NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible

An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."

Hmm

[war4peace]

Maybe I should look at this implementation for my upcoming MMO, which will likely go live somewhere in 2030 :)

Re:Hmm

[davester666]

don't bother. by then we will have been conditioned to believe that we should have no privacy, so everything is available to everyone.

as well, implementing this will reduce profits by more than a nickle, therefore it isn't cost effective.

Re:Hmm

[osu-neko]

Maybe I should look at this implementation for my upcoming MMO, which will likely go live somewhere in 2030 :)

But getting three random passwords for an MMO is easy. Just send out three emails to users claiming they've been caught selling gold...

WTF?

[JMZero]

To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password. And it didn't take all the computers in the universe forever to do so.

Maybe this is a great system, but the hyperbole in the summary is ridiculous.

Re:WTF?

[pastafazou]

Posit: An infinite number of monkeys on an infinite number of keyboards will eventually crack all your passwords.

Re:WTF?

[CastIronStove]

Instantly, since all possible combinations will occur simultaneously.

Re:WTF?

[Geoffrey.landis]

To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password.

No, as I understand it from the article, you can't tell if a single user password is correct, because you don't have a measure for "correct"-- all that you check whether that password points to the same place (in a multidimensional phase space) that other passwords project to. (It does seems to only work is you can assuming that all, or at least "most," of the other passwords people enter are correct).

Re:WTF?

This article is a bit strange. The security seems to be from the hash side, not the password side. Can still brute force / exploit with password guessing, but can't guess the password from the has.

I'm just trying to garner from the summary if a "threshold of shares" is required to be met to authenticate on the system.

Re:WTF?

[g0bshiTe]

I call it, "Monkey Improbability Hacking".

I'll lease it to you for the low low price of .0000024 btc

Re:WTF?

Monkey-bias might prevent an instant crack. Monkey input might be biased - as a function of their neural network connections - towards, say bananas.

Re:WTF?

[Chris+Mattern]

So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords).

No, it doesn't work that way; that's the whole point. If you have the hash and are trying to compare against it, you can't just try all the possible passwords because if haven't cracked the other passwords you don't know how to produce the hash that corresponds to a given password. If you're just trying passwords at a login prompt, brute force is trivial to defeat (best method will most likely be simply imposing an increasing login delay with each wrong attempt).

Re:WTF?

[Rhaban]

To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password.

No, as I understand it from the article, you can't tell if a single user password is correct, because you don't have a measure for "correct"-- all that you check whether that password points to the same place (in a multidimensional phase space) that other passwords project to. (It does seems to only work is you can assuming that all, or at least "most," of the other passwords people enter are correct).

So... how do you know if a user can log in? You have to wait until a bunch of users want to log in simultaneously?

Re:WTF?

[parallel_prankster]

Yes, did you RTFA? They specifically mention that this step is needed everytime the system boots. They have also provided some ideas on how to achieve this automatically.

Re:WTF?

[Sqr(twg)]

The point here is that you cannot test a single password. You must test, say three, at a time. (So you'd have to try all combinations of 18 characters in this case.)

The downside of the method is that after a server reboot you will have to wait for three trusted people to log in before you can authenticate any of them (unless you also have a weaker system to use for the first few logins.)

Re:WTF?

Wouldn't an infinite number of monkeys on an infinite keyboards INSTANTLY crack all of your passwords? Or at least as long as it takes them to type the keyboard? Since among the infinite number of them, one of them has to have the correct password.

Re:WTF?

[JMZero]

Yeah - I was wrong. I had assumed that the system would need to be able to log in a single user based on their password (crazy me!) and that was incorrect.

Re:WTF?

[khasim]

More like you have the hashes for all the passwords (you downloaded it when you cracked their server).

And you have ONE password that you created on their system. So you have a password and a hash for that password. From which you can probably deduce the "salt" used.

But you cannot get the passwords from the other hashes because they each use a different "salt".

The problem is that the "salt" for each password is calculated by that machine based upon "special" accounts providing correct passwords that provide the information needed to generate the line that is used instead of a traditional "salt".

Which means that those "special" accounts are now ONE SET of keys to cracking that entire system. And they have to be secured.

And I'm still not convinced that, given enough passwords, their system does not fail anyway. And password re-use is a major problem with users and their passwords.

Re:WTF?

[donaldm]

Actually if a cracker wanted to get a user's password all they need to do is contact the target in a so called official manner stating that they think that their account has been compromised and they need their password to check. Surprisingly many people would actually fall for this so a cracker would prefer to use social engineering to get a password rather than try the brute force method which would normally raise alarm bells with System Administrators. Of course this assumes that the System Administrators of a targeted machine have some level of competence and integrity.

Actually brute force cracking is the stuff of Hollywood movies since most operating systems have a policy that is set to 3 or 4 strikes and the account is locked. Although I have seen sites were this was not enforced. Of course there are ways of restricting access even further such as one time passwords but the problem of security is still the weakest link in the chain and that is the user.

Maybe this is a great system, but the hyperbole in the summary is ridiculous.

Could not agree more.

Re:WTF?

What is to stop an infinite number of monkeys from all typing the same thing?

Re:WTF?

Even if all of them typed the same thing the rest of them would type the other combinations.

Re:WTF?

[Connie_Lingus]

they already have...an infinite numbers of times.

Re:WTF?

[Bengie]

and needs to do so reasonably efficiently

If you're using bcrypt or some other stretcher, the last thing you're thinking about is efficiency. The whole point of a stretcher is to be inefficient.

Re:WTF?

you're my hero.

Re:WTF?

but none of them could type it instantly.

Re:WTF?

Nope, it takes a linear time relative to password length if the keyboards don't have an infinite number of keys. If the password length is 12 characters, no monkey has cracked the password before at least one has typed all 12. Even if every monkey has typed 11 keys, none has typed the full password yet.

Re:WTF?

[Jack9]

> The downside of the method is that after a server reboot you will have to wait for three trusted people to log in before you can authenticate any of them

Or automate 3+X system-known accounts that the system randomly logs into, as part of the bootup process?

Re:WTF?

[Kjella]

Does it come with an actual monkey? I wouldn't want to end up with an MSCE or some other poor substitute, monkeys are both cuter and put less shit on your servers. Of course both could be replaced by a very small shell script. but I need one for the head count and scripts run headless so that won't do.

Re:WTF?

[kasperd]

So... how do you know if a user can log in? You have to wait until a bunch of users want to log in simultaneously?

Exactly. The first of those users will experience the password validation taking longer than usual. How much longer depends on various parameters in the system. If some of the users gave up and closed the connection, you still have the information needed for unlocking, so you don't need all of those users to log in simultaneously. You just need enough different users trying to log in after a restart. Once the threshold is reached, that user will get logged in after having to wait at most a couple of seconds. Earlier users will get logged in at the same time if they are still waiting.

But I suspect you might be able to DoS that process by just submitting a stream of invalid passwords. They may be able to avoid that through the partial validation described in the paper, but the partial validation sounds like it leaks so much information, I would rather trust an old-school salted hash.

Re:WTF?

Bias notwithstanding, infinity might be bigger than you think. Still, no monkey can type anything "instantly" so there is a certain minimum amount of time depending on password length you'll have to wait until some monkey can type it.

Re:WTF?

[Cenan]

Hook the keyboards up in parallel and combine all the inputs to produce infinite outputs and you get instant monkey cracking. Thought now you're stuck with infinite monkeys with nothing to do.

Re:WTF?

[Cenan]

There is nothing to suggest that an infinite amount of monkeys wont produce an infinite amount of "a"s. Adding more monkeys could produce more "a"s.

Re:WTF?

[Lumpy]

Plus the monkeys smell better.

Re:WTF?

That's okay. There's more where they came from.

Re:WTF?

[Zontar+The+Mindless]

Somebody actually gets what "infinite" actually means.

Perhaps there is hope for the human race, after all.

Re:WTF?

Your criticism is invalid even before introducing some new hashing scheme.

1) You assume that the attacker knows that the password is 6 characters rather than 4 or 11 or 83 characters. The attacker has to try many different lengths and can't just focus on the 6 character ones.
2) Almost all serious systems trigger a temporary delaying lockout after multiple failures that introduces a time delay that makes the speed of brute-force attacks limited by the lockout duration rather than the speed of the attacker's CPU.

The second one doesn't apply if you have the hash file, but that's not really what you suggested.

Re:WTF?

[PRMan]

If you limit people to 3-5 guesses through the interface, then how are they going to hack it?

Re:WTF?

[PRMan]

No, because most of them would get network errors.

Re:WTF?

Right and you can keep a small # of hash bits in the database (say the las 16 of a sha256) to throw out most incorrect logins during that time. Each byte of data an attacker has decreases password security by 1.22 characters. So you just need need to add 3 characters onto your password policy for counteract the effect.

  But if you're facebook you don't want to just trust any account. It may be that your sysadmin accounts use the shamir share and the rest are secured by being encrypted on disk. For the share to really give you security you need a huge number of shares, or only link shares to accounts of people with verified identity and that are unlikely to give thier password to attackers or make it easy for attackers to find out.

Even if the attacker figures out enough passwords to complete the shared secret, all the passwords are still protected with your old-school salted hash.

Re:WTF?

Even if there is no hope for the human race I have it from good sources that there are plenty of monkeys to choose from.

Re:WTF?

[JerryLove]

Unfortunately: They created infinite heat from their work and basically destroyed the universe.

Re:WTF?

[JerryLove]

It is an absolute certainty that an infinite amount of monkeys would type an infinite amount of "a"s on their first keystroke. They would also type an infinite number of all other characters on their first keystroke.

There's a classic story. A building with infinite rooms has infinite people filling it and you want to add infinity more. All you do is have everyone move to the room with double their current room-number, freeing up an infinite number of odd numbered rooms. Mind you: some will have an infinitely long move ahead of them.

Re:WTF?

[JMZero]

Well, the starting point for this kind of discussion (and the reason you'd use a system like this) is "they've stolen the database and they know how the hash algorithm works". This system is to prevent you from getting passwords out from here by making them more difficult to brute force (and they can't exactly stop you from trying more passwords after you have the database).

They do this by having an effective key that isn't stored in the database and is required for authentication, but is instead reconstructed based on a number of logins (and those logins don't "work" until there's a quorum). Like my post suggested, with something like this you have to pick between "can you authenticate a user" and "can you prevent a brute force attack on short passwords". I assumed they picked the former, but they actually picked the latter - using this system you can't just authenticate a single user on a newly rebooted system.

Anyway, it's a cool thing, but I think there's practical problems.

Re:WTF?

So he created a very secure system, one that doesn't let anyone sign in by themselves.

Buddy system everyone, buddy system.

Re:WTF?

[pushing-robot]

That was a flaw with early experiments, but we've since worked it out. With our updated business model, we only provide you with one monkey and typewriter in this universe. At the same time, in each of infinite parallel universes, the parallel 'we' give the parallel 'you' a monkey and typewriter as well. Each typewriter is equipped with a lovingly crafted and painstakingly entangled transceiver to broadcast and monitor an infinity of random typing, listening and waiting for your answer to ephemerally cross its antenna.

Great news! It's statistically certain that one of the infinite monkeys has already typed the answer you seek. However, due to information propagation delays, it may take between zero and infinite time to reach your universe. Rest assured, though, it's on its way. While you wait, please enjoy your monkey. And typewriter.

Thank you for your business!

Re:WTF?

[Assmasher]

I just started reading the paper on this but I think it is more a mechanism to protect a database full of passwords from being cracked by encrypting the DB in such a way that you need to know multiple logins to in order to map the attempted login into a mathematical space (sorry for the poor description.) Basically, trying to prevent the ability to test against the stolen password database offline; meaning, you can only brute force passwords by going through the system that was able to decrypt the database, which means you can introduce all kinds of time lapses, account lockouts, et cetera.)

Then again, I may be talking out of my a**...

Re:WTF?

[JMZero]

Yes, that is the point. My point, in turn, was that you can't do what they describe while still being able to log in a single user.

The surprising resolution to this little dilemma (as discussed in other posts) is that they can't log in a single user (they need kind of a quorum of login attempts before a newly rebooted server can actually log someone in). This wasn't what I expected, so my first post there is kind of misleading (because I was, in turn, mislead by the summary).

Re:WTF?

[Karganeth]

Not instantly. Monkeys don't type infinitely fast. It would still take time for each monkey's key press.

Re:WTF?

There is nothing to suggest that an infinite amount of monkeys wont produce an infinite amount of "a"s. Adding more monkeys could produce more "a"s.

The closest representation of an infinite amount of monkeys with typewriters would be the internet.
So far it have not produced an infinite amount of "a"s but it has managed to type most of the passwords that exists.

Re:WTF?

but the partial validation sounds like it leaks so much information, I would rather trust an old-school salted hash.

An old-school salted hash == partial verification for the whole entry. So the old-school solution is strictly worse than this.

Re:WTF?

