lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 24 Mar 2014 17:34:42 -0400
From: Justin Cappos <>
Cc: santiago torres <>
Subject: New password hashing entry: PolyPassHash

I would like to solicit the community's feedback about an submission to the
PHC called PolyPassHash.

This scheme is different than most PHC entries in that it uses a
threshold-based storage technique to prevent passwords from being
individually cracked.   To validate a password, one must recover a share in
a Shamir Secret Store, which necessitates knowing a threshold of correct
passwords.   (There are extensions to allow passwords to be securely
validated by a server upon setup and also to support accounts that do not
count toward the threshold.)

PolyPassHash gives an exponential increase in the search space an attacker
needs to explore while only increasing the server's time by a small linear
factor.   If you take the three passwords that are composed of six random
characters each and protect them with PolyPassHash, to search the key space
would take every computer on the planet working together longer than the
universe is estimated to have existed.   PolyPassHash is about as efficient
in terms of memory, disk, and CPU time as existing salted secure hash
techniques.   In fact, PolyPassHash is orthogonal to the secure hashing
technique and should integrate with (any?) other submission.

More information about the scheme (including both technical documentation
and information for a more general audience) is available at:

There is also a Python implementation available in that repository and a
link to the C implementation (by Santiago Torres) which will be submitted
to the contest.

I welcome any comments or feedback.


Content of type "text/html" skipped

Powered by blists - more mailing lists