Prof. Justin Cappos Makes Cracking Individual Passwords Impossible
NYU WIRELESS Professor Justin Cappos and his research group have devised a new scheme called PolyPassHash for storing password hash data so that an attacker cannot crack passwords individually. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store. This is a form of secret sharing, a method for distributing a secret amongst a group of participants: the secret is divided into parts, each participant receives its own unique part, and some or all of the parts are needed to reconstruct the secret. This means that a password cannot be validated without first recovering a threshold of shares, so an attacker must crack groups of passwords together.
The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random six-character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. (A secure hash is a cryptographic algorithm that converts data such as a password into a fixed-length string of characters called a fingerprint.) With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to have existed.
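
The storage idea described above, as a sketch added here and not code from the PolyPassHash implementations. The prime field, the SHA-256 salted hash, masking by modular addition, and all function and account names are assumptions made for illustration. The sketch does not check that the unlocking passwords were themselves correct.

```python
import hashlib
import secrets

P = 2**521 - 1  # prime modulus, larger than any SHA-256 digest (assumption)

def h(salt, password):
    """Salted hash of the password as an integer below P."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big")

def create_store(passwords, threshold):
    """Build db[user] = (x, salt, f(x) + h); the polynomial f is never stored."""
    coeffs = [secrets.randbelow(P) for _ in range(threshold)]  # degree threshold-1
    db = {}
    for x, (user, pw) in enumerate(passwords.items(), start=1):
        share = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        salt = secrets.token_bytes(16)
        db[user] = (x, salt, (share + h(salt, pw)) % P)
    return db

def unmask(db, logins):
    """Turn (user, password) pairs into candidate points (x, f(x))."""
    return [(db[u][0], (db[u][2] - h(db[u][1], pw)) % P) for u, pw in logins.items()]

def interpolate(points, x):
    """Lagrange interpolation: value at x of the polynomial through points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def verify(db, points, user, password):
    """A password checks out only if its unmasked share lies on the polynomial."""
    x, salt, masked = db[user]
    return (masked - h(salt, password)) % P == interpolate(points, x)

if __name__ == "__main__":
    accounts = {"alice": "k3x!qa", "bob": "zp09wm", "carol": "t7&lue"}  # constructed
    db = create_store(accounts, threshold=2)
    unlocked = unmask(db, {"alice": "k3x!qa", "bob": "zp09wm"})
    print(verify(db, unlocked, "carol", "t7&lue"))                  # threshold met
    print(verify(db, unmask(db, {"alice": "k3x!qa"}), "carol", "t7&lue"))  # below it
```

With only the database, a guess for one account yields a candidate share and nothing to compare it against, which is why guesses have to be made for a threshold of accounts at once.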