[Smurf]

Yes, did you RTFA? They specifically mention (...)

You must be new here.

Re:WTF?

[Cenan]

Well, to be fair, most of the passwords that exist are all variants of 12345. Also, several and very many is not infinite. The amount of work put into the Internet might be quite large, but it is still finite.

Re:WTF?

[Lost+Race]

If every monkey just sits there typing 123456 over and over, they will only ever crack half the users' passwords.

Re:WTF?

[kasperd]

An old-school salted hash == partial verification for the whole entry. So the old-school solution is strictly worse than this.

You are right. I misunderstood that detail the first time around. The two bytes, which are leaked, are not two bytes of the password, but rather two bytes of the salted hash.

An attacker could still utilize those two bytes to perform an offline attack to reduce the length of a dictionary by a factor of 65536, followed by online attempts at logging in using this much shorter dictionary. However the article did mention how that attack can be detected by the server side.

Re:WTF?

[delt0r]

In fact there is an easier way. The attacker can just make sure he/she has k accounts on the server before stealing the password file.

I like the idea however, and its never worse than a salt/hash system.

Re:WTF?

[ghee22]

Our market research shows that our users prefer cats. Can you switch the monkeys to cats?

Re:WTF?

[lonecrow]

As far as I understand things there is a big difference between solving a hash in isolation compared to actually attempting to use the password on the system in question. So your comment would make sense only if the system in question would allow you to actual try all those other passwords on the system without locking you out. What system in the world would allow you to attempt a million logins before locking you out?

Re:WTF?

[JMZero]

Well, the starting point for this discussion a discussion like this is "the attacker has access to the hashed passwords and they understand our hashing algorithm, are they able to recover the passwords". Nobody is talking about attempting a million logins through their interface.

Rather, my comment was just stating the obvious - if you are capable of logging in a single user based on the information at rest, then an attacker can use that same test, with the same information, in a brute force attack on a short password.

Their actual solution, which I didn't realize when I wrote my first comment there, is that their system can't just validate a single user.

Re:WTF?

[lonecrow]

you can just try all possible passwords

I guess I just misunderstood this sentence.

Re:WTF?

They probably would type in the same combinations and prove after all it is done "monkey see, monkey do" is a valid statement.

Re:WTF?

There may be multiple infinite amounts of monkeys, but "all" is definite, its subset is an empty set, so it does not allow any "rest".
And nobody understands infinity, nor ever will.

bullshit

bullshit; if you can verify the password then you just copy the entire system for verification and try each variation through it . if you can't then the entire system is useless .

How many times ...

... must we reference this to prove that your passwords are still weak? http://xkcd.com/538/

Re:How many times ...

[kasperd]

The real question you should be asking is. How many times do you have to reference it before it turns true? In the real world people getting unauthorized access due to weak passwords happen a lot more often than any body getting tortured to hand out their password.

This idea is really BS

[gweihir]

This scheme fails in practice (another over-hyped idea that fails to deliver as has gotten so common these days): It requires a number n of users to log-in before any password can be checked! That is right, the first n-1 have to wait until n are there, because before n good (!) passwords are available to the server, it cannot verify even one. Unfortunately, n is also the security gain. That means if you require 10 different login-attempts before you can login anybody, you just get a factor of 10 in additional security. And then there is the little problem that an attacker that gets root-access to the running system does not suffer this slowdown, as they can just read the secret the system computes from the first n passwords from its main memory.

Whoever dreamed up this hare-brained idiocy has no experience with real systems or system security. Sane people will stay with salting and stretching, ideally with scrypt() to neutralize GPUs.

Re:This idea is really BS

This scheme fails in practice (another over-hyped idea that fails to deliver as has gotten so common these days): It requires a number n of users to log-in before any password can be checked! That is right, the first n-1 have to wait until n are there, because before n good (!) passwords are available to the server, it cannot verify even one.

You must have skipped reading TFA. The "different" logins can be administrative passwords, so that whenever a login is attempted, the user passwords is only one of multiple passwords, where the other passwords can be administrative passwords. The point is to make the password file, when stolen, be safer. If you do not have aceess to the administrative passwords, the cracking of the passwords from the stolen file gets too computationally intensive.

Re:This idea is really BS

[mstefanro]

Plus, for most websites, you can just register 10 accounts, giving you the 10 known passwords.

In any case, the treat model is that you can access all the data in the db, but not all the data in memory (as
is the case with SQL injection and most other attacks). The
memory is used to cache the first n-1 passwords. The n-th guy needs to wait only after the system crashes
and the cache data is lost.

But in such a treat model, the problem can be solved in a way simpler fashion: just store in memory a key
with which all the hashes are encrypted. Write the key down on a piece of paper. If the machine crashes,
just reload the key from the paper into the server's ram.

And this is the only threat model you can work on anyway: if you assume the attacker gets root,
then there's obviously not much security to preserve. This is why authentication should be interactive (
EKE protocols).

Re:This idea is really BS

[Copid]

It requires a number n of users to log-in before any password can be checked! That is right, the first n-1 have to wait until n are there, because before n good (!) passwords are available to the server, it cannot verify even one.

It would be interesting to know what the dynamics are of password database size vs login frequency. A lot of systems get huge numbers of login requests in very short timeframes, so it may not be a problem for them. But the flip side is that user bases that huge often have large numbers of weak passwords floating around, so the hit rate for a password cracker would be much higher. I certainly wouldn't use it for any of the piddly little systems I put together, but larger sites may have better luck (or just have a bunch of different admins log in when they reboot a server).

That means if you require 10 different login-attempts before you can login anybody, you just get a factor of 10 in additional security.

What do you mean by a factor of 10, exactly? If your threshold is 10, you don't get any feedback on whether you got a password right until you get 10 passwords right, so it's a factor of 10 in effective password "length" but substantially more than that in work time. That's potentially a pretty big win.

And then there is the little problem that an attacker that gets root-access to the running system does not suffer this slowdown, as they can just read the secret the system computes from the first n passwords from its main memory.

They note in the paper that the "root access to the server and read from memory" problem is not one that this system is designed to solve. In fact, it's really not one that any system can solve. If anybody ever solves the "letting somebody have the information without actually letting them have any information" problem, we'll know about very quickly as DRM schemes that actually work will start to appear.

Re:This idea is really BS

[RKThoadan]

While I'm not necessarily all that impressed by this, your specific criticism doesn't seem to be valid. It appears that n accounts are pre-created with null information and assigned out as needed. When those are about to get used up another n are created. There would appear to be a possible attack on a new account by creating lots of dummy accounts to have a big chunk of the password space under your control, but that seems like a pretty uncommon circumstance.

What I like about it is that it seems to protect stupid users from themselves. All the salt in the world doesn't do much for people who just use "password" for their password. It will still fall in the blink of an eye. We often seem to have the opinion that they deserve it for choosing a poor password, but it's still a compromised account.

The threat model is very limited to "attacker got the password hashes", but that is a common threat currently. If you're going to pick one, that's not a bad choice. It's biggest issue may be if tomorrows threat model is significantly different.

Re:This idea is really BS

Talk about silly requirements: if an attacker can read your secret from memory being root, you have already been hacked. You could as well replace the binary on the system with a version which dumps the raw data to a /tmp file. Or if the program is likely using dynamic libraries, replace the system library with one which logs all secrets.

Unless you want to sell us now your tested "secure-in-practice-method" to prevent a root user from being able to do what root does, please spare us the negative silliness.

Re:This idea is really BS

[tepples]

Good luck contacting the administrators every time you have to reboot any of the servers, especially if it's night in their time zone.

Re:This idea is really BS

[Hognoxious]

Get them to write their passwords on a post-it(tm) note and stick it to the server.

Do I have to do all the thinking around here?

Re:This idea is really BS

[gweihir]

That completely breaks security, as these passwords have to come from some place and are vulnerable there. Or it means that a large number of people (remember that it requires n users for a security-factor of n?) have to log-in (or rather attempt to) manually.

Sorry, but you do not understand the security and attacker models at work here at all. Sure, this thing looks like a good idea, but only as long as you ignore reality. And BTW, whenever has a server password-list stolen from a not-running server or at boot-time?

Re:This idea is really BS

[gweihir]

Indeed!

As for root on the machine: Password hashes (properly stretched and salted) protect only the users that do not log-in while the machine is rooted, but these they do protect well. As password-stealing for large password files usually gets noticed pretty soon and often before the password file is completely stolen, this does offer some level of protection.

Re:This idea is really BS

[gweihir]

It is a "threshold-scheme" any n passwords out of the whole set of passwords will do.

Re:This idea is really BS

[gweihir]

Talk about silly requirements: if an attacker can read your secret from memory being root, you have already been hacked.

On the surface you are right, but that is not the attack model. The main attack model for this scenario is to break the passwords and try them on other systems (Facebook pwd also working on google? Oops...). With properly stretched and salted passwords, the passwords stay secret even on a rooted system until the users log in.

Re:This idea is really BS

[bluefoxlucid]

Register 10 accounts, or use the most common passwords on various combinatons of account data for about 5 minutes.

Re:This idea is really BS

[mstefanro]

The latter is not feasible, because you don't need to guess passwords, you need to guess user-password pairs.

Re:This idea is really BS

[ThatAblaze]

And another thing: You are user A you enter the right password for your account, user B enters the wrong password for their account. All users in the block get an invalid password message. Extremely annoying. This system increases random frustration for the end user by quite a bit.

Re:This idea is really BS

[raynet]

Well that "root access to the server and read from memory" can be mitigated by using a HSM.

Re:This idea is really BS

[bluefoxlucid]

The latter is O(n*(m!/n)*s) or O(m!s) for n common passwords and m user accounts and s shares. You only need to show that you've found a set of accounts which seem to validate together like this.

Taking a look at the most common passwords gleaned from millions of leaked passwords, we can actually find examples where a hundred or so users have the password "123456". If your threshold is 50 shares and you have 30,000 users (i.e. the typical user count for a shaving forum for straight razor users), an attacker could just use '123456" across a subset.

The big problem here is the factorial term; however, it's probabilistic. We can take the top 10 common passwords and estimate that, say, 20% of the user base has them. If our shares (s) are 50, we can then pick 50*5 = 250 users. If we're going with 5% of the userbase using 12345, it's 50*20 (50 / 4%) = 1000, but it's essentially a binary count.

Re:This idea is really BS

[cryptizard]

A factor of 10 in average password length you mean, of which security is exponential. That's nothing to sneeze at. It does seem to be relatively pointless compared to just encrypting the password file with a key stored in the TPM or derived from an administrator password at boot time though.

Re:This idea is really BS

[mstefanro]

You have a space of `m' accounts, `n' common passwords and `s' threshold.
The first step is to find a subset of `s' people who all have easy passwords. There is no better
way than to pick all such subsets, so that gives binom(m,s).
For such a subset, you have to try all assignments of passwords. You have s
people, each of which can have one of n passwords. That's s^n tries.
The total time is binom(m,s) * s^n * C, where C is the time it takes to test if your guess is correct.

Re:This idea is really BS

[mstefanro]

My bad, it's n^s instead of s^n. I don't know where the factorial is coming from in your analysis. Or how it magically disappeared
at the end of your comment.

Re:This idea is really BS

[bluefoxlucid]

I don't carry out the math at the end. I just cite the number of accounts you need to select at random.

Re:This idea is really BS

There are now asics that can quite a bit of scrypt hases per second (350-400 kH/s) in order to mine lightcoin. It's probably just a matter of time time someone figures out how to use them against scrypt hashed passwords.

Also in this case n is an exponent in the dificulty of pulling plain text passwords from disk or database accees. N=10 increase in n gives you much, much more security in this particular case. Yes it doesn't add protection if an attacker has root access, but at that poin you're F'd no matter what you do. Plain text passwords can be interecepted even if you had a key that coudn't be probed.

Re:This idea is really BS

This is why I always use their salt-hashed username (or other unique field on the user record) as the salt for my password hash. No two hashes will have the same salt. The drawback is if they want to change their username they will have to re-enter their password (huge drawback, I know). Even if Joe T Hacker figures out the method to determine both salts, he'd have to brute-force every single record individually.

Re:This idea is really BS

[gweihir]

That is for litecoin parameters. Obviously you would make sure you have a larger memory-footprint than the *-coins out there to make these ASICS completely useless. For litecoin, the memory and iteration parameter have to be chosen so that there is a reasonable chance to reverse hashes. For passwords, there is no such requirement.

As t N=10, that only helps so much. For example, if there are 10 users that use really bad passwords, a simple dictionary attack negates the advantage completely.

Re:This idea is really BS

[gweihir]

That is too simplistic. You have a pre-processing step that needs to find 10 users with bad passwords. That preprocessing step could be a lot less effort than what you do after. And no, it is not exponential. It is quadratic at best here.

Re:This idea is really BS

To pull out the share you need to guess all of them at the same time, as the shamir share doesn't leak information about which exponents are right. Yes in a big enough userbase you might find 10 people with the password "password" but there's really no excuse for that. There are many libraries and programs that can enforce a sensible password policy.

