Slashdot Mirror

← Back to Stories (view on slashdot.org)

NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible

Posted by timothy on from the impossible-is-difficult dept.

An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."

44 of 277 comments (clear)

  1. Hmm by war4peace · · Score: 5, Funny

    Maybe I should look at this implementation for my upcoming MMO, which will likely go live somewhere in 2030 :)

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  2. WTF? by JMZero · · Score: 3, Insightful

    To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password. And it didn't take all the computers in the universe forever to do so.

    Maybe this is a great system, but the hyperbole in the summary is ridiculous.

    --
    Let's not stir that bag of worms...
    1. Re:WTF? by pastafazou · · Score: 3, Insightful

      Posit: An infinite number of monkeys on an infinite number of keyboards will eventually crack all your passwords.

    2. Re:WTF? by CastIronStove · · Score: 5, Insightful

      Instantly, since all possible combinations will occur simultaneously.

    3. Re:WTF? by Geoffrey.landis · · Score: 4, Interesting

      To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password.

      No, as I understand it from the article, you can't tell if a single user password is correct, because you don't have a measure for "correct"-- all that you check whether that password points to the same place (in a multidimensional phase space) that other passwords project to. (It does seems to only work is you can assuming that all, or at least "most," of the other passwords people enter are correct).

      --
      http://www.geoffreylandis.com
    4. Re:WTF? by g0bshiTe · · Score: 4, Funny

      I call it, "Monkey Improbability Hacking".

      I'll lease it to you for the low low price of .0000024 btc

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:WTF? by Chris+Mattern · · Score: 4, Insightful

      So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords).

      No, it doesn't work that way; that's the whole point. If you have the hash and are trying to compare against it, you can't just try all the possible passwords because if haven't cracked the other passwords you don't know how to produce the hash that corresponds to a given password. If you're just trying passwords at a login prompt, brute force is trivial to defeat (best method will most likely be simply imposing an increasing login delay with each wrong attempt).

    6. Re:WTF? by parallel_prankster · · Score: 4, Informative

      Yes, did you RTFA? They specifically mention that this step is needed everytime the system boots. They have also provided some ideas on how to achieve this automatically.

    7. Re:WTF? by JMZero · · Score: 2

      Yeah - I was wrong. I had assumed that the system would need to be able to log in a single user based on their password (crazy me!) and that was incorrect.

      --
      Let's not stir that bag of worms...
    8. Re:WTF? by khasim · · Score: 2

      More like you have the hashes for all the passwords (you downloaded it when you cracked their server).

      And you have ONE password that you created on their system. So you have a password and a hash for that password. From which you can probably deduce the "salt" used.

      But you cannot get the passwords from the other hashes because they each use a different "salt".

      The problem is that the "salt" for each password is calculated by that machine based upon "special" accounts providing correct passwords that provide the information needed to generate the line that is used instead of a traditional "salt".

      Which means that those "special" accounts are now ONE SET of keys to cracking that entire system. And they have to be secured.

      And I'm still not convinced that, given enough passwords, their system does not fail anyway. And password re-use is a major problem with users and their passwords.

    9. Re:WTF? by donaldm · · Score: 2
      Actually if a cracker wanted to get a user's password all they need to do is contact the target in a so called official manner stating that they think that their account has been compromised and they need their password to check. Surprisingly many people would actually fall for this so a cracker would prefer to use social engineering to get a password rather than try the brute force method which would normally raise alarm bells with System Administrators. Of course this assumes that the System Administrators of a targeted machine have some level of competence and integrity.

      Actually brute force cracking is the stuff of Hollywood movies since most operating systems have a policy that is set to 3 or 4 strikes and the account is locked. Although I have seen sites were this was not enforced. Of course there are ways of restricting access even further such as one time passwords but the problem of security is still the weakest link in the chain and that is the user.

      Maybe this is a great system, but the hyperbole in the summary is ridiculous.

