Black Hat: Crackable algorithms prompt need for improved password hashing

Share this article:

Considering the growing list of companies that have disclosed password breaches – and even admitted to using outdated hashing schemes to protect victims' login credentials – security experts say now is the time to create an improved means of securing user data.

On Wednesday, Jean-Philippe Aumasson, principal cryptographer at Switzerland-based Kudelski Security, told attendees at the Black Hat conference in Las Vegas that fellow researchers will have to step up to the plate to brainstorm sure-fire hashing alternatives for widescale adoption.

“Our job is to make it as difficult as possible for them to [crack] the hashes for the passwords,” he said of attackers.

Aumasson told around 100 attendees at the briefing titled, “Password Hashing: The Future is Now,” that organizations all too frequently opt for inadequate password hashing methods like MD5, which was reportedly used by notetaking software service Evernote prior to its password breach in March.

In another example, LinkedIn faced criticism after its monster password breach for utilizing SHA-1, a hashing algorithm created by the National Security Agency in 1995, but considered to be outdated by security professionals.

In a response to the dilemma, Aumasson and a team of other security practitioners organized the Password Hashing Competition (PHC), which is taking submissions from experts who believe they can come up with viable hashing options. The deadline for submissions is Jan. 31, 2014.

“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aims to introduce hashing methods that can become standardized, along with the few accepted alternatives that currently exist, which include PBKDF2, bcrypt and scrypt.

By the third quarter of 2014, PHC organizers expect to select finalists, who can then tweak or improve their ideas. The following year, at least one novel password hashing method will be selected as the winner of the contest.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Hackers grab email addresses of CurrentC pilot participants

Hackers grab email addresses of CurrentC pilot participants

Although the hack didn't breach the mobile payment app itself, consumer confidence may be shaken.

Operators disable firewall features to increase network performance, survey finds

Operators disable firewall features to increase network performance, ...

McAfee found that 60 percent of 504 surveyed IT professionals prioritize security as the primary driver of network design.

PCI publishes guidance on security awareness programs

PCI publishes guidance on security awareness programs

The guidance, developed by a PCI Special Interest Group, will help merchants educate staff on protecting cardholder data.