Those smart folks in the security research group at the University of Cambridge Computer Laboratory have developed a hardware device which promises to protect you from password leaks.
That's a big promise, so does it stack up?
Cambridge University's Dan Cvrček explains on his blog that the device works by storing a secret key in the hardware, a key that never leaves the device.
This key is used to harden the passwords stored in the database by applying HMAC (SHA1) to them with that key. The prototype currently runs on a Raspberry Pi and is accessed through a RESTful interface.
One problem is that throughput is currently quite limited, so a single dongle can only support around 10,000 users, but clustering the devices will improve throughput.
The theory is that as long as the secret key stays secret, the database is more secure, and this holds as long as nobody gets physical access to the dongle. Not an unfair requirement.
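A small model of the scheme described above, as an added example that is not the Cambridge project's own code: the dongle class stands in for the hardware (its real REST API is not on the page), the per-user salt and the PBKDF2 pre-hash are my assumptions, and the keyed HMAC-SHA1 step is the part the post describes.

```python
import hashlib
import hmac
import os


class ScrambleDongle:
    """Model of the hardware device: it holds a secret key that never leaves it
    and only ever returns HMAC-SHA1 outputs. The real device's interface is not
    on the page; this class is an assumption."""

    def __init__(self, key: bytes):
        self.__key = key  # no method ever returns this value

    def scramble(self, data: bytes) -> bytes:
        # The post states the device applies HMAC-SHA1 keyed with its internal secret.
        return hmac.new(self.__key, data, hashlib.sha1).digest()


class PasswordStore:
    """Server side. Stores a per-user salt and the dongle-scrambled digest; the
    salt and the local PBKDF2 pre-hash are assumptions, not the page's design."""

    def __init__(self, dongle: ScrambleDongle):
        self.dongle = dongle
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def _prehash(self, password: str, salt: bytes) -> bytes:
        # Slow, salted hash computed on the server before the dongle step.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self.dongle.scramble(self._prehash(password, salt)))

    def verify(self, user: str, password: str) -> bool:
        # A login check needs the dongle too: without the key nothing can be recomputed.
        if user not in self.records:
            return False
        salt, stored = self.records[user]
        candidate = self.dongle.scramble(self._prehash(password, salt))
        return hmac.compare_digest(stored, candidate)


def leaked_database_is_inert(store: PasswordStore, user: str, password: str) -> bool:
    """Someone holding only a copy of the database can redo the server-side
    pre-hash but not the keyed step. Returns True when the stored value does not
    match what can be computed for a known password without the dongle."""
    salt, stored = store.records[user]
    keyless = hashlib.sha1(store._prehash(password, salt)).digest()
    return not hmac.compare_digest(stored, keyless)
```

Pointing the same records at a store backed by a dongle with a different key makes every verification fail, which is the property the post relies on.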
A weakness of the system is that a known password can be used to work out what HMAC was applied to all the passwords. How do you obtain a known password? Simply create yourself an account on the system.
This system isn't a panacea, but it at least adds another level of inconvenience for the determined hacker.