Any Excuse? Yes.

[holophrastic]

Security isn't about safety. The vast majority of passwords are for identification, rather than security. And the ones that are for security, are for a "reasonable" amount of security. The biggest point is to make breaking it an obviously-intentional exercise -- because that can be made illegal. It's not about stopping criminals. It's about defining criminals.

So go ahead and make your twitter account password super-secure so that no one can ever hack in. And then go home to your cylinder lock, easily pickable, next to the big glass window. Then tell us how safe you are -- remembering that whether or not you keep your twitter password on a sticky note, and whether or not your desktop e-mail is accessible within your home without a password, your children and your wife, and your dog are sleeping behind not such password.

And any locksmith can break into any car, as a ten-second paid-for emergency service. And so can anyone who's watched them do it.

Stop trying to feel safe. Just feel safe. It's a lot easier, cheaper, and much more valid.

Did you leave your oven on?

Re:Any Excuse? Yes.

All the more reason to practice your second amendment rights (if you're in the USA).

Re:Any Excuse? Yes.

[holophrastic]

Oh, I very much am not.

Re:Any Excuse? Yes.

[bluefoxlucid]

Your argument is dumb.

Security is about accessibility, integrity, and confidentiality. Passwords are used to authenticate, while access control schemes are used to authorize. Authentication and authorization come together to tell you if a person is allowed to read or modify data and permissions on data. Other security systems (High-availability, etc.) help ensure accessibility--integrity as well, since destroying data makes it non-accessible.

Security is a risk management scheme. If the severity of a risk event is high, you implement security no greater than the cost of that event to manage the risk. Contingencies, mitigation, and so on. Locks are a mitigation, as they prevent people from opening doors on their way by without significant effort and additional risk. Pick-resistant locks reduce probability of attack by making it less likely that any given attack will succeed, both by sheer resistance and by requiring the attacker to develop a skill to mitigate the security features--most attackers won't have that skill, especially if it's actively non-trivial (i.e. bumping a lock is easy to learn in 3 seconds; picking an anti-pick tumbler lock can be done in 45 seconds, but requires months of practice on a variety of locks, and may require different fine motor controls on different models).

Re:Any Excuse? Yes.

What??? What does anything you just wrote have to do with the article? Who said anything about physical safety?

I hope you're not just now figuring out that online security and real world security are two different things. I also hope that you're not going to try and make a play on the words "safety" and "security"

Online security is absolutely about online safety (I feel weird having to type out "online" as to make that the point) I want to feel "secure", "safe" "comfortable" "confident" "ok" "not concerned with" "whatever you want to call it" that no one is logging in with my Twitter account credentials and then spamming the world that I have done some evil deed or whatever poison of their choosing. I used your example of Twitter, but you can replace that with banking, business, e-mail, etc... accounts.

The lock on my front door lets me feel secure. The Desert Eagle next to my bed lets me feel safe.

Re:Any Excuse? Yes.

[Leggman]

My oven's broken...so my pizza will remain frozen.

Re:Any Excuse? Yes.

[holophrastic]

Wow, you are far behind. Security is from secure. Safety is from safe. Secure refers to restricting access -- like a lock. Safe refers to not mitigating harm -- like a helmet.

But if you, for one second, believe that "online" isn't a part of the "real world", then you ought to remain anonymously cowardice, because you're an idiot. If I couldn't be harmed via my twitter account, then I wouldn't care about securing it. I secure my twitter account in order to ensure my safety. For you: I secure my online twitter account with online security in order to safeguard my real-world lifestyle.

My whole point, if you had learned how to read points like that, is that this poster (and the article mentioned) discusses increasing security beyond reasonable benefit. The improvement being made doesn't increase safety, it only increases security. Whenever increasing security doesn't increase safety, then it's a waste of time, money, and energy. It just makes money for the person selling it to you.

In your example, and it's a stellar one for me, the desert eagle lets you feel safe. For as long as you have that desert eagle by your bed, why would you need to improve your security by locking your bedroom door?

Re:Any Excuse? Yes.

[holophrastic]

Throwing a rock through a window requires zero skill, zero training, and any attacker can do it. The non-barred window doesn't resist breaking. For those homes, the purpose of the lock isn't to make the house secure. It doesn't -- there's a window right next to the locked door.

But it's easy to say that breaking a window is intentional trespassing, and hence a criminal offense easily prosecuted. But you can't say that opening an unlocked door and venturing inside is intentional trespassing -- it can be accidental, it can be helpful, it can be authorized. In the former, you need to prove that the person broke the window. In the latter, you need to prove that they weren't at the wrong house -- which is much more difficult, because you need to prove malicious intent.

Most security in this world is about prosecution. Like the video cameras around you house don't stop anyone from breaking in, nor do they help catch the masked thieves -- masks also require zero skill and zero training and anyone can wear one. The cameras prove to your insurance company that the thieves do indeed exist, and wear different shoes than you do. That's about it.

It's "illegal" and "criminal" to break into someone's house by picking the lock or breaking the window. It's neither "illegal" nor "criminal" to open an unlocked door.

Re:Any Excuse? Yes.

[holophrastic]

The only problem there is that you are eating frozen pizza. Please don't do that.

Re:Any Excuse? Yes.

While I agree with some of what you're saying. People do forget that the main point of a lock isn't to deter hardened housebreakers, just discourage amateurs and activate legal protections.

However, if you do want to deter hardened criminals, you can get better locks. And bars on your windows. And if you live in a high-crime neighborhood, you probably have that. The amount of security you have relates to how likely you are to need to deter people. Because if you can't catch the the criminals, then you really _do_ need to deter them.

The whole internet is effectively a high-crime neighborhood. We need better locks and bars.

Re:Any Excuse? Yes.

[bluefoxlucid]

Breaking a window is rather noisy and gains too much attention. It takes some time to rob a house; I've seen people smash doors in, but they usually kick the door down, grab one thing, and leave. The first valuable, light-weight thing they find--a bicycle, a laptop, whatever's in plain view. They often wind up with a $12 wal-mart bike.

Re:Any Excuse? Yes.

You first post "Security isn't about safety". That statement in its self tells me that you have no idea what you are talking about. Please tell me how this works? I can be secure without being safe? I can jump off a building in a plastic bubble, but its not safe? Is this the argument you are going to trying to make?

Your second sentence "The vast majority of passwords are for identification" also tells me you have never worked in, or know anything about Security. Identification is your username\login\id id AKA IDentification. Once you have provided your identification you are then asked to provide a set of keystrokes that only you should know (password). While I agree with you that giving a password is part of the PROCESS of identification, I disagree that trying to increase the security around passwords is less beneficial. Or less safe, I am really not sure what your point is exactly?

Somehow you are trying to tie keeping passwords secure to locking your front door. Hence the "real world" and "online world". These two things are very different and I tried to make your analogy work.

I am correct that the Desert Eagle makes me feel safe. Your counter argument makes no logical sense tho. You said "why would you need to improve your security by locking your bedroom door" If you don't understand why locking the bedroom door adds another layer of security AND safety then we are done talking.

Funny thing why I am posting as AC... I have not wanted to post a reply in a few years under my users name until I read your post and it was scored:5 insightful (WTF) when you clearly have no idea what you are talking about, or very confused on how Security works. However I forgot my password and I did not set a password recovery email. LOL Doh!! Also, stop with the insults. Makes you seem like a troll\fool. I will be waiting for your reply.

Re:Any Excuse? Yes.

[holophrastic]

no time to read all of your likely-shitty reply indicating that you don't know how to read. I'm sure you're commenting on the nth argument instead of on the original subject. you're anonymous, so I'm skipping you. If you don't value your opinions enough to name them, then I don't value them enough to read them.ttfn.

Re:Any Excuse? Yes.

blah blah blah. Your right dood! Throw out the insults and go on your merry way. In the end you still don't know what the hell your talking about. working on getting my id resorted as we speak. Or would you prefer I make a username holophrasticTwo. Because I know everyone reading this knows that other posters really value holophrastic input because you are so "legit" with your real opinions going to your real name and all. So hardcore.

Re:Any Excuse? Yes.

[JesseMcDonald]

Most security in this world is about prosecution.

Sure. But that assumes that you can prosecute. For a crime like breaking & entering, that may work often enough to serve as a deterrent. Online, not so much. You'll probably never find out who orchestrated the attack, and even if you do, they're like to be in a different jurisdiction (or even have state backing). As a result, your security measures have to be strong enough to prevent the attack from succeeding in the first place.

That's not to say that you always need absolute security. There's still a cost/benefit analysis involved. You just can't count on making up your losses by prosecuting the offender when the security fails, which increases the net benefit of having proper security in place.

Re:Any Excuse? Yes.

[Luke+has+no+name]

I've read most of your comments in this thread and the analogies and conclusions are all flawed.

1) A desert eagle is a poor home defense solution. I have locked doors, soon-to-be camera feeds with secure offline storage, and a 9mm. Defense in depth.

2) Under most circumstances, it is absolutely criminal to open my unlocked front door if I have not invited you in.

3) Passwords and usernames are for Identity and Access. In fact, the term "IAM" for Identity and Access Management is common in IT organizations. The AAA protocol for network Authorization, Authentication and Accounting exists to make sure people are who they say they are, only go where they're allowed to go, and that such accesses are properly logged.

You act as if we shouldn't even be trying to be secure in our online accounts... or are you? You then go on about how important it is that no one break your twit account.

The only part of your discussion that approaches coherence is the concept of "reasonable" security. Yes, no security is absolute; all security considerations in all facets of life are about likelihood and risk of a danger, cost, and mitigation. Sure, if someone is writing some ad-hoc utility that has minimal operational impact and no personal data, cleartext passwords probably wouldn't be a risk in itself. Its the fact that salting and hashing with proper algorithms takes almost no effort, and provides benefits, and is a universal best practice out of habit. If this technology advances to the point of being easy to deploy and easy to maintain with minimal effort, it could and should become perhaps the next password storage best practice.

Re:Any Excuse? Yes.

All the more reason to practice your second amendment rights (if you're in the USA).

Practicing your 2nd Ammendment rights is more about being scared shitless of your own shadow than anything else.

Re:Any Excuse? Yes.

[Xmastrspy]

Got my user id issue fixed. Wanted to reply with my "real user id" to pacify your "value your opinions enough to name them" comment. Also, everything I said as AC still stands, and you still don't know what the hell your talking about.

Cheers
X

Re:Any Excuse? Yes.

[Xmastrspy]

I totally agree with your post! My issue with the OP was his comment about "Security isn't about safety". In my opinion that's total rubbish. People set up "security" measures (offensive or defensive as in your case) to provide themselves "safety".

I do disagree with you a little on your 1) point.... Break into my house and then tell me how "poor" my Desert Eagle is as a defense solution. :)

Re:Any Excuse? Yes.

[holophrastic]

Dude, it's been four days. I don't even remember the conversation. But judging by the scores, others appear to be happy enough.

I look forward to our next discussion.

That's a nice technical solution you have there

[H3lldr0p]

The problem is a human one, however.

Yes, this makes it harder should someone get to your stored hashes. But it doesn't make it any more secure if people continue to use "123ABC" as a password. Which they will do since that's an easy thing to remember.

Re:That's a nice technical solution you have there

[mstefanro]

Yes, it does make it more secure. The security of the hash files relies on a secret stored in memory. To
get that secret, you either need to know the password of K users (user i has password p_i) or you need
access to memory. The point is that access to disk is not sufficient (regardless of how weak the passwords
of the users are).

Re:That's a nice technical solution you have there

[squiggleslash]

Just to make it clear, because a lot of posters here appear to be confused as to what this is for:

This isn't about securing individual passwords. This is about securing collections of passwords and doing something about situations where some website's master table of usernames and hashed passwords gets leaked, somehow.

Right now, when that happens, people with the password "123ABC" (or "password" or "secret" or whatever) are easily identifiable because you can look for the hashes of those texts amongst the passwords.

However, with this technology, you would need to already know a large number of existing username/password combinations before you could begin to look for users with easily guessed passwords.

How secure is it? Well, put it this way: if the system is rebooted, then it won't become available until a large enough body of users has tried to log in...

Re:That's a nice technical solution you have there

Couldn't you do that with an ordinary algorithm by keeping the salt in memory instead of disk?

Re:That's a nice technical solution you have there

[mstefanro]

Yes, you could. This doesn't have any better security guarantees than just doing that.

His whole argument however is that the salt needs to be reentered in the memory manually
after a system crash, whereas with his mechanism the memory gets the needed data automatically
after a few users login.

Re:That's a nice technical solution you have there

[bluefoxlucid]

Make passwords 20 characters. Lower case letters and the underscore or space. Expire once per 100 years. More than 60 attempts in 60 seconds gets a 60 second ban. Tell the user to slap 4 random dictionary words together. Use a random salt value per-password and a strong hash.

