Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Submission + - Researchers Make Weak Passwords Virtually Uncrackable (securityweek.com)

wiredmikey writes: A team of researchers at the New York University Polytechnic School of Engineering say they have found a way to help organizations better protect even the weakest of passwords and make them almost impossible to crack.

Using an open-source password protection scheme dubbed PolyPasswordHasher, password information is never stored directly in a database; the information is used to encode a cryptographic "store" that cannot be validated unless a certain number of passwords are entered. In other words, an attacker would need to crack multiple passwords simultaneously in order to verify any single hash.

"PolyPasswordHasher divides secret information—in this case, password hashes—into shares, and just like a puzzle that is meaningless unless the pieces are assembled, no individual password can be validated unless a certain number of them are known and entered," explained Assistant Professor of Computer Science and Engineering Justin Cappos. "Even if the password file and all other information on disk were stolen, an attacker could not verify a single correct password without guessing a large number of them correctly."

Cappos estimated an attacker using a modern laptop could crack at least three six-character passwords in an hour if the computer was checking roughly a billion password hashes per second. With PolyPasswordHasher, the attacker would be required to compute these three passwords at the same time. The researchers estimate that in practice, all 900 million computers on Earth would need to work nonstop for longer than 13 billion years to compute the three passwords at the same time. According to the researchers' paper, the method is conceptually similar to encrypting the passwords with a key that is only recoverable when a threshold of passwords are known.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Researchers Make Weak Passwords Virtually Uncrackable

Comments Filter:

Never say you know a man until you have divided an inheritance with him.