NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible

An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."

Hmm

[war4peace]

Maybe I should look at this implementation for my upcoming MMO, which will likely go live somewhere in 2030 :)

WTF?

[JMZero]

To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password. And it didn't take all the computers in the universe forever to do so.

Maybe this is a great system, but the hyperbole in the summary is ridiculous.

Re:WTF?

[pastafazou]

Posit: An infinite number of monkeys on an infinite number of keyboards will eventually crack all your passwords.

Re:WTF?

[CastIronStove]

Instantly, since all possible combinations will occur simultaneously.

Re:WTF?

[Geoffrey.landis]

To be useful, the system still needs to be able to tell whether a single user password is correct (and needs to do so reasonably efficiently). So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords). Either lots of them work (which would a problem) or you found the password.

No, as I understand it from the article, you can't tell if a single user password is correct, because you don't have a measure for "correct"-- all that you check whether that password points to the same place (in a multidimensional phase space) that other passwords project to. (It does seems to only work is you can assuming that all, or at least "most," of the other passwords people enter are correct).

Re:WTF?

[g0bshiTe]

I call it, "Monkey Improbability Hacking".

I'll lease it to you for the low low price of .0000024 btc

Re:WTF?

[Chris+Mattern]

So if someone has a 6 character password (which is dumb) you can just try all possible passwords (there isn't that many possible 6 realistic character passwords).

No, it doesn't work that way; that's the whole point. If you have the hash and are trying to compare against it, you can't just try all the possible passwords because if haven't cracked the other passwords you don't know how to produce the hash that corresponds to a given password. If you're just trying passwords at a login prompt, brute force is trivial to defeat (best method will most likely be simply imposing an increasing login delay with each wrong attempt).

Re:WTF?

[parallel_prankster]

Yes, did you RTFA? They specifically mention that this step is needed everytime the system boots. They have also provided some ideas on how to achieve this automatically.

Re:WTF?

Even if all of them typed the same thing the rest of them would type the other combinations.

Re:WTF?

[Kjella]

Does it come with an actual monkey? I wouldn't want to end up with an MSCE or some other poor substitute, monkeys are both cuter and put less shit on your servers. Of course both could be replaced by a very small shell script. but I need one for the head count and scripts run headless so that won't do.

Re:WTF?

[kasperd]

So... how do you know if a user can log in? You have to wait until a bunch of users want to log in simultaneously?

Exactly. The first of those users will experience the password validation taking longer than usual. How much longer depends on various parameters in the system. If some of the users gave up and closed the connection, you still have the information needed for unlocking, so you don't need all of those users to log in simultaneously. You just need enough different users trying to log in after a restart. Once the threshold is reached, that user will get logged in after having to wait at most a couple of seconds. Earlier users will get logged in at the same time if they are still waiting.

But I suspect you might be able to DoS that process by just submitting a stream of invalid passwords. They may be able to avoid that through the partial validation described in the paper, but the partial validation sounds like it leaks so much information, I would rather trust an old-school salted hash.

Re:WTF?

[Cenan]

Hook the keyboards up in parallel and combine all the inputs to produce infinite outputs and you get instant monkey cracking. Thought now you're stuck with infinite monkeys with nothing to do.

Re:WTF?

[Lumpy]

Plus the monkeys smell better.

Re:WTF?

[pushing-robot]

That was a flaw with early experiments, but we've since worked it out. With our updated business model, we only provide you with one monkey and typewriter in this universe. At the same time, in each of infinite parallel universes, the parallel 'we' give the parallel 'you' a monkey and typewriter as well. Each typewriter is equipped with a lovingly crafted and painstakingly entangled transceiver to broadcast and monitor an infinity of random typing, listening and waiting for your answer to ephemerally cross its antenna.

Great news! It's statistically certain that one of the infinite monkeys has already typed the answer you seek. However, due to information propagation delays, it may take between zero and infinite time to reach your universe. Rest assured, though, it's on its way. While you wait, please enjoy your monkey. And typewriter.

Thank you for your business!

Any Excuse? Yes.

[holophrastic]

Security isn't about safety. The vast majority of passwords are for identification, rather than security. And the ones that are for security, are for a "reasonable" amount of security. The biggest point is to make breaking it an obviously-intentional exercise -- because that can be made illegal. It's not about stopping criminals. It's about defining criminals.

So go ahead and make your twitter account password super-secure so that no one can ever hack in. And then go home to your cylinder lock, easily pickable, next to the big glass window. Then tell us how safe you are -- remembering that whether or not you keep your twitter password on a sticky note, and whether or not your desktop e-mail is accessible within your home without a password, your children and your wife, and your dog are sleeping behind not such password.

And any locksmith can break into any car, as a ten-second paid-for emergency service. And so can anyone who's watched them do it.

Stop trying to feel safe. Just feel safe. It's a lot easier, cheaper, and much more valid.

Did you leave your oven on?

