Academics and Training for the Advancement of Cybersecurity Knowledge in Puerto Rico (ATACK-PR)


Feb 19, 2015

Talk: PolyPasswordHasher: Gaining the Higher Ground Against Password Crackers

PolyPasswordHasher: Gaining the Higher Ground Against Password Crackers

Category: General
Posted by: admin


PolyPasswordHasher: Gaining the Higher Ground Against Password Crackers

By: Dr. Justin Cappos, NYU Poly

When: March 9, 2015 at 11:30 AM
Where:  Natural Sciences Fase II, Room  A-211

Password database disclosures are a frequent problem for many companies, which makes their users the target of identify theft.  Once a database is stolen the  passwords contained have proven easy for attackers to guess. An attacker with  the same hardware as the defender can try N password guesses in N times the time it takes the defender to verify a password.  This makes password cracking feasible when users do not choose sufficiently random (strong) passwords.

In this work, we demonstrate that, counter to expectations, it is possible to have a password verification scheme such that an attacker must perform substantially more operations, even if both the attacker and the defender have identical hardware, including the attacker having a copy of the password database. We demonstrate that this asymmetric effort is attainable in practice by implementing PolyPasswordHasher, which leverages well-known cryptographic primitives to produce password data that is interdependent, in that multiple passwords must be checked together. Using PolyPasswordHasher, the number of operations performed by an attacker scales asymmetrically with the effort the defender needs to check a password.

Justin Cappos is an assistant professor at NYU in the Polytechnic School of Engineering. Justin's research interests generally fall broadly in the area of systems security.   He focuses on understanding high-impact, large-scale problems by building and measuring deployed systems. Prof. Cappos did his dissertation work describing flaws in prior Linux package managers and building / deploying a new security model.  His work on software update system security was deployed by the major Linux package managers (e.g. apt, yum, and YaST) and thus protects most Linux servers.   Due to the practical impact of his research, Prof Cappos was named in 2013 as one of Popular Science's Brilliant 10 scientists under 40.