Black Hat: Crackable algorithms prompt need for improved password hashing

Considering the growing list of companies that have disclosed password breaches – and even admitted to using outdated hashing schemes to protect victims' login credentials – security experts say now is the time to create an improved means of securing user data.

On Wednesday, Jean-Philippe Aumasson, principal cryptographer at Switzerland-based Kudelski Security, told attendees at the Black Hat conference in Las Vegas that fellow researchers will have to step up and propose robust password hashing schemes that can be adopted at scale.

“Our job is to make it as difficult as possible for them to [crack] the hashes for the passwords,” he said of attackers.

Aumasson told around 100 attendees at the briefing titled “Password Hashing: The Future is Now” that organizations all too frequently protect passwords with general-purpose hash functions like MD5, which are fast by design and therefore cheap for an attacker to brute-force. MD5 was reportedly in use at notetaking software service Evernote prior to its password breach in March.

In another example, LinkedIn faced criticism after its monster password breach for utilizing SHA-1, a hashing algorithm designed by the National Security Agency and published as a federal standard in 1995. Like MD5, SHA-1 is a fast general-purpose hash rather than a password hashing function, and LinkedIn had applied it without a per-user salt, so a single precomputed table could recover every account that shared a common password. Security professionals consider that approach outdated.

In response to the dilemma, Aumasson and a team of other security practitioners organized the Password Hashing Competition (PHC), which is taking submissions from experts who believe they can come up with viable password hashing designs. The deadline for submissions is Jan. 31, 2014.

“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aims to produce password hashing schemes suitable for standardization, to sit alongside the few accepted purpose-built alternatives that currently exist: PBKDF2, bcrypt and scrypt. What sets these apart from MD5 and SHA-1 is a per-user salt, which defeats precomputed tables, and a tunable work factor that makes each guess deliberately expensive.
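The contrast described above, shown as an added example that is not part of the article and not code from Aumasson or the PHC. It uses only the Python standard library: a constructed wordlist (an assumption, not a real cracking dictionary) is hashed once to recover every unsalted SHA-1 or MD5 password in a constructed leak, and the same passwords are then stored with salted, iterated PBKDF2-HMAC-SHA256, one of the three accepted schemes the article names. The iteration count and the storage format are the author's assumptions, not a standard.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a cracking dictionary (assumption: not from the page).
WORDLIST = ["password", "123456", "letmein", "linkedin", "qwerty", "hunter2"]


def legacy_hash(password: str, algorithm: str = "sha1") -> str:
    """Unsalted MD5/SHA-1 of the password: the fast, general-purpose schemes criticized above."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def crack_unsalted(leaked_hashes: Iterable[str], algorithm: str = "sha1") -> Dict[str, str]:
    """Recover passwords from unsalted fast hashes with one precomputed table.

    Without a salt, every user who chose the same word has the same hash, so the
    attacker pays for one hash per dictionary word regardless of how many users leaked.
    """
    table = {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in WORDLIST}
    return {h: table[h] for h in leaked_hashes if h in table}


# Assumption: a work factor chosen so one verification costs a noticeable fraction of a second
# on the defender's hardware; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record (format is an assumption)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def attack_work(num_users: int, dictionary_size: int, iterations: int = PBKDF2_ITERATIONS) -> Dict[str, int]:
    """Number of underlying hash computations a dictionary attack needs.

    Unsalted fast hash: one table covers all users.  Salted PBKDF2: every user costs a
    fresh pass over the dictionary, and every guess costs `iterations` HMAC calls.
    """
    return {
        "unsalted_fast_hash": dictionary_size,
        "salted_pbkdf2": num_users * dictionary_size * iterations,
    }


if __name__ == "__main__":
    # Constructed "leak": three users, two of whom chose dictionary words.
    leaked = [legacy_hash("linkedin"), legacy_hash("password"),
              legacy_hash("correct horse battery staple")]
    print("cracked from unsalted SHA-1:", crack_unsalted(leaked))

    record = pbkdf2_hash("hunter2")
    print("stored record:", record)
    print("verify hunter2:", pbkdf2_verify("hunter2", record))
    print("verify hunter3:", pbkdf2_verify("hunter3", record))
    print("attack work for 6.5M users:", attack_work(6_500_000, 1_000_000))
```

Two details carry the security point: the salt is generated per record with `os.urandom`, so two users with the same password get different records, and verification uses `hmac.compare_digest` rather than `==` so a timing side channel does not leak how many bytes of the derived key matched. The same structure applies to scrypt (`hashlib.scrypt`, where the OpenSSL build supports it) and bcrypt; only the derivation call and the cost parameters change.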

By the third quarter of 2014, PHC organizers expect to select finalists, who can then tweak or improve their ideas. The following year, at least one novel password hashing method will be selected as the winner of the contest.