Clarification

[JMZero]

So it turns out their system, after a reboot, can't just validate a single user (I guess that was a crazy assumption on my part) - it has to have logins from a number of users before it can authenticate anyone. And if you don't want the system breakable by someone just creating a bunch of accounts (eg. normal users on a public website), these prime logins have to be more "special accounts".

Practically, if you need some special logins after every reboot in order for the system to come online, you're going to have to have multiple people assigned this job. Or one person with N passwords he logs in with. In which case, why not just give that guy a one time pad sort of thing that he primes each server with? I mean, these passwords are going to be unrecoverable and encrypted with, effectively, an unchanging key. So... uh, we have ways to do that.

Oh wait, there's an extension that gets around this, and has the property of "the server can check and eliminate most wrong passwords right after reboot". I'm sure a lot of bosses will like that - it'll reject most wrong passwords. Great.

It's a clever idea, but I think there's some real hard sell problems there.

Re:Clarification

[MarcoAtWork]

why would you need multiple people assigned to this job? seems to me if you are really concerned you could 'prime' this system by using an attached HSM with however many random accounts/passwords you'd like to be logged in at bootup: outside of somebody physically breaking into your server room and stealing your keycard it would seem quite secure to me...

Re:Clarification

[VortexCortex]

I fucking love this!

I hope every web company uses it. That way when users realize their boycotts have the potential power of cascading effects they'll finally have to bow to our demands and implement a better password system!

Running memory

[holophrastic]

The article says: "if an attacker can read memory on a running server, they can steal passwords unencrypted regardless of the technique that is used".

The article concludes that al we're trying to do is to resist passwords stored on-disk. Congrats. So here's my fix-all solution. When the server is booted, it loads all of the passwords into memory, and then physically disconnects the disk. And we're done. You know, except for the whole entire memory space.

This is just another one of those "make this link in the chain even stronger because once someone broke through it" forgetting that there are dozens of other weaker links that simply have yet to be targetted.

longer to crack than the age of the universe?

[aneroid]

...it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist.

Let's hope they're not creationists.

SRP (Secure Remote Protocol)

[kye4u]

That problem is already solved. It is called SRP With SRP, even if the attacker has full access to the host, they cannot reverse engineer the passphrase.

Crypto pointless now it seems.

[DarthVain]

Crypto is being supplanted by a lack of rights.

Ob. XKCD:
http://xkcd.com/538/

Now a days you don't have to worry so much about some criminal beating you with a wrench, however you do have to worry about the NSA going to everywhere you actually store information online and forcing them to give the information over "voluntarily" by creating laws under some pretense and threatening legal repercussions, or by just doing it illegally anyway using the usual scare tactics. The same can happen to you personally, and they can pretty much throw you in jail for an infinite amount of time until you produce the password in question anyway.

Anyway criminals are NOT brute forcing huge lists of passwords in the first place. They either take advantage of terrible security in the first place (Hey lets store all the passwords in an unencrypted text file which anyone can access if they know where to look!), software vulnerabilities (Hey your password is super safe, too bad there is that gaping security flaw that lets people bypass passwords altogether!), or social engineering (Hey sure I will give out your password, I'm an IT guy that gets paid 10$ an hour and I really don't give a shit anyway).

So while in an interesting sort of puzzle way this is neat, the actual protections it will afford you is probably very little.

Re:That's a nice technical solution you have there

[squiggleslash]

Just to make it clear, because a lot of posters here appear to be confused as to what this is for:

This isn't about securing individual passwords. This is about securing collections of passwords and doing something about situations where some website's master table of usernames and hashed passwords gets leaked, somehow.

Right now, when that happens, people with the password "123ABC" (or "password" or "secret" or whatever) are easily identifiable because you can look for the hashes of those texts amongst the passwords.

However, with this technology, you would need to already know a large number of existing username/password combinations before you could begin to look for users with easily guessed passwords.

How secure is it? Well, put it this way: if the system is rebooted, then it won't become available until a large enough body of users has tried to log in...

No? Maybe?

[OglinTatas]

Did you leave your oven on?

You bastard. Did you have to do that?

Re:This idea is really BS

[Hognoxious]

Get them to write their passwords on a post-it(tm) note and stick it to the server.

Do I have to do all the thinking around here?

Rediculous

[ThatAblaze]

So this system would work for a web-server where a bunch of people are logging in all the time. It passes test #1: It can be implemented.

However, the security that this system imparts would only help for the first few (N - 1, depending on how many blocks are required to overlap) passwords. Once you have those first few passwords this system provides zero benefit, since you can use the passwords you know as keys to crack any future ones. If users can make user accounts then all you need to do is make N - 1 user accounts and you have completely defeated this system.

So this system creates a HUGE new constraint on your user management system: No accounts can ever be issued to any parties outside of your home trusted zone. I suppose there might be one situation in which this solution might be useful: classified government work. In all other situations this solution is worthless.