Black Hat: Crackable algorithms prompt need for improved password hashing

Share this article:

Considering the growing list of companies that have disclosed password breaches – and even admitted to using outdated hashing schemes to protect victims' login credentials – security experts say now is the time to create an improved means of securing user data.

On Wednesday, Jean-Philippe Aumasson, principal cryptographer at Switzerland-based Kudelski Security, told attendees at the Black Hat conference in Las Vegas that fellow researchers will have to step up to the plate to brainstorm sure-fire hashing alternatives for widescale adoption.

“Our job is to make it as difficult as possible for them to [crack] the hashes for the passwords,” he said of attackers.

Aumasson told around 100 attendees at the briefing titled, “Password Hashing: The Future is Now,” that organizations all too frequently opt for inadequate password hashing methods like MD5, which was reportedly used by notetaking software service Evernote prior to its password breach in March.

In another example, LinkedIn faced criticism after its monster password breach for utilizing SHA-1, a hashing algorithm created by the National Security Agency in 1995, but considered to be outdated by security professionals.

In a response to the dilemma, Aumasson and a team of other security practitioners organized the Password Hashing Competition (PHC), which is taking submissions from experts who believe they can come up with viable hashing options. The deadline for submissions is Jan. 31, 2014.

“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aims to introduce hashing methods that can become standardized, along with the few accepted alternatives that currently exist, which include PBKDF2, bcrypt and scrypt.

By the third quarter of 2014, PHC organizers expect to select finalists, who can then tweak or improve their ideas. The following year, at least one novel password hashing method will be selected as the winner of the contest.

Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.