Open Source and information security mailing list archives
 
Message-ID: <20141202210604.GH3257@LykOS.nyu.edu>
Date: Tue, 2 Dec 2014 16:06:08 -0500
From: Santiago Torres <torresariass@...il.com>
To: discussions@...sword-hashing.net
Cc: submissions@...sword-hashing.net
Subject: New version of PolyPasswordHasher (PolyPassHash).

Hello everyone,

We are submitting an updated version of PolyPassHash (we now call it
PolyPasswordHasher). In this new version, we changed terminology to
better convey the meaning of some concepts (e.g., thresholdless accounts
are now called shielded accounts). We also added some features to the
algorithm based on the feedback we got in the mailing list some months
ago:

    1) We added alarm code to notify the administrators of a collision
    in the partial bytes field (now called isolated validation field).
    If an attacker is able to find a collision and the server has
    finished unlocking (we call this bootstrapping now), the complete
    hash might mismatch (if the password is incorrect) and the admin
    is notified that an attacker has almost certainly stolen the database.

    2) We increased the time for an operation which is more frequently
    performed by the attacker than the server.  The bottleneck in offline
    cracking is in verifying that secret recombination was successful.  The
    attacker performs this operation for every set of protector (threshold)
    account guesses.  However, this operation only needs to be performed once
    by a server (when transitioning to normal operation).  To increase the
    resistance to offline cracking, we use many iterations of the secret
    integrity check to increase the time this operation takes. Since this hash
    needs to be calculated each time an attacker wants to verify a guess and
    the server only runs this once after reboot, this dramatically increases
    the attacker's effort without impacting server performance.

    3) Similarly, to better address concerns on the partial validation field
    (see the PPH is broken thread), we added key stretching to our default
    implementation.  While this cost requires the same factor of effort from an
    attacker and the server, this is a cost that only affects the server during
    bootstrapping.  Thus a server only incurs this cost some of the time.


We appreciate the feedback from the community on our previous submission.
We welcome comments and insight on this new version.

Thanks!
-Santiago.

Download attachment "polypasshash-v1.tar.gz" of type "application/octet-stream" (1971273 bytes)
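
The alarm described in item 1 of the message above, as an added sketch that is not part of the original post and is not PolyPasswordHasher's own code. Assumptions: SHA-256 salted hashes, a 2-byte isolated validation field, HMAC under the secret as a stand-in for the secret-keyed protection of the stored hash, and hypothetical function names throughout.

```python
import hashlib
import hmac
import os

IVF_LEN = 2  # assumed size of the isolated validation field, in bytes


def salted_hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()


def make_entry(secret, password):
    """Build a stored record: protected hash plus the clear-text IVF bytes."""
    salt = os.urandom(16)
    h = salted_hash(salt, password)
    return {"salt": salt,
            # stand-in (assumption) for protecting the hash under the secret
            "protected": hmac.new(secret, h, hashlib.sha256).digest(),
            "ivf": h[-IVF_LEN:]}


def check_login(entry, password, secret=None, alarm=None):
    """secret=None models bootstrapping: only the IVF can be checked.
    After bootstrapping, an IVF match with a full-hash mismatch fires alarm()."""
    h = salted_hash(entry["salt"], password)
    ivf_ok = hmac.compare_digest(h[-IVF_LEN:], entry["ivf"])
    if secret is None:
        return ivf_ok
    tag = hmac.new(secret, h, hashlib.sha256).digest()
    full_ok = hmac.compare_digest(tag, entry["protected"])
    if ivf_ok and not full_ok and alarm is not None:
        alarm()  # wrong password that still matches the IVF: likely DB theft
    return full_ok


def colliding_test_password(entry, real_password):
    """Constructed test input: a wrong password whose IVF bytes match."""
    i = 0
    while True:
        guess = f"guess-{i}"
        if guess != real_password and \
                salted_hash(entry["salt"], guess)[-IVF_LEN:] == entry["ivf"]:
            return guess
        i += 1


if __name__ == "__main__":
    secret = os.urandom(32)
    entry = make_entry(secret, "correct horse")
    bad = colliding_test_password(entry, "correct horse")
    print(check_login(entry, bad))  # accepted while bootstrapping
    print(check_login(entry, bad, secret, alarm=lambda: print("ALARM")))
```

An ordinary mistyped password matches the 2-byte field only about once in 65,536 attempts, so the alarm condition is rare in normal use.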