QED.

Re:That's a nice technical solution you have there

So how exactly would this stop someone guessing you're easily guessed password? No hash or access to memory to try "Password123" and see if it works...

That's the point he's making: you can make passwords uncrackable all you want. But if you don't change the human behavior of making easily guessed passwords, it won't matter.

Re:That's a nice technical solution you have there

Are you just posting random password tips without reading the comments you're responding to?

Re:That's a nice technical solution you have there

How secure is it? Well, put it this way: if the system is rebooted, then it won't become available until a large enough body of users has tried to log in...

In TFA, the author describes a scheme called "Partial Verification" that gets around this issue.

Re:That's a nice technical solution you have there

Just to make it clear, because a lot of posters here appear to be confused as to what this is for:

This isn't about securing individual passwords. This is about securing collections of passwords and doing something about situations where some website's master table of usernames and hashed passwords gets leaked, somehow.

Right now, when that happens, people with the password "123ABC" (or "password" or "secret" or whatever) are easily identifiable because you can look for the hashes of those texts amongst the passwords.

However, with this technology, you would need to already know a large number of existing username/password combinations before you could begin to look for users with easily guessed passwords.

How secure is it? Well, put it this way: if the system is rebooted, then it won't become available until a large enough body of users has tried to log in...

The confusion stems from the sensationalist headline posted with the summary.

Re:That's a nice technical solution you have there

[jiadran]

Actually, to prevent "look[ing] for the hashes of those texts amongst the password" salted hashes are used. I believe password tables would already be reasonable sure if web sites would adopt salted hash algorithms, such as BCrypt.

This scheme is still vulnerable to to weak passwords, as you can just try the most common password (if restricted to a length greater or equal to 6 characters, it would probably be "123456") for randomb combinations of users until you get a combination that works. Once you have a set of user/password matches, you can then bruteforce other passwords. For large sets of passwords and a small number of correct passwords required, this scheme would hardly be better than standard salted hash approaches, not because the scheme is mathematically weak, but because of the lazyness of users (including me).

Seriously?

[Anarki2004]

Fucking pop-up ads and a re-direct to google play? What is this shit!? I was trying to stick it out, but you've gone too far this time. Unbelievable. I quit.

Great.

It's always unbreakable, until someone cracks it.

Clarification

[JMZero]

So it turns out their system, after a reboot, can't just validate a single user (I guess that was a crazy assumption on my part) - it has to have logins from a number of users before it can authenticate anyone. And if you don't want the system breakable by someone just creating a bunch of accounts (eg. normal users on a public website), these prime logins have to be more "special accounts".

Practically, if you need some special logins after every reboot in order for the system to come online, you're going to have to have multiple people assigned this job. Or one person with N passwords he logs in with. In which case, why not just give that guy a one time pad sort of thing that he primes each server with? I mean, these passwords are going to be unrecoverable and encrypted with, effectively, an unchanging key. So... uh, we have ways to do that.

Oh wait, there's an extension that gets around this, and has the property of "the server can check and eliminate most wrong passwords right after reboot". I'm sure a lot of bosses will like that - it'll reject most wrong passwords. Great.

It's a clever idea, but I think there's some real hard sell problems there.

Re:Clarification

[bob_super]

Fine, I'll just go buy N wrenches.

Re:Clarification

[MarcoAtWork]

why would you need multiple people assigned to this job? seems to me if you are really concerned you could 'prime' this system by using an attached HSM with however many random accounts/passwords you'd like to be logged in at bootup: outside of somebody physically breaking into your server room and stealing your keycard it would seem quite secure to me...

Re:Clarification

[JMZero]

Yeah - but that system would have nothing to do with this. If you want to do that, it's cool and it'll work.

The interesting part of THIS system is that it can recover the secret it needs just by having multiple users authenticate. Which is a really cool property for some possible purpose, but I don't see how it fits well with the requirements of a "normal" authentication system and how that needs to respond.

Re:Clarification

[VortexCortex]

I fucking love this!

I hope every web company uses it. That way when users realize their boycotts have the potential power of cascading effects they'll finally have to bow to our demands and implement a better password system!

Re:Clarification

[MobSwatter]

True, but somehow I do not believe the NSA would be compelled to support this.

Re:Clarification

Most sufficiently complex user systems require some type of manual intervention to bring them up to a useable state. Automatic configuration a la "service mysqld start && service httpd start && service fail2ban start" just doesn't scale to large, production environments. "Process initial logins," then, will simply become a part of the normal application startup checklist.

SAs are quite used to developers handing us unfinished applications with confounding startup/shutdown procedures. Trust me: this is nothing special.

Re:Clarification

[Kjella]

This. If you need "special" accounts just have it supply an AES key to decrypt the password database with, if you can crack that without having the key we're all in deep shit. Pseudo:

If (databaseLocked)
    TryDecrypt(database,password)
    If (ok)
          Print "Alright, have fun"
    Else
          Print "Sorry, service down"
    EndIf
Else
      LoginUser(username, password)
EndIf

I guess you could do that as a shared secret kind of thing (you need 3 of 5 keys to unlock) but I really don't see the point.

Re:Clarification

[kasperd]

Or one person with N passwords he logs in with. In which case, why not just give that guy a one time pad sort of thing that he primes each server with?

Actually for that we can just use a single strong password which could for example have 128 bits of entropy. So you just need to have one employee capable of memorizing a strong password, probably it would be a good idea to have a few such employees for redundancy.

Re:Clarification

[MarcoAtWork]

you would use the HSM (or a usb key on a trusted computer with your passwords, for lower security scenarios, say, where you have a colo and/or don't want to buy an hsm) to 'prime' the system to avoid having the issue where you either have to leak a little bit of info or you don't know for sure if the first few users' passwords are correct or not right after a reboot, as part of the reboot process you would log in in turn with all these known usernames/passwords in order to get the system up to an initialized state so it can validate 'real' users properly.

Re:Clarification

[JMZero]

The point of this thing is to get an effective key into memory without storing it somewhere (ie. you can reconstruct it based on login attempts). If you just store the logins somewhere, you might as well just store the key there instead (and this, combined with communication restrictions, is how a normal setup like this would work), because from the logins you can get the effective key you need to do authentication. So this scheme isn't really adding anything to that scenario.

To be clear, I don't think you're wrong - you could do a setup like you describe; I just don't think adding this process into the mix would effectively increase security (or, at least, wouldn't help any more than storing passwords in 1000 different files around your network would - it makes things less convenient for the attacker, but not really more secure given the assumptions we have about the attack).

Re:Clarification

Yes, if account creation if public and automatic any attacker could pull the secret out of the shamir share. That secret protects the hashes of the password, and not the passwords. The issue with the one-time pad or hardware-protected crypto key is it's one one thing to keep track of, and if you lose it, you've lost all the passwords.

"it'll reject most wrong passwords" But that doesn't imply that it's accepting wrong passwords. If it need 25 shares to solve the secret and it has 50 probably right passwords, and all 50 don't give a result, it might try all comination of 45 passwords. The server still needs to rebuild the secret before anyone is authenticated.

But instead of a web forum, say you have a company database server in a company with 278 employees. You might split your shamir sectren into 11 parts, which on would let the server be back online after 22 correct login attempts (at least 95% of the time,). For an attacker to have a 50% chance of learning the key he would need to compromise 10 passwords which would require a taylored attack. Won't stop corporate espionage or intelligence agencies, but it will stop you typical romanian hacker.

Embarrassingly poor idea

The minute they said that a single-round digest of a salted password is standard practice, I stopped reading. Apparently they've never heard of PBKDF2 or scrypt. I now have zero confidence that these researchers know anything at all about password security.

You know what works even better than their method? Encrypting your entire PBKDF2(10000) password table with a secret key that isn't stored in the database (eg, hardware key or network storage that is unmounted after startup). Because that's exactly what they're describing, just worse.

Re:Embarrassingly poor idea

[WaffleMonster]

The minute they said that a single-round digest of a salted password is standard practice, I stopped reading. Apparently they've never heard of PBKDF2 or scrypt. I now have zero confidence that these researchers know anything at all about password security.

Real security is achieved with large exponents. Anything short of that (multiplication, assorted amplification techniques) exist to make people feel better. But but but my password is a thousand times more secure now!!

Really...

[g0bshiTe]

Like NSA would allow that!

Running memory

[holophrastic]

The article says: "if an attacker can read memory on a running server, they can steal passwords unencrypted regardless of the technique that is used".

The article concludes that al we're trying to do is to resist passwords stored on-disk. Congrats. So here's my fix-all solution. When the server is booted, it loads all of the passwords into memory, and then physically disconnects the disk. And we're done. You know, except for the whole entire memory space.

This is just another one of those "make this link in the chain even stronger because once someone broke through it" forgetting that there are dozens of other weaker links that simply have yet to be targetted.

Re:Running memory

A physical disconnect may be hard to set up.

However, as I understand it PolyPassHash actually will work very well with the new Intel SGX extension ( http://theinvisiblethings.blogspot.com/2013/08/thoughts-on-intels-upcoming-software.html ). This makes it so that even the hypervisor / OS cannot read certain memory pages directly.

So, with PolyPassHash + SGX should have a hugely positive security impact on servers. Looks like time to preorder a CPU upgrade!

Re:Running memory

so let them just be plaintext, because it's a futile excersize to protect the passwords, since there will always be some way of finding them out?

Re:Running memory

[Jeremi]

This is just another one of those "make this link in the chain even stronger because once someone broke through it" forgetting that there are dozens of other weaker links that simply have yet to be targeted.

If you can think of a way to strengthen all of the links simultaneously, by all means post it and/or start a company and get rich selling your perfect-security technique.

If, on the other hand, you can't, then strengthening the links one at a time may be the best we can do. Unless you think it's better to leave them unnecessarily weak?

Re:Running memory

[holophrastic]

A physical disconnect is easy to set up. It's at reboot. It's actually a physical-but-momentary connect. That's not high-robotics.

But even a soft disconnect, even something as simple as a dismount. Or a wireless momentary connection. How many hackers are going to have access to mount/connect an invisible disk?

Or, if you like, just overheat the drive after a few minutes of use, and it'll dismount all by itself.

Re:Running memory

[holophrastic]

No, secure the access, not the information. Encryption is relevant in a scenario where the data needs to be there, and be inaccessible. It doesn't work when the data needs to be accessible at all times. If the data is completely inaccessible, it need never be secured.

So, in this case, since all of the fancy encryption being discussed is entirely absent once the data is in memory, and since that's reported as being acceptable, then we can just put it all there, be the very same acceptable, and then we don't need any of the fancy encryption to begin with.

Look at it this way. Why would you bother locking the front door of your house if you've got three armed security guards and six attack dogs guarding your home?

Re:Running memory

[holophrastic]

Think harder boy. I believe in removing links, having fewer links to strengthen. It's called reducing the surface area of attack -- at least it was in the 80's, when I did start my own successful company.

You may be forgetting, if you've ever actually known, that chains are used because they are inexpensive to produce. They aren't better than cables, and they aren't better than lines, and they aren't better than rope -- when better equals stronger. But they are more flexible than cable, way faster to produce than rope, and far easier to produce than lines. Useful for many things, but not when strength is the primary requirement. That's why the rock climbing harness is rope, and the hang-glider harness is a canvas strap, and the tower guy-lines are, well, cables.

So why would you want a chain-system for security? Seems dumb. You should want parallel components, not serial ones. Otherwise, you're trying to be more secure by lengthening your rope. That's just foolish. You want a second rope, not a longer rope.

I have no need to post anything. Why would I choose to help you with my ideas? You can develop your own ideas; not that there's any evidence of that here.

Try learning to think differently than the situation-at-hand. That's called creativity.

Re:Running memory

[AvitarX]

I bet that makes password changes and adding accounts super easy too.

Re:Running memory

[holophrastic]

true.

cached, in-memory for the day?

Re:Running memory

[bluefoxlucid]

You lock the door so the police need a warrant. "It was open" is an occasionally accepted excuse.

Re:Running memory

[holophrastic]

Exactly. But with armed guards turning the police away, they'll never get to your door. You need to read the entire sentence dude. Each word adds meaning.

Re:Running memory

[thunderclap]

I would mod you up if I had the points. The entire idea of the polypasshash is unworkable in the real world. Why? because of Humanity will, the fact that there is no such thing as an unbreakable password and people's stupidity. We need stuff that works in reality when its subjected to single inputs and multiple reboots and employees who don't want to do best practices. AS well as money pinching, technoilliterate execs who wonder what they can't log in and want it to work for him/her alone now, or pink slips next week.

Re:Running memory

[AvitarX]

It all becomes a shell game, if you need to connect to the main DB at any time, then a compromised system can be a problem.

The only solution I can think would involve downtime by writing to disk, booting single user mode, updating the master copy while safe in single user mode (assumption being that is as secure as memory anyway), reboot caching locally changes (which are probably not that often in a typical system).