      Could not agree more.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    10. Re:WTF? by Anonymous Coward · · Score: 5, Insightful

      Even if all of them typed the same thing the rest of them would type the other combinations.

    11. Re:WTF? by Kjella · · Score: 4, Informative

      Does it come with an actual monkey? I wouldn't want to end up with an MSCE or some other poor substitute, monkeys are both cuter and put less shit on your servers. Of course both could be replaced by a very small shell script. but I need one for the head count and scripts run headless so that won't do.

      --
      Live today, because you never know what tomorrow brings
    12. Re:WTF? by kasperd · · Score: 3, Informative

      So... how do you know if a user can log in? You have to wait until a bunch of users want to log in simultaneously?

      Exactly. The first of those users will experience the password validation taking longer than usual. How much longer depends on various parameters in the system. If some of the users gave up and closed the connection, you still have the information needed for unlocking, so you don't need all of those users to log in simultaneously. You just need enough different users trying to log in after a restart. Once the threshold is reached, that user will get logged in after having to wait at most a couple of seconds. Earlier users will get logged in at the same time if they are still waiting.

      But I suspect you might be able to DoS that process by just submitting a stream of invalid passwords. They may be able to avoid that through the partial validation described in the paper, but the partial validation sounds like it leaks so much information, I would rather trust an old-school salted hash.

      --

      Do you care about the security of your wireless mouse?
    13. Re:WTF? by Cenan · · Score: 3, Insightful

      Hook the keyboards up in parallel and combine all the inputs to produce infinite outputs and you get instant monkey cracking. Thought now you're stuck with infinite monkeys with nothing to do.

      --
      ... whatever ...
    14. Re:WTF? by Cenan · · Score: 2, Insightful

      There is nothing to suggest that an infinite amount of monkeys wont produce an infinite amount of "a"s. Adding more monkeys could produce more "a"s.

      --
      ... whatever ...
    15. Re:WTF? by Lumpy · · Score: 3, Funny

      Plus the monkeys smell better.

      --
      Do not look at laser with remaining good eye.
    16. Re:WTF? by Zontar+The+Mindless · · Score: 2, Funny

      Somebody actually gets what "infinite" actually means.

      Perhaps there is hope for the human race, after all.

      --
      Il n'y a pas de Planet B.
    17. Re:WTF? by pushing-robot · · Score: 4, Funny

      That was a flaw with early experiments, but we've since worked it out. With our updated business model, we only provide you with one monkey and typewriter in this universe. At the same time, in each of infinite parallel universes, the parallel 'we' give the parallel 'you' a monkey and typewriter as well. Each typewriter is equipped with a lovingly crafted and painstakingly entangled transceiver to broadcast and monitor an infinity of random typing, listening and waiting for your answer to ephemerally cross its antenna.

      Great news! It's statistically certain that one of the infinite monkeys has already typed the answer you seek. However, due to information propagation delays, it may take between zero and infinite time to reach your universe. Rest assured, though, it's on its way. While you wait, please enjoy your monkey. And typewriter.

      Thank you for your business!

      --
      How can I believe you when you tell me what I don't want to hear?
  3. Any Excuse? Yes. by holophrastic · · Score: 5, Insightful

    Security isn't about safety. The vast majority of passwords are for identification, rather than security. And the ones that are for security, are for a "reasonable" amount of security. The biggest point is to make breaking it an obviously-intentional exercise -- because that can be made illegal. It's not about stopping criminals. It's about defining criminals.

    So go ahead and make your twitter account password super-secure so that no one can ever hack in. And then go home to your cylinder lock, easily pickable, next to the big glass window. Then tell us how safe you are -- remembering that whether or not you keep your twitter password on a sticky note, and whether or not your desktop e-mail is accessible within your home without a password, your children and your wife, and your dog are sleeping behind not such password.

    And any locksmith can break into any car, as a ten-second paid-for emergency service. And so can anyone who's watched them do it.

