How To Screw Up Password Hashing: Secrets of a Password Cracker Author
Authors: Russell Edward Graves [Bitweasil]

Date: July 2013
Publication: Passwords13 Las Vegas
Source: Currently no known Internet copy of paper.

Abstract or Summary:
Password storage is one of the major weaknesses of the last five years. Databases are dumped on a regular basis, and due to poor password storage algorithms, attackers have an incredibly easy time extracting the actual passwords from these dumps.

This talk dives into the techniques used by the open source Cryptohaze password cracking framework to dramatically reduce the work the attacker has to do to recover plains, even with salted algorithms. It discusses the most commonly-seen algorithms for password storage, and how the attacks against these are heavily optimized -- in some cases, only half the work the defender must do!

Proper password storage concepts are then discussed -- not from the perspective of "You should do this because it's better," but from the perspective of the hardware attackers use and how to neutralize their advantage and make their cost per password exceed the defender's cost.

Note: Video of presentation:
