Slashdot Mirror

← Back to Stories (view on slashdot.org)

NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible

Posted by timothy on from the impossible-is-difficult dept.

An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."

4 of 277 comments (clear)

  1. Re:WTF? by CastIronStove · · Score: 5, Insightful

    Instantly, since all possible combinations will occur simultaneously.

  2. Any Excuse? Yes. by holophrastic · · Score: 5, Insightful

    Security isn't about safety. The vast majority of passwords are for identification, rather than security. And the ones that are for security, are for a "reasonable" amount of security. The biggest point is to make breaking it an obviously-intentional exercise -- because that can be made illegal. It's not about stopping criminals. It's about defining criminals.

    So go ahead and make your twitter account password super-secure so that no one can ever hack in. And then go home to your cylinder lock, easily pickable, next to the big glass window. Then tell us how safe you are -- remembering that whether or not you keep your twitter password on a sticky note, and whether or not your desktop e-mail is accessible within your home without a password, your children and your wife, and your dog are sleeping behind not such password.

    And any locksmith can break into any car, as a ten-second paid-for emergency service. And so can anyone who's watched them do it.

    Stop trying to feel safe. Just feel safe. It's a lot easier, cheaper, and much more valid.

    Did you leave your oven on?

  3. Re:WTF? by Chris+Mattern · · Score: 4, Insightful

    So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords).

    No, it doesn't work that way; that's the whole point. If you have the hash and are trying to compare against it, you can't just try all the possible passwords because if haven't cracked the other passwords you don't know how to produce the hash that corresponds to a given password. If you're just trying passwords at a login prompt, brute force is trivial to defeat (best method will most likely be simply imposing an increasing login delay with each wrong attempt).

  4. Re:WTF? by Anonymous Coward · · Score: 5, Insightful

    Even if all of them typed the same thing the rest of them would type the other combinations.