Black Hat: Crackable algorithms prompt need for improved password hashing

Share this article:

Considering the growing list of companies that have disclosed password breaches – and even admitted to using outdated hashing schemes to protect victims' login credentials – security experts say now is the time to create an improved means of securing user data.

On Wednesday, Jean-Philippe Aumasson, principal cryptographer at Switzerland-based Kudelski Security, told attendees at the Black Hat conference in Las Vegas that fellow researchers will have to step up to the plate to brainstorm sure-fire hashing alternatives for widescale adoption.

“Our job is to make it as difficult as possible for them to [crack] the hashes for the passwords,” he said of attackers.

Aumasson told around 100 attendees at the briefing titled, “Password Hashing: The Future is Now,” that organizations all too frequently opt for inadequate password hashing methods like MD5, which was reportedly used by notetaking software service Evernote prior to its password breach in March.

In another example, LinkedIn faced criticism after its monster password breach for utilizing SHA-1, a hashing algorithm created by the National Security Agency in 1995, but considered to be outdated by security professionals.

In a response to the dilemma, Aumasson and a team of other security practitioners organized the Password Hashing Competition (PHC), which is taking submissions from experts who believe they can come up with viable hashing options. The deadline for submissions is Jan. 31, 2014.

“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aims to introduce hashing methods that can become standardized, along with the few accepted alternatives that currently exist, which include PBKDF2, bcrypt and scrypt.

By the third quarter of 2014, PHC organizers expect to select finalists, who can then tweak or improve their ideas. The following year, at least one novel password hashing method will be selected as the winner of the contest.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.