lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Mar 2014 19:08:54 +0000
From: Peter Maxwell <>
To: "" <>
Subject: Re: [PHC] New password hashing entry: PolyPassHash

On 25 March 2014 17:44, Justin Cappos <> wrote:

>>> Yes.  However, we can split this into two categories:
>> i. The situation whereby the attacker gains full access to memory and the
>> password database and takes the lot, in one go.  This isn't any good for
>> monitoring plaintext passwords as they are entered because there isn't a
>> persistent access.
>> ii. The attacker gains full and persistent access.  The exposure of
>> plaintext passwords will depend on length of compromise and the frequency
>> upon which users sign-in, i.e. it would be much worse, say, in a company's
>> internal network than your average web service.
>> For the most part, we're considering i.  Because with ii. it doesn't
>> matter how good the PHC winner is, the attacker has won anyway.
> Well, why assume memory is necessarily compromised for (i)?   Evidence
> shows this is usually not the case: (
>   [ Full
> disclosure, the second study was done by a student of mine.  ]

​I'm not saying it happens in every single attack, or even in most, what
I'm saying is in the event of memory being compromised you have two
potential scenarios.

What I'm really querying is whether your algorithm provides any significant
advantages over using a simple secret key in memory.​

>  So, for i., your scheme is security equivalent to the scheme of storing
>> a simple master key in memory.  Personally, I see measures of storing a
>> secret key in memory as part of a defense-in-depth approach as I'm
>> certainly not going to place all my bets on an attacker not compromising
>> memory -- the password hashes, in my view, must themselves provide adequate
>> security even when that secret key is compromised.
> Sure, but if memory is compromised with PolyPassHash, the attacker only
> gets the salted secure hash of passwords.   So, in the worst case you end
> up with security equivalent to the best case today.

​And similarly with most schemes that use a secret master key: the attacker
still must brute-force the password hashes.  The only difference is they
cannot even attempt to without the secret master key.​

> Thanks for all of the feedback by the way.   I was hoping this submission
> would be a bit of a curveball and generate some discussion / thought.
​Yeah, no worries - I like your idea, I'm just not sure how widely
applicable it is.​

Content of type "text/html" skipped

Powered by blists - more mailing lists