    Stop trying to feel safe. Just feel safe. It's a lot easier, cheaper, and much more valid.

    Did you leave your oven on?

  4. That's a nice technical solution you have there by H3lldr0p · · Score: 2

    The problem is a human one, however.

    Yes, this makes it harder should someone get to your stored hashes. But it doesn't make it any more secure if people continue to use "123ABC" as a password. Which they will do since that's an easy thing to remember.

    1. Re:That's a nice technical solution you have there by squiggleslash · · Score: 3, Informative

      Just to make it clear, because a lot of posters here appear to be confused as to what this is for:

      This isn't about securing individual passwords. This is about securing collections of passwords and doing something about situations where some website's master table of usernames and hashed passwords gets leaked, somehow.

      Right now, when that happens, people with the password "123ABC" (or "password" or "secret" or whatever) are easily identifiable because you can look for the hashes of those texts amongst the passwords.

      However, with this technology, you would need to already know a large number of existing username/password combinations before you could begin to look for users with easily guessed passwords.

      How secure is it? Well, put it this way: if the system is rebooted, then it won't become available until a large enough body of users has tried to log in...

      --
      You are not alone. This is not normal. None of this is normal.
  5. Clarification by JMZero · · Score: 5, Interesting

    So it turns out their system, after a reboot, can't just validate a single user (I guess that was a crazy assumption on my part) - it has to have logins from a number of users before it can authenticate anyone. And if you don't want the system breakable by someone just creating a bunch of accounts (eg. normal users on a public website), these prime logins have to be more "special accounts".

    Practically, if you need some special logins after every reboot in order for the system to come online, you're going to have to have multiple people assigned this job. Or one person with N passwords he logs in with. In which case, why not just give that guy a one time pad sort of thing that he primes each server with? I mean, these passwords are going to be unrecoverable and encrypted with, effectively, an unchanging key. So... uh, we have ways to do that.

    Oh wait, there's an extension that gets around this, and has the property of "the server can check and eliminate most wrong passwords right after reboot". I'm sure a lot of bosses will like that - it'll reject most wrong passwords. Great.

    It's a clever idea, but I think there's some real hard sell problems there.

    --
    Let's not stir that bag of worms...
    1. Re:Clarification by MarcoAtWork · · Score: 3, Insightful

      why would you need multiple people assigned to this job? seems to me if you are really concerned you could 'prime' this system by using an attached HSM with however many random accounts/passwords you'd like to be logged in at bootup: outside of somebody physically breaking into your server room and stealing your keycard it would seem quite secure to me...

      --
      -- the cake is a lie
    2. Re:Clarification by JMZero · · Score: 2

      Yeah - but that system would have nothing to do with this. If you want to do that, it's cool and it'll work.

      The interesting part of THIS system is that it can recover the secret it needs just by having multiple users authenticate. Which is a really cool property for some possible purpose, but I don't see how it fits well with the requirements of a "normal" authentication system and how that needs to respond.

      --
      Let's not stir that bag of worms...
    3. Re:Clarification by VortexCortex · · Score: 3, Funny

      I fucking love this!

      I hope every web company uses it. That way when users realize their boycotts have the potential power of cascading effects they'll finally have to bow to our demands and implement a better password system!

  6. Re:This idea is really BS by Anonymous Coward · · Score: 2, Informative

    This scheme fails in practice (another over-hyped idea that fails to deliver as has gotten so common these days): It requires a number n of users to log-in before any password can be checked! That is right, the first n-1 have to wait until n are there, because before n good (!) passwords are available to the server, it cannot verify even one.

    You must have skipped reading TFA. The "different" logins can be administrative passwords, so that whenever a login is attempted, the user passwords is only one of multiple passwords, where the other passwords can be administrative passwords. The point is to make the password file, when stolen, be safer. If you do not have aceess to the administrative passwords, the cracking of the passwords from the stolen file gets too computationally intensive.