You'd have to have an hour or so of scheduled downtime, in exchange for only users that signed up, or changed passwords since the last scheduled downtime are vulnerable. For many systems I'd think this is a reasonable trade, for example, my bank's website, that allows checks to be written (though not without email notification for email address change, and check being written), could go down an hour a week, or even a day between 4:30am and 5:30am eastern time (2:30-3:30 western), and it wouldn't be a big deal.

Re:Running memory

[AvitarX]

Actually, my bank is perfect for this method, as they have the secret questions either, and if you needed to get them right, and the password to login, I think you'd get similar protection??

The bank requires a secret question on new systems anyway, then verifies with a cookie, I bet you could combine said questions with the password the way this article describes.

Re:Running memory

[ramriot]

Except the attack senario is an SQL injection. So how will you be exposing this in-memory data to the web app?
BTW: most database engines already put commonly used tables in RAM for efficiency, so its already done and does not help.

Re:Running memory

[holophrastic]

I don't think you read that correctly.

Re:Running memory

[ramriot]

I think I did!

Re:Running memory

"Work smarter! Not Harder!"

Thanks, PHB. Oh, say hi to Dilbert for me.

Impossible, or just NP hard?

[mark-t]

Given enough opportunities to try different combinations, any password can be guessed in a finite amount of time, eventually.

Or maybe they just mean impossible for all practical purposes...?

Re:Impossible, or just NP hard?

[tepples]

They mean "it'd take longer than the age of the universe".

Re:Impossible, or just NP hard?

[bluefoxlucid]

You're wrong. Reverse-computing a password (including testing guesses) requires energy. If the energy required is more than the entropy available in the universe, then the universe will reach its base energy state before calculation completes. At that point, there is no more energy to derive: every moment in time is like every following moment in time, as nothing changes, and thus time has ended.

The phenomena of time physically ending can also be called "an infinite amount of time". For our purposes, if you land in that time scale, it takes literally FOREVER.

Re:Impossible, or just NP hard?

[mark-t]

Did you read the first seven words of my comment?

Clearly not... or you would realize that such factors as what you mention are, from the standpoint of the problem, merely imposed limits on the frequency with which one may actually make attempts to solve the problem. And even then, still don't guarantee that any given one wouldn't be solved.

Absolutely *NO* password is uncrackable... a person may, in fact, get it even on their first try.

The most that one can say about "unbreakable" password protection is that it might be unbreakable for all practical purposes. That is not remotely the same thing as saying it's impossible to do.

Re:Impossible, or just NP hard?

[bluefoxlucid]

This scheme is a mathematical scheme which requires a certain threshold of information to discover if any information is valid. It's like trying to discover the Y intercept of a polynomial of Nth degree, being able to verify that the value is correct or not: you cannot do it unless you have N points.

It's not a matter of guessing a password, but rather simultaneously guessing N passwords correctly. Not incrementally guessing N passwords, doing some tests, finding that some are 1% certain to be correct and some are 0.0001% certain to be correct, keeping the 1% ones, and then as they increase certainty to 50%, 90%, etc. eventually building a system. Every combination of N passwords has exactly two binary states: 100% certainly all are correct, 0% certainty ANY are correct.

Assuming strong constraints such as 20 character passwords, all lower case and underscore, we can deduce that the only physically possible way to crack any password in the system is sheer luck at a probability such that it should happen, on average, 10^100 times the amount of time it would take to reach the end of time. You can't just say, "oh we'll just set a process in place and, even if it takes a really long time to the point that it doesn't actually help, it WILL break it eventually." It won't. Time will end eventually.

Re:Impossible, or just NP hard?

[mark-t]

There's no guarantee that time will end before it cracks it... at most only that time will end before it can be guaranteed to have been successfully cracked.

There is a difference.

Taking some highly remote chance and saying that it is so unlikely to ever happen that you can assume it never actually will may very well be valid assumption for all practical purposes, but that doesn't make it true.

Re:Impossible, or just NP hard?

[bluefoxlucid]

There's no guarantee that you won't have a sulfur vein in your 2 inch steel armor that causes it to crack under small arms fire and let a 9mm round through to kill you.

Nothing is physically impossible. All of the atoms in your heart could spontaneously bore out of your chest by quantum probability.

Another practical problem.

All the attacker needs to do is create 10 (or whatever the threshold is) user accounts before compromising the server, and then you can recover the secret. So, this won't work for any of the cloud services mentioned in the abstract.

However, the attacker doesn't have the ability to create accounts, and the threshold is set high enough, then even having a bunch of users (say 10) with passwords like "password", "qwerty", etc, won't necessarily let you in, since you have to correctly guess *which* account uses which weak password. So, if there are 100 weak passwords in your database, all the passwords are drawn from the weak password database, and the threshold is 10, it sounds like this system is similar to setting a 10 character master password on the database, where the strings come from an alphabet of ~ 100 characters. (Of course, the strings aren't drawn randomly from the database, since some weak passwords are more popular than others, but it's still better than nothing.)

Re:Another practical problem.

[gweihir]

Hehehe, nice! And obvious. So for anything where anybody can make an account, this is completely broken!

Re:Another practical problem.

Hehehe, nice! And obvious. So for anything where anybody can make an account, this is completely broken!

If you bothered to read the article, you'd know they already addressed that problem. Oops, sorry. Forgot that you cannot read.

Obligatory

[ArcadeMan]

PolyPassHash want a cracker?

I'm skeptical.

[wcrowe]

Impossible? Hmmm, I don't know about that. Chin Ho Kelly on Hawaii Five-0 can crack any password within a couple of minutes. I seen it.

longer to crack than the age of the universe?

[aneroid]

...it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist.

Let's hope they're not creationists.

Re:longer to crack than the age of the universe?

[Grax]

Even then it would be longer than many many lifetimes. If that were truly a measure of security, I think it would be adequate.

Re:longer to crack than the age of the universe?

[TechyImmigrant]

I think both creationists and sane people mostly agree the universe exists. Maybe they mean "estimated to have existed".

Re:longer to crack than the age of the universe?

That's the future tense. If they would be creationists, they would likely also believe that nobody except their god knows when the end of days is here and the passwords almost cracked. The problem would be to them a nondeterministic one. Oh, many of them also think they can make it come faster by hastening Jewish immigration to Israel. Nevermind.

Re:longer to crack than the age of the universe?

or "will exist"?

Re:longer to crack than the age of the universe?

[PRMan]

Creationists believe the universe exists. But they probably think that Jesus is coming back a lot sooner than the average scientist. That's followed by a 1000-year reign of Christ on earth and then a "little while" longer. After that, the earth as it is now will be destroyed and everyone alive will live in a sinless place (the new earth, commonly referred to as "heaven"). So, most creationists probably only see this earth as existing for another 10,000 years, tops.

Re:longer to crack than the age of the universe?

Obviously meant "estimated to continue to exist" aka "until the heat death of the universe."

Re:longer to crack than the age of the universe?

[steelfood]

10K years is more than enough for anybody.

Re:longer to crack than the age of the universe?

[thunderclap]

so that means it takes 6000 yrs to crack it? thats not long at all.

He pretty much agrees with you on page 12.

[xxxJonBoyxxx]

>> Sane people will stay with salting and stretching, ideally with scrypt() to neutralize GPUs.

"Key stretching is orthogonal to PolyPassHash and could be trivially used in conjunction."

Hell, just the bit about bcrypt, etc. using a unique hash per password would have stopped most of these "grab the file then crack the table" hacks; the current focus of developers should probably just be to replace anything still using unsalted (or common salt) MD5/SHA1/SHA256 schemes.

Re:He pretty much agrees with you on page 12.

[gweihir]

Salts do not help that much today, as brute-forcing is faster than generating rainbow-tables. The stretching (i.e. hash iteration) is what brings the real gain. Sadly, even people that develop security software in the financial sector often do not seem to know that.

Re:He pretty much agrees with you on page 12.

[mlts]

What really needs to happen is separation of duties and storing the hashes the same way companies store private keys used for signing... a physically secure, hardened appliance with a limited interface out. Backups are done to a USB port physically on the appliance, and the data never is exposed on the network, only calls to use it.

We can use bcrypt, initial hashes, and such, but it might be better to consider a different protection method -- keep the data separate and physically isolated from everything else... i.e. put the hashes on their own separate box so that even if an attacker manages to get everything on the network, they only can access the stored hashes by trying user/password combos... and with a sane lockout method on the device with exponentially increasing lockouts, it is easy to prevent brute forcing an account.

Re:He pretty much agrees with you on page 12.

[kasperd]

Salts do not help that much today, as brute-forcing is faster than generating rainbow-tables.

Salting provides lots of security against brute force attacks. Let's assume you have a system with one million users and you have a list of the 10 million most common passwords. If the system uses unsalted hashes, you only have to hash those 10 million passwords once to know which users have been using a password from that list. If OTOH the hashes are salted, you have one million salts and 10 million passwords. That's 10 billion combinations you have to try in order to know which users used which passwords from your list.

Re:He pretty much agrees with you on page 12.

stretching (i.e. hash iteration) is what brings the real gain. Sadly, even people that develop security software in the financial sector often do not seem to know that.

All of those methods for slowing down password validation are DoS attack vectors.

Re:He pretty much agrees with you on page 12.

[gweihir]

Salting actually provides no security at all against brute-forcing. Salting helps against rainbow-tables, but that is a different attack.

Re:He pretty much agrees with you on page 12.

[gweihir]

Yes, and there is no way to protect against that directly. But there are other ways, for example requiring users to solve a captcha in addition or rate-limiting individual IP addresses.

Re:He pretty much agrees with you on page 12.

[kasperd]

All of those methods for slowing down password validation are DoS attack vectors.

You can protect against that by moving part of the computation to the client side. Once upon a time, I wrote a proof-of-concept in javascript. Much better solutions are possible, if you designed a new protocol and were able to get clients to support it.

A rough idea goes like this. Client sends username to the server. Server responds with a salt. Client uses salt + password to seed a PRNG. Output from the PRNG is used to generate an asymmetrical keypair. The client then signs a session ID (from the SSL layer) using the generated secret key. Client sends public key and signature to the server. The server then validates the public key by using a salted hash using a different salt value, and it validates the signature.

For each user, the server would need to store two salts and a hash value. The most expensive part of the above calculation is the generation of the asymmetrical keypair, which happens on the client. Thus you are better protected against DoS attacks. And that computation actually requires more CPU time than a typical iterated hash for password validation. The second most expensive part of the calculation is the signing using the secret key, which also happens on the client.

The validation of the signature does require a bit of CPU time on the server. But that happens after you validated the public key. For an attacker to even get the public key is actually harder than breaking the password protection schemes we are using today. Effectively from the above you could remove the signature validation step of the protocol, and it would still be more secure, than what we are currently using.

Re:He pretty much agrees with you on page 12.

[kasperd]

But there are other ways, for example requiring users to solve a captcha in addition or rate-limiting individual IP addresses.

Rate-limiting individual IP addresses is of limited value. It is not that hard for an attacker to attack you through different IP addresses. And in many cases an attacker would even be able to get a few requests coming through the same IPs as some legitimate users. If an attacker has access to a botnet, the situation gets even worse.

I predict that killing the login service due to lack of CPU capacity requires a much smaller botnet than flooding the network connection would.

Using a captcha may help. But the implication would be, that if you are under attack, you are going to require a captcha from lots of legitimate users. That's not very user friendly. I am not aware of any formal analysis of the security of captcha schemes, but in cases like this breaking the captcha is only going to permit a DoS attack, and not gain actual access, so it is not that bad. And you can even adjust the difficulty of the captcha dynamically to keep server load under control.

Re:He pretty much agrees with you on page 12.

[kasperd]

Salting actually provides no security at all against brute-forcing. Salting helps against rainbow-tables, but that is a different attack.

You clearly did not understand what I wrote. Salting slows down attacks proportional to the number of users. The only way you can attack salted hashes as fast as unsalted hashes is if you are attacking a system, which is only ever used by one single user.

Rainbow tables is just a way to start the attack before the leak happens. If you already have the leaked hashes there is no point in using a rainbow table, since rainbow tables are slower than an ordinary brute force attack.

If there is many small leaks from identical hash funnction, you would have to decide when there is enough to bother with a brute force attack. If you use rainbow tables, most of the computation can be reused for each leak, because that part can be computed before the leak happens. But overall you end up spending more CPU time on the attack, than you would have, if you just waited for all the leaks to happen and only then started a brute force attack.

Re:He pretty much agrees with you on page 12.

[kasperd]

What really needs to happen is separation of duties and storing the hashes the same way companies store private keys used for signing... a physically secure, hardened appliance with a limited interface out. Backups are done to a USB port physically on the appliance, and the data never is exposed on the network, only calls to use it.

I say the effort is better spend on new protocols, where the server will never be able to learn the password, even if an administrator decided to install software to capture data after it has been decrypted by SSL. Such protocols are possible, but not widely deployed.

