Message-ID: <CAMVss_oNC84eNy7QaF2NqFLHyZKKQrxYSiFnioTJVt82Husx3g@mail.gmail.com>
Date: Fri, 13 Mar 2015 08:43:34 -0400
From: Justin Cappos <jcappos@....edu>
To: discussions <discussions@...sword-hashing.net>
Cc: polypasswordhasher-dev <polypasswordhasher-dev@...glegroups.com>
Subject: Re: [PHC] Re: [SPAM] [PHC] Password hashing by itself is not enough

On Fri, Mar 13, 2015 at 12:41 AM, Jeremy Spilman <jeremy@...link.co> wrote:
> On Thu, 12 Mar 2015 21:19:00 -0700, Bill Cox <waywardgeek@...il.com>
> wrote:
>
> If the recent 10-million-combos.zip file that was posted with 10 million
> user/password combinations is representative of user behavior, then a 5
> million entry dictionary will contain over half of all users' passwords.
> The first half of this file has over half of the passwords repeated in the
> second half.
>
>
> Hashing defense is latency cost multiplied by password complexity. You
> need both the latency to be high on adversary hardware, and the password
> complexity to be high, before you can defend against a targeted offline
> attack.
>
That's an assumption that many people make, but it isn't actually true if
you interrelate password hashes so they need to be checked together (as we
did in the PolyPasswordHasher scheme). Multiple passwords protect a secret
that obscures all of the hashes. This makes it so that groups of passwords
must be checked together and all must be correct to learn if any were
correct. By forcing an attacker to guess many passwords simultaneously,
even if you have an attacker that knows a list of all passwords, but
doesn't know the distribution, the time to crack passwords is substantial.
(Note: I'm assuming the ICB technique from the paper is turned off for
this discussion / analysis.)

For example, suppose you create a password database with all of the RockYou
passwords. Also, suppose a strong attacker model where the attacker knows
the exact set of chosen passwords, but doesn't know which user chose each
password. Thus, they know the password 'letmein' appears thousands of
times, but they do not know for which accounts. Even with this it will
take millions of years of CPU time to guess a correct set of 5 passwords,
since they must simultaneously guess all passwords correctly before knowing
if any are right or wrong.

Thanks,
Justin
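
An added illustration, not part of the original message and not PolyPasswordHasher's own code: a toy threshold store in which each stored value is a secret share blinded by the account's salted password hash, so a guess can only be confirmed when K passwords are right at once. The prime field, additive blinding, K = 3, the PBKDF2 parameters, all function names and the sample passwords are assumptions made for this sketch.

```python
import hashlib, secrets

P = 2**127 - 1  # prime modulus for the toy Shamir field (assumption)
K = 3           # passwords that must be right together (assumption)

def pw_hash(salt, pw):
    # Salted, stretched hash reduced into the field.
    d = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 1000)
    return int.from_bytes(d, "big") % P

def digest(secret):
    # Stored check value: lets a verifier recognise the right secret.
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def build_db(passwords):
    coeffs = [secrets.randbelow(P) for _ in range(K)]  # coeffs[0] = secret
    db = []
    for x, pw in enumerate(passwords, start=1):
        salt = secrets.token_bytes(16)
        share = sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
        # Only the blinded share is stored; no per-account hash exists.
        db.append((x, salt, (share + pw_hash(salt, pw)) % P))
    return db, digest(coeffs[0])

def recover(points):
    # Lagrange interpolation at 0 over GF(P).
    secret = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def check_guess(db, check, guesses):
    # guesses maps account index -> candidate password.
    pts = [(x, (blinded - pw_hash(salt, guesses[x])) % P)
           for x, salt, blinded in db if x in guesses]
    if len(pts) < K:
        return False  # fewer than K guesses cannot be tested at all
    return digest(recover(pts)) == check

# Constructed sample passwords, not taken from any real data set.
SAMPLE = ["letmein", "123456", "password", "iloveyou", "letmein"]
```

A guess with two correct passwords and one wrong one is rejected exactly like a guess with none correct, which is what removes the per-account oracle that independent hashes provide.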