  7. Running memory by holophrastic · · Score: 3, Informative

    The article says: "if an attacker can read memory on a running server, they can steal passwords unencrypted regardless of the technique that is used".

    The article concludes that al we're trying to do is to resist passwords stored on-disk. Congrats. So here's my fix-all solution. When the server is booted, it loads all of the passwords into memory, and then physically disconnects the disk. And we're done. You know, except for the whole entire memory space.

    This is just another one of those "make this link in the chain even stronger because once someone broke through it" forgetting that there are dozens of other weaker links that simply have yet to be targetted.

  8. longer to crack than the age of the universe? by aneroid · · Score: 5, Funny

    ...it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist.

    Let's hope they're not creationists.

    1. Re:longer to crack than the age of the universe? by steelfood · · Score: 2

      10K years is more than enough for anybody.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  9. SRP (Secure Remote Protocol) by kye4u · · Score: 4, Interesting

    That problem is already solved. It is called SRP With SRP, even if the attacker has full access to the host, they cannot reverse engineer the passphrase.

    1. Re:SRP (Secure Remote Protocol) by Anonymous Coward · · Score: 2, Informative

      Sadly thats not true. When the attacker has the password database SRP degrades to being just a regular salted password.

  10. really? by amaupin · · Score: 2, Interesting

    To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour.

    Really? Okay, here are three NONrandom 6 character passwords that are stored using standard salted secure hashes:

    a44a6d60ebc202a7d296d82a7eac5748b7a93474c996e533795d769b297e613c
    5529ce75d4bf3bc7b488c8591906cc39bf5ac90feeeb9fbc278b0f98e03cafc6
    9de700d2bc4fa3ed30a3459a9cffd7785c10f465c5b9cfb4a83d417e9347f0f9

    Start your laptops, gentlemen. I'll even give you a hint. The first password is 123456. The second is abcdef.

  11. Re:This idea is really BS by RKThoadan · · Score: 2

    While I'm not necessarily all that impressed by this, your specific criticism doesn't seem to be valid. It appears that n accounts are pre-created with null information and assigned out as needed. When those are about to get used up another n are created. There would appear to be a possible attack on a new account by creating lots of dummy accounts to have a big chunk of the password space under your control, but that seems like a pretty uncommon circumstance.

    What I like about it is that it seems to protect stupid users from themselves. All the salt in the world doesn't do much for people who just use "password" for their password. It will still fall in the blink of an eye. We often seem to have the opinion that they deserve it for choosing a poor password, but it's still a compromised account.

    The threat model is very limited to "attacker got the password hashes", but that is a common threat currently. If you're going to pick one, that's not a bad choice. It's biggest issue may be if tomorrows threat model is significantly different.

  12. Is this different than a "secret salt"? by hawguy · · Score: 2

    Is this really different than a "secret salt" that someone has to load into the server upon reboot?

    Instead of requiring N correct passwords to let the server build up its Shamir Secret Store data structure that lets it validate passwords, why not just have an admin type in the secret salt that is hashed with each password?

    Without that secret salt, the password file is useless. The secret salt can be protected by N passwords (or maybe it's a hash of those N passwords) just like the Shamir Secret Store data, the only difference is that instead of the server computing it the secret data, the administrator(s) types it in directly. If someone can compromise the server to get the secret salt (or can social engineer the administrator password(s), they can also get to the Shamir Secret Store data, so it doesn't seem any less secure.

  13. Crypto pointless now it seems. by DarthVain · · Score: 3, Interesting

    Crypto is being supplanted by a lack of rights.

    Ob. XKCD:
    http://xkcd.com/538/

    Now a days you don't have to worry so much about some criminal beating you with a wrench, however you do have to worry about the NSA going to everywhere you actually store information online and forcing them to give the information over "voluntarily" by creating laws under some pretense and threatening legal repercussions, or by just doing it illegally anyway using the usual scare tactics. The same can happen to you personally, and they can pretty much throw you in jail for an infinite amount of time until you produce the password in question anyway.