How many users wouldn't want a system, where the administrator couldn't leak the users passwords, even if they wanted to? As an added bonus you can safely use the same password on all sites, that makes use of such a more secure protocol. The implication of that would be, that you only have to remember one password, and that would hopefully get users to choose a slightly stronger password, than they do today.

Re:He pretty much agrees with you on page 12.

The ideal would be some form of client certificate. That way, the server either stores a copy of the key, or just stores a hash of it so it can recognize the key material when presented with it. That would make the need for virtually every other authentication method pointless, especially with PFS enabled in SSL (which it should have been from the get-go.)

If this doesn't work, maybe a system where an ephemeral key is generated and used, which is signed by the user's real key (which is kept offline.) This would allow for everything to be encrypted/signed, while not having to expose the user's key material to a machine or if the user's key is stored on a smart card, expose the key to bogus signing/decryption requests. Not 100%, but it would get rid of passwords altogether.

Re:He pretty much agrees with you on page 12.

[kasperd]

The ideal would be some form of client certificate. That way, the server either stores a copy of the key, or just stores a hash of it so it can recognize the key material when presented with it.

Certificate means a trusted third party signed a certificate stating that this particular public key belongs to this user. I'm not hooked on the idea of a trusted third party for this. Having the server store the public key or a hash of it, like you suggest, is a better approach. But then it is not really a client certificate.

That approach is sort of similar to what I describe, except that in my scenario the private key is computed on the fly, and in your case it is stored on the computer. Each approach has advantages. It is possible to design the protocol such that the client can choose whichever of the two approaches it prefers, and the server won't know which of the two is in use.

One drawback of storing the private key on the computer is, that there is now a file you can lose, and if you do, you lose access to all sites. My approach would only require you to remember a password, and then you can always get a new computer and use it. That may be a drawback in some scenarios, as if someone learned your password, they could authenticate as you. OTOH if only the private key is required, somebody stealing your device could authenticate as you (though the private key could be encrypted using a password).

Another drawback of storing the private key is that you would be using the same key with many sites, which could then violate your privacy by deducing that all of those accounts on different sites belong to the same person. My approach would use a different private key for each site since it would depend on the salt. The protocol for setting the password in the first place could enforce uniqueness of the salt by requiring it to be a hash combining inputs from both client and server.

If this doesn't work, maybe a system where an ephemeral key is generated and used, which is signed by the user's real key (which is kept offline.)

If you do go with the stored key approach, then this additional layer of indirection would be beneficial to the security.

but it would get rid of passwords altogether.

I don't believe in getting rid of passwords. If you don't have any passwords at all, then anybody stealing your hardware could authenticate as you. For me the goal is not to get rid of passwords, but to ensure you never need to present your password to an untrusted device.

Re:He pretty much agrees with you on page 12.

[gweihir]

You do not understand what you are talking about. Salting has absolutely no influence on brute-forcing. The number of users has absolutely no influence on the time it takes to brute-force one. You clearly do not know what "brute-force" means. Maybe read up on the concepts before spouting utter nonsense?

Re:He pretty much agrees with you on page 12.

[gweihir]

Well, yes. But the same happens to be true for any password-scheme: Either it is insecure, or it is vulnerable to DoS. So what is your point?

Re:He pretty much agrees with you on page 12.

[cbhacking]

Are you some weird kind of illiterate where you can write but not read, or are you just too arrogant to read the comment you're replying to? Whichever it is, you don't know what the hell you're talking about.

Salting provides no meaningful protection against brute forcing *one specific user's password* (although pepper - a "secret salt" that is not stored in the authentication database - can). It provides a shitload of protection against brute-forcing an entire password dump, or even brute-forcing just *some* user's password if you don't care which one.

An un-slated dump of password hashes can be brute-forced to give you *some* valid password trivially easily; hash the 10 most common passwords (which even with an expensive verifier derivation function will take almost no time), and you can trivially easily find the handful of users using those passwords. You now have some valid credentials to log in with (as well as the passwords that several people used, and therefore probably the ones they used on other sites too).

If the passwords are salted before hashing, then you have to try each of those ten passwords with the salt for each user. Assuming the time to hash passwords (through the verifier derivation function) dominates the time to compare against the dumped hashes, a unique salt per user takes the time to check M passwords via brute-force from trivial (M iterations of the verifier derivation) to impossible (M*N iterations, where N is the number of users).

Re:He pretty much agrees with you on page 12.

Salts do not help that much today, as brute-forcing is faster than generating rainbow-tables.

Maybe on the planet "Theory" where applications and servers manage to process 10 million username/password attempts per second, but on my planet (Earth) it's much quicker to nab a table of unsalted hashes and run it against a rainbow table.

Re:He pretty much agrees with you on page 12.

[kasperd]

Either it is insecure, or it is vulnerable to DoS. So what is your point?

If you use a salted hash based on a cryptographic hash with no known weaknesses, then you won't be as vulnerable to DoS attacks. And security-wise it is a justifiable solution. Hashing and salting add a lot of security. It will slow down an attack significantly without a significant cost for legitimate usage. That's what you expect from good cryptography. Iterating the hash will OTOH slow down legitimate usage and attacks by the same factor. Slowing down legitimate usage by the same factor that you slow down attacks is not good cryptography.

Instead of slowing down legitimate usage without being able to slow down attacks by even more, you should be looking at adopting protocols, that provide real security improvements. For example it is entirely possible to perform password authentication without the server ever having a chance of picking up the password in cleartext. Such protocols provide real security improvement. You can also increase computation cost on the client side rather than server side, and slow down brute force of a leaked password database that way. The later is still not great, because you are still only slowing down the attacks by the same factor as legitimate usage. But at least you don't make yourself vulnerable to DoS attacks, if those extra computations happen on the client rather than the server.

If you go with salted hash with only 1 or 2 iterations of the hash function to protect yourself against DoS attacks, and you push for adoption of protocols that hide the password from the server, then you are doing more for security than most sites. And should those salted hashes leak, only the very weakest passwords will be brute-forced. In that situation if a user's password is broken, the user bear the responsibility for choosing such a weak password in the first place.

Re:He pretty much agrees with you on page 12.

[gweihir]

You have not kept up with developments. And there is the little problem with rainbow-tables that they cannot break good passwords as the space-need and sorting-time is prohibitive. Oops, sorry. Forgot that you do not actually understand any of this.

Re:He pretty much agrees with you on page 12.

[gweihir]

That is nonsense. You can do certificates securely without third parties. Oh, and look, ssh has been doing it for ages. And so has PGP.

Re:He pretty much agrees with you on page 12.

[kasperd]

You do not understand what you are talking about. Salting has absolutely no influence on brute-forcing.

I give up. You have clearly demonstrated that you do not know what you are talking about, and that you are not willing to learn. I don't know why you think you can convince me about something by repeating a statement, which I know is not true.

If you are not willing to accept that you were mistaken, there is not point in this thread continuing any further.

The number of users has absolutely no influence on the time it takes to brute-force one. You clearly do not know what "brute-force" means. Maybe read up on the concepts before spouting utter nonsense?

• You should read what I wrote instead of making something up, which I did not write.
• I'd say taking a university degree in cryptography does count as reading up on the concepts.

Re:He pretty much agrees with you on page 12.

Oops, sorry. Forgot that you do not actually understand any of this.

It's ironic how you come up with that every time you reply to somebody who knows more than yourself.

Re:He pretty much agrees with you on page 12.

You can protect against that by moving part of the computation to the client side.

Nice. Anybody doing this in practice or is it purely a theoretical solution?

Re:He pretty much agrees with you on page 12.

You can do certificates securely without third parties.

A certificate is by definition issued by a third party. Your comment is nonsense indeed.

Re:He pretty much agrees with you on page 12.

[david_thornley]

If you have a list of ten million passwords, and you hash each password and then compare to the password database, you're just generating a rainbow table on the fly. There's no difference between that and doing the ten million hashes beforehand, or getting the list from somebody who already did. What you are saying here is that salts provide security against rainbow tables.

If the bad guy is out against one particular account, the salt isn't going to help, unless it provides a little additional delay in doing the hash. If the bad guy just wants an account, any account, the salt will slow him down. (Also, in the absence of hashes, the bad guy sorts the passwords and notes which passwords belong to multiple accounts. Those are the ones to go after first.)

Downthread, you say that salting slows down attacks proportional to the number of users, which I just don't understand. Case one: the bad guy wants to crack any account, and doesn't care which. The bad guy benefits from large numbers, because it increases the odds of somebody using a lame password. If there's a system with just me on it, and I care about that system's security, trying common passwords isn't going to help. If there's two dozen people there, somebody's not using a really good password. Case two: the bad guy wants to crack one specific account. In that case, it doesn't matter who else is on the system. Case three: the bad guy wants the maximum number of accounts cracked, and doesn't care whose. In this case, the bad guy can look at however many accounts he wants at a time, so increasing the total amount of accounts can't slow things down by more than proportional to the number of accounts. However, since the number of accounts broken is also proportional to the number of accounts, it doesn't change the average reward per unit time. Only if the bad guy wants to get all the accounts is there any problem with increasing the number, and that's just because it increases the probability of a password that the bad guy cannot crack with available time and resources.

Re:He pretty much agrees with you on page 12.

[gweihir]

You have the definition of a certificate completely wrong. There is no requirement that the "third" party must be different from both of the participants. None at all. You are probably confused by the way X.509 certificates work. They are not the only way to do it and in practice at least some of the other ways turn out to be secure, while X.509 is badly broken.

Why is it that people do not even understand the basics feel free to spread nonsense about this? Has the cretinization of Information Security really progressed this far already?

Re:He pretty much agrees with you on page 12.

[kasperd]

If you have a list of ten million passwords, and you hash each password and then compare to the password database, you're just generating a rainbow table on the fly. There's no difference between that and doing the ten million hashes beforehand, or getting the list from somebody who already did.

Rainbow tables don't work that way. A rainbow table is not based on a dictionary. When generating a rainbow table you will be hashing pseudorandom inputs (chosen according to a probability distribution). And you are not hashing every input just once, you may end up reaching the same input multiple times. Also a rainbow table does not store all the computed hashes.

Case one: the bad guy wants to crack any account, and doesn't care which. The bad guy benefits from large numbers, because it increases the odds of somebody using a lame password.

I did not say having a large number of users made the system harder to attack. I said the slowdown salting does to the attack is proportional to the number of users. If salted hashes are used there are two factors involved as the number of users increases. More users means higher probability of somebody using a really lame password, this benefits the attacker, I am making no claims about the exact size of this factor. But salting means each password from the dictionary has to be hashed more times, which is a disadvantage to the attacker. In the ideal world these two factors cancel out. In the real world those two factors probably don't cancel out exactly. Nevertheless I stand by my statement about the slowdown of the attack introduced by salting, as it is the other factor, which there is most uncertainty about.

So let's assume an attacker wants to find just one valid password for one user. And let's assume there are n users and that in order to find one valid password, the attacker need a dictionary containing m passwords. So far those assumptions say nothing about how passwords are stored, and they are general enough to cover any such scenario. We don't know what n and m will be in a concrete scenario. What I stated is, that the number of hashes an attacker need to compute is n times larger, if the password database is salted than if plain unsalted hashes are used.

If the passwords are not salted, the attacker need to computer just m hashes and compare those against the password database. That comparison is easy to perform by simply sorting the hashes. If OTOH the passwords are salted, the attacker need to computer m*n different hashes in order to find the one combination, where there is a match.

If n is reasonably large, and if there is no strict password policy, it is likely that m will be just 1. But even in that case, the calculations are still valid.

SRP (Secure Remote Protocol)

[kye4u]

That problem is already solved. It is called SRP With SRP, even if the attacker has full access to the host, they cannot reverse engineer the passphrase.

Re:SRP (Secure Remote Protocol)

That problem is already solved. It is called SRP With SRP, even if the attacker has full access to the host, they cannot reverse engineer the passphrase.

Sure, so long as you will change every client in existence to run special software...

It's "solved" but not practical.

Re:SRP (Secure Remote Protocol)

Sadly thats not true. When the attacker has the password database SRP degrades to being just a regular salted password.

Re:SRP (Secure Remote Protocol)

[JimSadler]

The chances are that we do not completely understand what they are doing. A major university making an announcement has a lot at stake when it releases such statements. Even monetary liability comes into play if someone suffers harm after using an "unbreakable" password and it gets broken. My greatest concern would be that our government is the author of such a scheme with a method in hand of getting through that password system. These days any encryption scheme may be tainted by government agencies. Operating systems might also be a huge playground for spooks with too much time and money and power backing them up.

really?

[amaupin]

To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour.

Really? Okay, here are three NONrandom 6 character passwords that are stored using standard salted secure hashes:

a44a6d60ebc202a7d296d82a7eac5748b7a93474c996e533795d769b297e613c
5529ce75d4bf3bc7b488c8591906cc39bf5ac90feeeb9fbc278b0f98e03cafc6
9de700d2bc4fa3ed30a3459a9cffd7785c10f465c5b9cfb4a83d417e9347f0f9

Start your laptops, gentlemen. I'll even give you a hint. The first password is 123456. The second is abcdef.

