
Communications of the ACM

ACM TechNews

New Protection Scheme Makes Weak Passwords Virtually Uncrackable



New York University Polytechnic (NYU-Poly) researchers have developed PolyPasswordHasher, an open source password protection scheme that could help organizations better protect passwords.

Most passwords are stored in databases using a salted hash, a one-way encryption technique that offers protection in the event a database is hacked. However, if hackers can get privileged access to a running system, they can intercept an administrator's password information before that protection is in place.

PolyPasswordHasher never stores password information directly in the database. Instead, the information is used to encode a cryptographic "store" that cannot be validated unless a certain number of passwords are entered.

"PolyPasswordHasher divides secret information--in this case, password hashes--into shares, and just like a puzzle that is meaningless unless the pieces are assembled, no individual password can be validated unless a certain number of them are known and entered," says NYU-Poly professor Justin Cappos.

In the event an attacker was able to enter the system, all remaining password data would remain under the same protections offered by conventional salted hashing schemes. "Even if the password file and all other data on disk is obtained by a malicious party, the attacker cannot crack any individual password without simultaneously guessing a large number of them correctly," Cappos says.
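The threshold idea described above can be sketched as follows. This is an added illustration, not PolyPasswordHasher's own code: it assumes a Shamir-style polynomial over a prime field, masks each share with the salted hash by modular addition, and keeps a fingerprint of the secret to confirm recovery. All names (`enroll`, `unlock`, `P`, `K`) and the sample accounts are constructed for the example.

```python
import hashlib, os, secrets

P = 2**127 - 1   # prime modulus for the share arithmetic (assumption of this sketch)
K = 3            # threshold: correct passwords needed before anything can be checked

def salted_hash(salt, password):
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") % P

def poly_eval(coeffs, x):
    # Horner evaluation; coeffs[0] is the secret the shares protect.
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def enroll(users):
    """users: {name: password}. Returns (db, fingerprint); the secret is not stored."""
    coeffs = [secrets.randbelow(P) for _ in range(K)]
    db = {}
    for x, (name, pw) in enumerate(users.items(), start=1):
        salt = os.urandom(16)
        # Only share + salted hash is stored: neither value is on disk alone.
        db[name] = (x, salt, (poly_eval(coeffs, x) + salted_hash(salt, pw)) % P)
    fingerprint = hashlib.sha256(str(coeffs[0]).encode()).hexdigest()
    return db, fingerprint

def unlock(db, fingerprint, logins):
    """True only if the first K supplied passwords are all correct."""
    points = []
    for name, pw in list(logins.items())[:K]:
        x, salt, masked = db[name]
        points.append((x, (masked - salted_hash(salt, pw)) % P))
    if len(points) < K:
        return False
    secret = 0
    for i, (xi, yi) in enumerate(points):   # Lagrange interpolation at x = 0
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return hashlib.sha256(str(secret).encode()).hexdigest() == fingerprint
```

With fewer than `K` correct passwords, the stored values give an offline guesser nothing to test a single candidate password against, which is the property Cappos describes.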

From Security Week

 

Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA


 
