Black Hat: Crackable algorithms prompt need for improved password hashing
Considering the growing list of companies that have disclosed password breaches – and even admitted to using outdated hashing schemes to protect victims' login credentials – security experts say now is the time to create an improved means of securing user data.
On Wednesday, Jean-Philippe Aumasson, principal cryptographer at Switzerland-based Kudelski Security, told attendees at the Black Hat conference in Las Vegas that fellow researchers will have to step up to the plate to brainstorm sure-fire hashing alternatives for widescale adoption.
“Our job is to make it as difficult as possible for them to [crack] the hashes for the passwords,” he said of attackers.
Aumasson told around 100 attendees at the briefing titled, “Password Hashing: The Future is Now,” that organizations all too frequently opt for inadequate password hashing methods like MD5, which was reportedly used by notetaking software service Evernote prior to its password breach in March.
In another example, LinkedIn faced criticism after its monster password breach for utilizing SHA-1, a hashing algorithm created by the National Security Agency in 1995, but considered to be outdated by security professionals.
In a response to the dilemma, Aumasson and a team of other security practitioners organized the Password Hashing Competition (PHC), which is taking submissions from experts who believe they can come up with viable hashing options. The deadline for submissions is Jan. 31, 2014.
“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aims to introduce hashing methods that can become standardized, along with the few accepted alternatives that currently exist, which include PBKDF2, bcrypt and scrypt.
By the third quarter of 2014, PHC organizers expect to select finalists, who can then tweak or improve their ideas. The following year, at least one novel password hashing method will be selected as the winner of the contest.