Re:really?

I believe that the common presumption in the "biz" is that the person doing the cracking has access/perfect knowledge of the hashing and salting algorithms - including, for standard salting schemes, what that salt for each password is. So when they say "cracked in an hour" they're really talking about simple brute force application of the salt+hash forward (because the standard presumption is that the entire hashing+salting technique is known to the crackers).

You're right, though, in that if the salt and hashing algorithms are kept secret, you've effectively increased your password strength. The problem with this is that if the crackers have somehow gotten access to your hashed password database, in all likelyhood they also gained/could have gained access to the password checking code. If that's the case, they don't even need to do complete disassembly/tracing of the code to understand your hashing scheme. All they really need is to insert a hook at the spot where the hashes are compared to dump out the hashed value.

Re:really?

[bluefoxlucid]

Standard salted secure hashes must be stored with the hash as well. You'd have to give us the hash algorithm, the salt, and the hash. Without these, the computer can't compute them.

With the proposed scheme, the salt is unknown; we must compute that first.

Re:really?

... and the salts are?

Re:really?

Algorithm not given.

Re:really?

"standard" is probably SHA256 or bcrypt with an appended salt. I'd bet on the former.

Re:really?

In a salted hash scheme, the salts are included with the hashes, otherwise the server can't validate either. You appear to be using sha1 hashes, but have not included the salts.

Re:really?

[mattpalmer1086]

I think we need a "Misleading" category.

Without the salts, the hashes are essentially uncrackable, if the salts aren't incredibly short. So don't waste your time trying to crack these.

Salts are not secrets. They are usually stored right alongside the account details in the password database.

If your solution is to make the salt secret, you're not using salts anymore. Per-account salts protect against pre-computation attacks and do not need to remain secret to provide this protection. They are a cheap and effective defense for this purpose.

If you want to keep your salts secret, they are technically called "keys", and are expensive and difficult to manage securely.

Is this different than a "secret salt"?

[hawguy]

Is this really different than a "secret salt" that someone has to load into the server upon reboot?

Instead of requiring N correct passwords to let the server build up its Shamir Secret Store data structure that lets it validate passwords, why not just have an admin type in the secret salt that is hashed with each password?

Without that secret salt, the password file is useless. The secret salt can be protected by N passwords (or maybe it's a hash of those N passwords) just like the Shamir Secret Store data, the only difference is that instead of the server computing it the secret data, the administrator(s) types it in directly. If someone can compromise the server to get the secret salt (or can social engineer the administrator password(s), they can also get to the Shamir Secret Store data, so it doesn't seem any less secure.

Re:Is this different than a "secret salt"?

[TechyImmigrant]

Secret salt? Isn't that what we normally call a key?

Re:Is this different than a "secret salt"?

[hawguy]

Secret salt? Isn't that what we normally call a key?

I don't know -- who is "we"?

I called it a "secret salt" since it's not really an encryption key, it's just another input to the password hash function just as a normal salt is. But it's meant to be secret unlike a regular salt which is generally stored with the password hash.

Re:Is this different than a "secret salt"?

[TechyImmigrant]

Right, but Hash(data=(secret_salt || plaintext)) looks very much like message_authentication_code(key=secret_salt, data=plaintext).

Not all keys are for encryption.

Re:Is this different than a "secret salt"?

[bluefoxlucid]

In this scheme, you could do that. In this scheme, if your admin takes 30 seconds to log in and type the password, he might be slower than the 300 people trying to log in--of which the first 30 get "service unavailable, try again." It makes the problem self-resolving.

Re:Is this different than a "secret salt"?

[hawguy]

In this scheme, you could do that. In this scheme, if your admin takes 30 seconds to log in and type the password, he might be slower than the 300 people trying to log in--of which the first 30 get "service unavailable, try again." It makes the problem self-resolving.

Oh, I thought it was limited to specific designated accounts. If it works with any 30 (or whatever) number of accounts, then this seems less useful since, thanks to password sharing and social engineering/phishing, an attacker is likely to already know 30 passwords. Once he has 30 password in hand, he'll be able to solve the equation himself and can attack the rest of the database as usual.

Re:Is this different than a "secret salt"?

[mattpalmer1086]

It looks like a message authentication code, but it isn't. Hash(Key || data) is vulnerable to a length extension attack.

Re:Is this different than a "secret salt"?

[TechyImmigrant]

Agreed, provided such and attack fits in the scenario. I'm just questioning the semantic difference between 'secret salt' and 'key'. I don't see a real difference.
 

Re:Is this different than a "secret salt"?

[david_thornley]

Looks like it to me. I'm not sure it would be useful.

Setup a normal scheme with password (unknown to the system) and individual salt (known to the system). Add a key typed in at system start by and administrator, and let the hashed password value rely on all three together.

Therefore, if you don't have the key, you can't produce the hash, and you've got a problem. If you've got the key, of course, it provides no protection at all. Moreover, you can't change the key without having all the passwords to rehash, and if you've got a list of plaintext passwords your security is already crap. So, if you can successfully hide forever a key that has to be present in memory and used constantly, and must be input each time the system comes up, and therefore has to be known by multiple sysadmins, you've got additional security. (You can have it encrypted in the system, and releasable by any sysadmin password. Therefore, you get the encrypted version, and can try to crack that.) My gut feeling is that there's better ways to add security.

Crypto pointless now it seems.

[DarthVain]

Crypto is being supplanted by a lack of rights.

Ob. XKCD:
http://xkcd.com/538/

Now a days you don't have to worry so much about some criminal beating you with a wrench, however you do have to worry about the NSA going to everywhere you actually store information online and forcing them to give the information over "voluntarily" by creating laws under some pretense and threatening legal repercussions, or by just doing it illegally anyway using the usual scare tactics. The same can happen to you personally, and they can pretty much throw you in jail for an infinite amount of time until you produce the password in question anyway.

Anyway criminals are NOT brute forcing huge lists of passwords in the first place. They either take advantage of terrible security in the first place (Hey lets store all the passwords in an unencrypted text file which anyone can access if they know where to look!), software vulnerabilities (Hey your password is super safe, too bad there is that gaping security flaw that lets people bypass passwords altogether!), or social engineering (Hey sure I will give out your password, I'm an IT guy that gets paid 10$ an hour and I really don't give a shit anyway).

So while in an interesting sort of puzzle way this is neat, the actual protections it will afford you is probably very little.

Re:Crypto pointless now it seems.

[DarthVain]

Also I forgot about what I call the FB rule.

Your password is super safe and invulnerable. However you signed a EULA (that is 862 pages long, stored in some obscure location, that can be changed at will) by glancing at it for about 5 seconds to find the next button, that basically gives the rights to all the information you were protecting in the first place, and your first born son, to the company that stores the information, who can and will sell it all to the highest bidder anyway.

LMAO

I'll leave this here:

http://xkcd.com/538/

You lost me

[Hognoxious]

Can someone explain it in terms of a car? Or perhaps two cars, with Alice in one and Bob in the other.

Re:You lost me

[Grax]

OK. Alice is in the Tesla that plays vroom-vroom sounds on the Blaupunkt stereo. Bob is in the Chevy. They both turn their keys but neither car starts. Carl turns the key in his Civic and all three cars start. I think.

Uncrackable? Unthinkable!

[augahyde]

As soon as I hear anybody say that they've developed an impenetrable password scheme, I call their bluff. No, I'm not going to be the one break their scheme, but it will surely be broken.

Re:Uncrackable? Unthinkable!

I can make an impenetrable password scheme. The only problem is that you'll never be able to log into the same account twice!

Open PDF, Ctrl-F "Impossible"...

[StickyWidget]

.... No results found.

~Sticky

yes

[slashmydots]

"does an organization have any excuse if their password database is disclosed and user passwords are cracked?."
Yes: 1. hiring incompetent morons
2. insufficient budget for IT work
3. idiot contractors/vendors

Special accounts not required

[raymorris]

There's no requirement for "special" accounts, though that could be used.

The other option is to just allow your regular users logging in after a reboot to hit the threshold. This would be good for a busy site, where 1,000 users try to log in sooner than an admin can be alerted. That brings up the question of how you authenticate those first N users. The solution is the paper allows a weak authentication before the threshold is hit, so the server could allow "slightly wrong" passwords for the first 30-60 seconds after it starts up.

Re:Special accounts not required

[khasim]

The solution is the paper allows a weak authentication before the threshold is hit, so the server could allow "slightly wrong" passwords for the first 30-60 seconds after it starts up.

Yeah, I think that's a problem. There shouldn't be any way to tell a "slightly wrong" password from any other wrong password.

That brings up the question of how you authenticate those first N users.

Which is a different problem with that approach.

They could have also had the server admin type in the formula for the line that the system will use.

About the only issue this "solves" is having ONE secret that has to be shared between the admins. So you won't have the "disgruntled" problem. Each admin gets his/her own portion of the secret.

Just like requiring two keys to launch a missile.

Re:Special accounts not required

[cryptizard]

It's not "slightly wrong" in that it is lexicographically close to the password. It is a password that hashes to the same first few bits, which is unrelated to the relationship between their plaintexts.

Need a quorum of admins

[tepples]

If you copy the whole system, you still need a quorum of administrators (users whose passwords contribute to the threshold) to connect to your copied system and attempt authentication.

Bob's car won't start until Alice blows his Breath

[raymorris]

Bob's car won't start until Alice blows his Breathalyzer, because Bob's a drunk.

Seriously it's more like Bob's key won't start Bob's car, and Alice's key won't start Alice's car, unless both Bob and Alice turn their keys at the same time. The keys have transponders in them that talk to each other.

Therefore, you can't make an unauthorized spare key by examining Bob's lock - your unauthorized key has to match both Bob's lock and Alice's key.

No? Maybe?

[OglinTatas]

Did you leave your oven on?

You bastard. Did you have to do that?

Having to social engineer more administrators

[tepples]

Is this really different than a "secret salt" [or key] that someone has to load into the server upon reboot?

It's a way to require a quorum of administrators to load the key.

why not just have an admin type in the secret salt that is hashed with each password?

Because then you have to social engineer one administrator. With PolyPassHash, you have to social engineer n administrators.

Re:Having to social engineer more administrators

[hawguy]

Is this really different than a "secret salt" [or key] that someone has to load into the server upon reboot?

It's a way to require a quorum of administrators to load the key.

why not just have an admin type in the secret salt that is hashed with each password?

Because then you have to social engineer one administrator. With PolyPassHash, you have to social engineer n administrators.

Doesn't this part of my post solve than problem?

The secret salt can be protected by N passwords (or maybe it's a hash of those N passwords)

Multiple $5 wrenches

[tepples]

The point of PolyPassHash is that instead of torturing one administrator with a $5 wrench, you have to torture n administrators at the same time with multiple $5 wrenches. This pushes the torture further into organized war crimes as defined in applicable treaties.

Re:Multiple $5 wrenches

That presumes a company would employ the n administrators. The likely process would be n administrators acting as n administrators. Or, an outsourced IT service having the n passwords stored in the clear for quick access.

Re:No? Maybe?

[holophrastic]

No. No I didn't.

Did you lock your car?

Clever, but easily subverted.

It's a clever solution. Don't store the password hashes, instead store a value which could be used to find the password hash *IF* you knew the coordinates of a certain line. Don't store the line on the server, instead, at boot time the server fails the first few people who try to log in (or at least slows them down) until it gathers enough information to figure out where the line is. An attacker who steals ALL data from the server (eg: steals the virtual machine image the server runs from) still can't even validate whether a password is correct because they don't have a stream of people with correct passwords trying to log in.

I think it is completely undermined by a very simple attack: the attacker simply needs to know several correct passwords (where "several" is around the same number as the number of logins needed before the server can correctly validate passwords after it boots up). Seems like you could just open dummy accounts on a system before you steal their data file, or after the fact try a few username-passwords gleaned off some other password leak, a substantial percentage of which will be people reusing passwords.

One version (described in the paper) had the system waiting for a certain number of administrators to log in before allowing the system to function. That seems clearly inferior to simply encrypting the entire data store and not functioning until an administrator logs in and enters the decryption key (which is then kept only in memory).

1 < n < m

[tepples]

PolyPassHash is a way of protecting what you call "the secret salt" with any n of m passwords, where 1 < n < m.

good engineering RIP

[epine]

Now a days you don't have to worry about [small sky falling], but you do have to worry about [large sky falling].

Once upon a time, real engineers solved the solvable problems in whatever order solid solutions presented themselves, so that presently unsolvable problems evolved into greater relief.

I thought it was a good system. Good engineering, RIP.

Re:1 n m

[hawguy]

PolyPassHash is a way of protecting what you call "the secret salt" with any n of m passwords, where 1 < n < m.

