Announcing PureKit, a New SDK for Protecting Passwords and Sensitive Data in Storage

Rebecca YarbroughMarch 18th, 2019

Virgil Security is proud to announce PureKit, a developer tool for protecting passwords and sensitive data like PII stored in a database.

Pure stands for “Password and User Records Encryption” and is based on the PHE service (Password-Hardened Encryption). PureKit replaces password hashing with a more advanced solution that prevents brute-force attacks on passwords and sensitive data stored in the database, and allows developers to instantly render a stolen database useless without any inconvenience to the end users. The Virgil Security PureKit SDK makes implementing PHE’s advanced cryptography possible to the average developer and is also available through a free WordPress plugin.

Passwords are the weakest link

Death, taxes, and passwords. Despite their vulnerability to brute-force attacks, passwords are not going anywhere anytime soon. But according to the 10th edition of the Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged stolen and/or weak passwords.

Why? Many sites are still storing their user passwords in plaintext, which is unethical and negligent. And it’s not just the little guys. Some of the world’s largest sites are on this Plaintext Offenders list of sites that have not implemented even the simplest password security mechanism.

Hashing your passwords? They can be cracked with a simple dictionary attack in hours. Adding a salt? Fine, a brute force attack can take up to a week or two. For valuable data that can be sold on the dark web like healthcare records, it’s worth the effort.

But companies are on the hook if their databases are breached, especially if they’re operating in a regulated industry like healthcare and financial services. If user passwords aren’t going away anytime soon and the existing protections available to developers aren’t enough to protect those password records, that creates a problem.

How do hackers currently break into systems using passwords as the point of easiest entry? There are two common ways.

In the first scenario, the hacker attempts to log in to user accounts posing as that user, either after launching a dictionary attack to guess users’ passwords (which isn’t difficult when the most commonly used passwords are literally “123456” and “password”) or obtaining them elsewhere. In fact, in 2012 credentials for over 60 million Dropbox accounts were stolen because a Dropbox employee reused a password that had been used on another site that was breached. With Virgil PureKit, these dictionary attacks are not possible. Further, the crypto server functions as a rate-limiter, so illegitimate attempts to log into a user’s account will be blocked.

In the second scenario, an attacker penetrates a database with the decryption key stored in the database, downloads the database and decrypts it offline.

Virgil PureKit prevents both of these scenarios from being possible.

How does it work?

Hackers will now have to break into two different infrastructures simultaneously. Further, the setup allows seamless private keys & database records rotation on a regular basis or in case of data breach. Most significantly, users will not need to update their passwords even if there is a breach.

Having two parties protect user data makes it extremely difficult for hackers to gain access to it, as explained by the whitepaper authors, “With the help of an external crypto server, a service provider can recover the user data encrypted by PHE only when an end user supplies a correct password. PHE inherits the security features of password-hardening (Usenix Security ’15), adding protection for the user data. In particular, the crypto server does not learn any information about any user data. More importantly, both the crypto server and the service provider can rotate their secret keys, a proactive security mechanism mandated by the Payment Card Industry Data Security Standard (PCI DSS).”

Who should use it?

The PureKit SDK can be used with any password-based authentication scheme. WordPress site managers can use our free WordPress plugin for password protection (but not PII yet), and Virgil will be releasing easy-to-use tools for Passport.js and other common authentication systems soon.

Developers collecting and storing sensitive information can use PureKit to protect this data – and themselves – while complying with regulations like HIPAA, GDPR, and PCI DSS.

Security technology is always evolving, and yesterday’s practice salting and hashing or storing the key in your database is no longer acceptable. Developers now have access to better, stronger technology like PureKit that can better prevent data breaches.

Virgil Security believes data protection should be built on end-to-end principles. Modern technologies and new protocols like PHE allow us to build solutions for developers that protect their sensitive data from unauthorized access without requiring them to trust us in any way.

Just like we did for encrypted communication, Virgil Security has applied cryptographic principles to the protection of passwords. What used to be the weakest chain in a system is now the strongest.

Get Started

Want to see how it works? Sign up for a free Virgil Security account and then create a Pure app in the Virgil Dashboard. Learn more in the PureKit documentation here

PureKit is free during the initial release.

Passw0rd, the free, CLI tool will continue to be available, but does not come with service guarantees and is not recommended for production apps.

Join our Slack community to connect with the Virgil Security development team and learn more.

Virgil Security, Inc. builds developer toolkits that solve business problems by encrypting data and therefore lessening legal and compliance liability. Teams can secure their application data with end-to-end encryption, manage devices across a network, and secure passwords and PII in the database using Virgil’s suite of open source SDKs. To learn more, visit