Slashdot Mirror


NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible

An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6-character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?"
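To make the mechanism in the summary concrete, here is a toy implementation of the idea, added for this page; it is not the NYU group's C or Python code and does not follow their storage format. It assumes a Shamir polynomial over GF(p) with p = 2^127 - 1, SHA-256 as the password hash (a real deployment would use a slow KDF), shares blinded by adding the hash modulo p, and a SHA-256 check value on the polynomial's constant term so a recovered secret can be validated; the paper's exact choices for these details may differ. Each account record is a share of a random polynomial masked with that account's salted password hash, so a single guessed password unblinds to an arbitrary field element that cannot be checked on its own. Verification becomes possible only after a threshold of correct logins recovers the polynomial, and an attacker holding a copy of the store has to guess k passwords jointly, which is what `crack_group` at the end enumerates.

```python
# Toy PolyPassHash-style store: added example for this page, not the NYU code.
# Assumed details (not from the article): Shamir shares over GF(P) with
# P = 2**127 - 1, SHA-256 as the hash, additive blinding, SHA-256 check on f(0).
import hashlib
import itertools
import secrets

P = 2**127 - 1  # Mersenne prime; every share is an element of GF(P)


def _h(salt: bytes, password: str) -> int:
    """Salted password hash reduced into the field (stand-in for a slow KDF)."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % P


def _interpolate(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) that passes through the given (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _check_value(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


class PolyStore:
    """records: user -> (x, salt, blinded) with blinded = (f(x) + H(salt, pw)) mod P.
    points: k known (x, f(x)) pairs that fix the polynomial; None while locked."""

    def __init__(self, threshold, records, secret_check, points=None):
        self.k = threshold
        self.records = records
        self.secret_check = secret_check
        self.points = points

    @classmethod
    def create(cls, threshold, accounts):
        """New store: random polynomial f of degree < threshold, one share per account."""
        coeffs = [secrets.randbelow(P) for _ in range(threshold)]

        def f(x):
            return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

        records = {}
        for x, (user, pw) in enumerate(accounts, start=1):
            salt = secrets.token_bytes(16)
            records[user] = (x, salt, (f(x) + _h(salt, pw)) % P)
        points = [(x, f(x)) for x in range(1, threshold + 1)]
        return cls(threshold, records, _check_value(coeffs[0]), points)

    def _candidate_point(self, user, password):
        """Unblind one record with a password guess. The result is always *some*
        field element, so a single guess cannot be checked in isolation."""
        x, salt, blinded = self.records[user]
        return x, (blinded - _h(salt, password)) % P

    def unlock(self, logins):
        """Recover the polynomial from >= k (user, password) pairs; True on success.
        One wrong password in the set yields a wrong f(0) and the check fails."""
        if len(logins) < self.k:
            return False
        pts = [self._candidate_point(u, pw) for u, pw in logins[: self.k]]
        if _check_value(_interpolate(pts, 0)) != self.secret_check:
            return False
        self.points = pts
        return True

    def verify(self, user, password):
        """Check a single password; only possible once the store is unlocked."""
        if self.points is None:
            raise RuntimeError("store locked: a threshold of correct logins is needed first")
        x, share = self._candidate_point(user, password)
        return share == _interpolate(self.points, x)

    def locked_copy(self):
        """What a database thief gets, and what the server holds right after a reboot."""
        return PolyStore(self.k, dict(self.records), self.secret_check)


def crack_group(locked, candidate_lists):
    """Offline attack on a stolen store: guesses can only be tested k at a time,
    so the work is the product of the candidate-list sizes, not their sum.
    Returns (winning passwords by user, attempts made)."""
    users = [u for u, _ in candidate_lists]
    attempts = 0
    for combo in itertools.product(*(c for _, c in candidate_lists)):
        attempts += 1
        if locked.unlock(list(zip(users, combo))):
            return dict(zip(users, combo)), attempts
    return None, attempts
```

With threshold k and N candidate passwords per account, `crack_group` has to try up to N^k combinations, whereas independently salted hashes cost k*N guesses in total; that exponent is where the summary's age-of-the-universe comparison comes from. Note that the toy hash here is far cheaper per guess than a real deployment's KDF, and that a server using such a store cannot verify anyone until k correct logins have unlocked it after a restart.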

9 of 277 comments

  1. Hmm by war4peace · · Score: 5, Funny

    Maybe I should look at this implementation for my upcoming MMO, which will likely go live somewhere in 2030 :)

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  2. Re:WTF? by g0bshiTe · · Score: 4, Funny

    I call it, "Monkey Improbability Hacking".

    I'll lease it to you for the low low price of .0000024 btc

    --
    I am Bennett Haselton! I am Bennett Haselton!
  3. longer to crack than the age of the universe? by aneroid · · Score: 5, Funny

    ...it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist.

    Let's hope they're not creationists.

  4. Re:Clarification by VortexCortex · · Score: 3, Funny

    I fucking love this!

    I hope every web company uses it. That way when users realize their boycotts have the potential power of cascading effects they'll finally have to bow to our demands and implement a better password system!

  5. No? Maybe? by OglinTatas · · Score: 4, Funny

    Did you leave your oven on?

    You bastard. Did you have to do that?

  6. Re:This idea is really BS by Hognoxious · · Score: 4, Funny

    Get them to write their passwords on a post-it(tm) note and stick it to the server.

    Do I have to do all the thinking around here?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Re:WTF? by Lumpy · · Score: 3, Funny

    Plus the monkeys smell better.

    --
    Do not look at laser with remaining good eye.
  8. Re:WTF? by Zontar The Mindless · · Score: 2, Funny

    Somebody actually gets what "infinite" actually means.

    Perhaps there is hope for the human race, after all.

    --
    Il n'y a pas de Planet B.
  9. Re:WTF? by pushing-robot · · Score: 4, Funny

    That was a flaw with early experiments, but we've since worked it out. With our updated business model, we only provide you with one monkey and typewriter in this universe. At the same time, in each of infinite parallel universes, the parallel 'we' give the parallel 'you' a monkey and typewriter as well. Each typewriter is equipped with a lovingly crafted and painstakingly entangled transceiver to broadcast and monitor an infinity of random typing, listening and waiting for your answer to ephemerally cross its antenna.

    Great news! It's statistically certain that one of the infinite monkeys has already typed the answer you seek. However, due to information propagation delays, it may take between zero and infinite time to reach your universe. Rest assured, though, it's on its way. While you wait, please enjoy your monkey. And typewriter.

    Thank you for your business!

    --
    How can I believe you when you tell me what I don't want to hear?