Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Password hashing competition aims to beef up security

No prizes, only kudos for the winner

Article comments

Passwords are the most widely used security mechanism on the Web, so beefing up hashing algorithms, utilised to protect them, is important

Organisers of the Password Hashing Competition have set up a website for submissions, which are due by 31 January, 2014. The group has also posted technical guidelines and an explanation of how entries will be evaluated. No prizes are planned. The National Institute of Standards and Technology is a key body in the setting of standards for encryption and hash algorithms.

Hashing algorithms are used to turn plaintext passwords into a series of letters and numbers to foil hackers that break into databases supporting websites. Popular algorithmic standards used today include the NIST-controlled SHA, designed by the US National Security Agency. SHA stands for Secure Hash Algorithm.

SHA, which stands for Secure Hash Algorithm, is a multipurpose standard that is not optimal for use in encrypting passwords on websites. The faster the technology hashes data, the faster hackers using brute-force techniques can recover the passwords.

Brute-force technology leverages high-powered computers to try every possible combination the algorithm could have employed to disguise the password. The longer the decryption process takes, the less practical it becomes for hackers.

What contest organisers want is a standard that generates hashed passwords much slower, but not enough to keep site visitors waiting too long when they log in, said Jean-Philippe Aumasson, a cryptographer from Kudelski Security in Switzerland and one of the judges in the competition.

"From a secure standpoint, the slower the better," Aumasson said on Friday. "From a usability standpoint, the faster the better, so it's a tradeoff between usability and security."

NIST is monitoring the competition and has a member, Meltem Sonmez Turan, on the panel of judges. The standards body may cherry-pick from the winning technologies for possible inclusion in future standards, Aumasson said.

While technology such as SHA has been around for two decades, password hashing on the Web and in mobile devices is relatively new. As a result, standards focused only on those applications are needed, Aumasson said. International standards bodies, such as the International Organisation for Standardisation (ISO) and the Internet Engineering Task Force, have yet to get seriously involved.

In the meantime, poor choices in encryption technology have resulted in high-profile password compromises, such as at LinkedIn last year. Millions of hashed passwords were stolen, decrypted and then posted on a Russian hacker forum.

While hoping to get winning technologies for use on websites and mobile devices, competition organisers do not expected any of it to be used in standards immediately, Aumasson said. Rather, they are hoping that the competition and similar efforts over the next 10 years will raise awareness of the need for better password hashing.

Also, developers make bad choices today because there is not enough good technology available, he said. "That's what we're trying to fix."

Other members of the panel of judges include Matthew Green of John Hopkins University; Marsh Ray, Microsoft; Jens Steube, the Hashcat Project; and Peter Gutman, University of Auckland.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *