Using an open-source password protection scheme dubbed PolyPasswordHasher, password information is never stored directly in a database; the information is used to encode a cryptographic "store" that cannot be validated unless a certain number of passwords are entered. In other words, an attacker would need to crack multiple passwords simultaneously in order to verify any single hash.
"PolyPasswordHasher divides secret information—in this case, password hashes—into shares, and just like a puzzle that is meaningless unless the pieces are assembled, no individual password can be validated unless a certain number of them are known and entered," explained Assistant Professor of Computer Science and Engineering Justin Cappos. "Even if the password file and all other information on disk were stolen, an attacker could not verify a single correct password without guessing a large number of them correctly."
Cappos estimated an attacker using a modern laptop could crack at least three six-character passwords in an hour if the computer was checking roughly a billion password hashes per second. With PolyPasswordHasher, the attacker would be required to compute these three passwords at the same time. The researchers estimate that in practice, all 900 million computers on Earth would need to work nonstop for longer than 13 billion years to compute the three passwords at the same time. According to the researchers' paper, the method is conceptually similar to encrypting the passwords with a key that is only recoverable when a threshold of passwords are known.