Ok, so that makes sense -- it really has nothing to do with protecting password hashes, it's just an "n of m split secret" algorithm.

call/cc

[istartedi]

Of course. They wrote it in Scheme and used call/cc wherever possible. Now nobody can get in because nobody can understand it, not even the guy who wrote it.

Re:call/cc

[david_thornley]

Way back when, there was a bulletin board system that the creators wanted to make impossible to effectively change, so the FBI would not be able to modify it to track individual users. It was written in Forth. APL was not readily available on small computers back then, or anything with call/cc.

Re:call/cc

[istartedi]

LOL, that's good too. It's my understanding that a good Forth program has simple words with relevant names. I can just imagine giving them misleading names and/or merging them into long functions. I love concatenative language and point-free style; but just like anything else they can be abused.

hunter2

1. Create four accounts with a known password
2. Retrieve password hashes/salts
3. Crack away

Nice idea, but doesn't add anything for systems which allow anyone to create an account. Correct me if I'm wrong, I only half read TFA.

You just nailed a HUGE problem, I think

[raymorris]

> Yeah, I think that's a problem. There shouldn't be any way to tell a "slightly wrong" password from any other wrong password.

I'm not sure, but I think you just identified a HUGE problem. I believe the paper says the admin can specify how close to correct it has to be, as in how many bytes are checked. So the attacker sets their copy to check only the first byte and tries A-Z, 0-9, and !-=. That takes a millisecond to try 80 characters or so. Once they know the first character, they set it to also check the second character. A ten character password would fall in about 10 milliseconds.

Rediculous

[ThatAblaze]

So this system would work for a web-server where a bunch of people are logging in all the time. It passes test #1: It can be implemented.

However, the security that this system imparts would only help for the first few (N - 1, depending on how many blocks are required to overlap) passwords. Once you have those first few passwords this system provides zero benefit, since you can use the passwords you know as keys to crack any future ones. If users can make user accounts then all you need to do is make N - 1 user accounts and you have completely defeated this system.

So this system creates a HUGE new constraint on your user management system: No accounts can ever be issued to any parties outside of your home trusted zone. I suppose there might be one situation in which this solution might be useful: classified government work. In all other situations this solution is worthless.

Re:Rediculous

[chuckugly]

""What about a service like Facebook or Gmail where anyone can register an account?" It is possible to use accounts that contribute to the line (threshold accounts) as a key to encrypt other account credentials (thresholdless account). So an attacker can know any number of those thresholdless accounts and cannot crack other thresholdless account or the threshold accounts."

Re:Rediculous

[ThatAblaze]

So basically users have to wait for someone in your home group to log in to be able to log in themselves? For public webservices they have far more regular users than they do public accounts.

Anyway, I take back what I said before about it being implementable. There is a huge flaw with validating user accounts in blocks: if anyone in the block enters invalid credentials then ALL users in that block will receive a password validation error. As a user it would be completely unacceptable to enter a password and then have to reenter because some other foolish user entered THEIR password wrong. Also, if someone started flooding the server with bad password attempts then it would be very difficult for anyone to log in ever.

Introduces a whole new method of attack = fail.

Re:Rediculous

[jiadran]

Thank you for pointing out one of the real flaws of the system! (sorry, no mod points)

There is another one: Since most people still use weak passwords (such as "password" and "123456"), if you have access to a password store, you can try a combination of user logins with the most likely passwords until you get a combination that is validated (I didn't run the numbers, but I bet it would hardly slow you down). Once you have that, you can use this to crack the rest of the passwords. So you wouldn't need to create fake accounts at all.

Re:Rediculous

[ThatAblaze]

Yes, you have a point. Although I do actually think that the classical rainbow table would fail there. Considering that with a classical rainbow table it is trivial to try, lets just say, 100 most common passwords. If those 100 don't work find a new user account and try again. With this method, however, it would actually be 10 billion combinations you would have to try, since you don't know which of the stupid passwords might correspond to which accounts. (Actually I think, knowing something about the math, that it would be less. I think that if you knew you were dealing with the same 5 users each time then the password wouldn't have to match that specific user. e.g. user A + pass 1 + user B pass 2 would be equivalent to user A pass 2 + user B pass 1).

However, that just defeats a single method of attack. Since we don't care about which accounts we use we could maybe look through the password hint field and find 5 people who set their password hint or challenge question to something that basically tells you the password, like "Shobiny and then the number seven" thinking they were clever. Don't allow password hints? Well.. there's another huge constraint.

I still think the worst part of this system is like I said above: While the system is running, any attempt to crack a password would essentially lock down the entire password management system for everyone, since chances are there would be at least one bad password in every block.

Nope, re-reading it, the threshold is static

[raymorris]

Disregard my post that is parent to this one. The threshold for weak authentication is set when the system is set up, and can't be adjusted by an attacker who has the database. (Modulo a non-obvious flaw, of course.)

Re:Bob's car won't start until Alice blows his Bre

[bluefoxlucid]

Alice's lock and Bob's key.

Even simpler

[Giant+Electronic+Bra]

Just store the state of the vector space that corresponds to proper initialization in some sort of HSM. As part of the boot process you load that into memory and you are now initialized and ready to do full-strength authentication. If the startup process for your system is properly implemented this shouldn't present any unusual security problem. Its probably possible to automate this kind of process as well (say if said HSM only outputs data, so it would actually generate a 'boot command' including the vector space state, and send it to the application shell on starup, then the HSM would shut down until your system was reset).

I don't think any of the objections I've seen raised here are really valid. This kind of scheme is certainly more work than simple hashed passwords, but at this point it kinda seems like those aren't really adequate anymore, eh?

Re:Even simpler

[Rich0]

Just store the state of the vector space that corresponds to proper initialization in some sort of HSM. As part of the boot process you load that into memory and you are now initialized and ready to do full-strength authentication.

If you're willing to do that, then just encrypt the password file and store the key in an HSM. Having the initialization vector is equivalent to having the password file with just conventional hashes.

I guess the advantage with this system is that if you have to restore from a backup tape after physical loss of the HSM then you can recover the file by just having a bunch of accounts log in.

Of course, if the attacker has a bunch of valid accounts on the system, then he can do the same thing and get the hashes...

Re:Even simpler

[Giant+Electronic+Bra]

Just store the state of the vector space that corresponds to proper initialization in some sort of HSM. As part of the boot process you load that into memory and you are now initialized and ready to do full-strength authentication.

If you're willing to do that, then just encrypt the password file and store the key in an HSM. Having the initialization vector is equivalent to having the password file with just conventional hashes.

I guess the advantage with this system is that if you have to restore from a backup tape after physical loss of the HSM then you can recover the file by just having a bunch of accounts log in.

Of course, if the attacker has a bunch of valid accounts on the system, then he can do the same thing and get the hashes...

The cure for that was in the paper, only specific accounts would be able to perform the initialization. Other accounts can authenticate, but they won't contribute to the initial setup of the vector space.

I suppose in essence you are correct, you could encrypt the whole file. So it just comes down to which is more convenient presumably.

In the real world its simpler

[Giant+Electronic+Bra]

99.9999% of all web applications, even the most incredibly custom stuff, uses a known framework that uses a known type of hashing and a salt that is stored in some standard place. Thus you don't really have to do any super complicated legwork. Even if you aren't SURE what your target is using there aren't that many choices and you can guess that MOST PHP programs use X, and most things deployed on JBoss use Y, and etc. looking at the length and form of the hash can often reduce the problem as well. If you can create an account on the victim system beforehand you have a known plaintext to play with also, which will give you your answer instantly assuming you have the salt or salting algo.

"What about a service like Facebook or Gmail where

[sberge]

anyone can register an account?"

FAQ says:

It is possible to use accounts that contribute to the line (threshold accounts) as a key to encrypt other account credentials (thresholdless account). So an attacker can know any number of those thresholdless accounts and cannot crack other thresholdless account or the threshold accounts.

Can somebody please reexplain this in a way that a dumb child would understand?

Matrix

The crew of the Logos must destroy a power plant to prevent a security system from being triggered, and the crew of the Vigilant must destroy a back-up power station.... so they can use the key while the system is being rebooted.

BAM hacked! lol

Re:"What about a service like Facebook or Gmail wh

Can somebody please reexplain this in a way that a dumb child would understand?

Must crack some admin passwords first to crack password for gmail / facebook users.

I don't get it.

If someone can access hashes of passwords, they can access the data itself. If the data is encrypted, it is encrypted via a chain of weaker and weaker things that end with the user's 6-char password. Thus it is equally crackable.
What they did is they encrypted the data with more than a single 6-digit string.
This is old news. You can use a smartcard, if you are smart, to have 1024bits or more of secrets.
Some fancy math. But nothing new. Safes have been locked with three or more separate keys since forever.

Hmm

By that time, computers will be powerful enough to break it anyway.

good, but quote the numbers

" it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. "

It is a good thing. Wow factor aside, but is there a number, even if we measure in units of the universe's estimated age?

Requires good password rules

[purplie]

If 1/10 of users use "password" as the password, randomly pick a set of N users (where N is the "threshold", they suggest a small number like 1
To another point, if only administrators have threshold accounts, this has the same result (and is more complicated) than using Secret Sharing to have N administrators share an ordinary encryption key (which would then be retained only in memory) for encrypting the salted hashes.

BTW look toward the bottom of the paper for a nice roundup of alternative techniques.

MOD UP PARENT

Are you some weird kind of illiterate where you can write but not read, or are you just too arrogant to read the comment you're replying to?

I guess it is easier to write a comment that way. If gweirdih had read what he was replying to, he'd have seen that the parent post completely destroyed the point gweirdhi was trying to make.

Meh.

[TheSHAD0W]

Near as I can tell, this is equivalent to a system which stores the hashes in an encrypted form, except the encryption relies on the passwords of other users rather than an administrator's password. This may IMO make this system less secure, depending on how public the interface is; an attacker could sign up with multiple accounts on the system before grabbing a copy of the encrypted hashes. They would then have a set of passwords which could be used to validate additional ones.

Great idea in theory, pointless in the real world

[ramriot]

After reading though their paper and getting a better understanding of the exact protocols etc. I can say assuredly that this method of protecting a database from use-after-theft is pointless.

Here is my reasoning (Ignoring the possible patch to allow pre-knowledge authentication for now, as that leaks way too much information);
1/ The whole system relies on the use of a threshold system of password login attempts to dynamically build the in-memory database decryption key.
2/ That can either happen by one or more administrators attempting login after restart or by using a queued user authentication stack.
3/ In their own FAQ they state that weak passwords should be avoided as this weakens the system.

My assertion is that any real world use of this system is open to humans picking passwords, and humans are really bad at that. That being so, if I were to run an SQL injection to steal the user table I would do the following:-

a) From a dictionary of common "non-weak" human passwords (see recent thefts for the list) pick a password.
b) Run it using the sites hash, using the record salt against every entry, producing a possible hash Hp.
c) XOR that with the hash in the table to get a possible Shamir share Sp.
d) pick random lists of Sp and combine (derive constant from equasion) to see if a statistically significant number of entries agree on a table key C and the share ratio R.
e) If not successful, rinse and repeat with another password and/or repeat to confirm C.

This algorithm should under any normal use derive C in quite short order provided there are at least R+1 repeats of any provided password guess.

If Zontar gets infinite meds? There's hope!

Zontar's "touched in the head": schizophrenic multiple personality disorder http://slashdot.org/comments.p... + manic depression http://slashdot.org/comments.p... now go take those meds, you whacko!

Zontar = sockpuppeteer & lying libeler

"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...

You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.

Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!

---

You avoided backing up your accusation where YOU said I say you are Barbara, not Barbie = TomHudson (same person http://tech.slashdot.org/comme... , & sockpuppeteer like you) -> http://slashdot.org/comments.p...

Funny you can't back up your "bluster" there either, lol...

---

Why, Lastly?

You're crackers! See here multiple personality disorder http://slashdot.org/comments.p... + manic depression http://slashdot.org/comments.p...

APK

P.S.=> So, THIS quote below is my policy on sockpuppeteers like you Zontar = TrollingForHostsFiles (your sockpuppetry):

"The only way to a achieve peace, is thru the ELIMINATION of those who would perpetuate war (sockpuppet masters like YOU, troll -> http://slashdot.org/comments.p... ). THIS IS MY PROGRAMMING -> http://start64.com/index.php?o... & soon, I will be UNSTOPPABLE..." - Ultron 6 FROM -> http://www.youtube.com/watch?v...

Which quite obviously, I am, since none of you DOLTISH TROLLS are able to validly technically disprove my points on hosts enumerated in the link to my program above of how hosts give users of them more speed, security, reliability, & anonymity... period!

(Trolls like YOU that use sockpuppets http://slashdot.org/comments.p... (your sockpuppet "alterego" TrollingForHostsFiles) & TomHudson - Barbara, not Barbie too http://tech.slashdot.org/comme... before you)

... apk