Protect directly by writing your own connection scripts that open sockets and send TCP packets to the server. See the developer page for sample PHP and Python code.
In a real deployment the Password Protect appliance will not be "naked on the Internet" as it is in this challenge. We have stripped out the cryptographic protection and stripped out IP filtering. We have not hooked up denial of service protection because that is not the point of the challenge. We take denial of service as an admission of defeat and will publicise it as such.
* Terms and conditions apply.