    Anyway criminals are NOT brute forcing huge lists of passwords in the first place. They either take advantage of terrible security in the first place (Hey lets store all the passwords in an unencrypted text file which anyone can access if they know where to look!), software vulnerabilities (Hey your password is super safe, too bad there is that gaping security flaw that lets people bypass passwords altogether!), or social engineering (Hey sure I will give out your password, I'm an IT guy that gets paid 10$ an hour and I really don't give a shit anyway).

    So while in an interesting sort of puzzle way this is neat, the actual protections it will afford you is probably very little.

  14. Special accounts not required by raymorris · · Score: 2

    There's no requirement for "special" accounts, though that could be used.

    The other option is to just allow your regular users logging in after a reboot to hit the threshold. This would be good for a busy site, where 1,000 users try to log in sooner than an admin can be alerted. That brings up the question of how you authenticate those first N users. The solution is the paper allows a weak authentication before the threshold is hit, so the server could allow "slightly wrong" passwords for the first 30-60 seconds after it starts up.

    1. Re:Special accounts not required by khasim · · Score: 2

      The solution is the paper allows a weak authentication before the threshold is hit, so the server could allow "slightly wrong" passwords for the first 30-60 seconds after it starts up.

      Yeah, I think that's a problem. There shouldn't be any way to tell a "slightly wrong" password from any other wrong password.

      That brings up the question of how you authenticate those first N users.

      Which is a different problem with that approach.

      They could have also had the server admin type in the formula for the line that the system will use.

      About the only issue this "solves" is having ONE secret that has to be shared between the admins. So you won't have the "disgruntled" problem. Each admin gets his/her own portion of the secret.

      Just like requiring two keys to launch a missile.

  15. Re:This idea is really BS by tepples · · Score: 2

    Good luck contacting the administrators every time you have to reboot any of the servers, especially if it's night in their time zone.

  16. No? Maybe? by OglinTatas · · Score: 4, Funny

    Did you leave your oven on?

    You bastard. Did you have to do that?

    --
    More music, fewer hits
  17. Having to social engineer more administrators by tepples · · Score: 2

    Is this really different than a "secret salt" [or key] that someone has to load into the server upon reboot?

    It's a way to require a quorum of administrators to load the key.

    why not just have an admin type in the secret salt that is hashed with each password?

    Because then you have to social engineer one administrator. With PolyPassHash, you have to social engineer n administrators.

  18. Re:This idea is really BS by Hognoxious · · Score: 4, Funny

    Get them to write their passwords on a post-it(tm) note and stick it to the server.

    Do I have to do all the thinking around here?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  19. Re:This idea is really BS by gweihir · · Score: 2

    That completely breaks security, as these passwords have to come from some place and are vulnerable there. Or it means that a large number of people (remember that it requires n users for a security-factor of n?) have to log-in (or rather attempt to) manually.

    Sorry, but you do not understand the security and attacker models at work here at all. Sure, this thing looks like a good idea, but only as long as you ignore reality. And BTW, whenever has a server password-list stolen from a not-running server or at boot-time?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. Rediculous by ThatAblaze · · Score: 3, Interesting

    So this system would work for a web-server where a bunch of people are logging in all the time. It passes test #1: It can be implemented.

    However, the security that this system imparts would only help for the first few (N - 1, depending on how many blocks are required to overlap) passwords. Once you have those first few passwords this system provides zero benefit, since you can use the passwords you know as keys to crack any future ones. If users can make user accounts then all you need to do is make N - 1 user accounts and you have completely defeated this system.

    So this system creates a HUGE new constraint on your user management system: No accounts can ever be issued to any parties outside of your home trusted zone. I suppose there might be one situation in which this solution might be useful: classified government work. In all other situations this solution is worthless.