"Researchers at New York University have devised a new scheme called PolyPassHash
for storing password hash data so that passwords cannot be individually
cracked by an attacker. Instead of a password hash being stored
directly in the database, the information is used to encode a share in a
Shamir Secret Store (technical details PDF).
This means that a password cannot be validated without recovering a
threshold of shares, thus an attacker must crack groups of passwords
together. The solution is fast, easy to implement (with C and Python
implementations available), requires no changes to clients, and makes a
huge difference in practice.
To put the security difference into
perspective, three random 6 character passwords that are stored using
standard salted secure hashes can be cracked by a laptop in an hour.
With a PolyPassHash store, it would take every computer on the planet
longer to crack these passwords than the universe is estimated to exist.
With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."
No comments:
Post a Comment