Contest aims to boost state of password encryption

A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break.

Organizers of the Password Hashing Competition have set up a website for submissions, which are due by Jan. 31, 2014. The group has also posted technical guidelines and an explanation of how entries will be evaluated. No prizes are planned. The National Institute of Standards and Technology is a key body in the setting of standards for encryption and hash algorithms.

Hashing algorithms turn plaintext passwords into a fixed-length string of letters and numbers, so that hackers who break into the databases behind websites do not obtain the passwords themselves. Popular algorithmic standards used today include the NIST-controlled SHA, designed by the U.S. National Security Agency. SHA stands for Secure Hash Algorithm.

SHA is a multipurpose standard that is not optimal for hashing passwords on websites: it is designed to be fast. The faster the technology hashes data, the faster hackers using brute-force techniques can recover the passwords.


Brute-force attacks use high-powered computers to hash every possible candidate password and compare the results with the stolen hashes. The longer each hash takes to compute, the less practical this becomes for hackers.

What contest organizers want is a standard that hashes passwords much more slowly, but not so slowly that site visitors are kept waiting when they log in, said Jean-Philippe Aumasson, a cryptographer from Kudelski Security in Switzerland and one of the judges in the competition.

"From a secure standpoint, the slower the better," Aumasson said on Friday. "From a usability standpoint, the faster the better, so it's a tradeoff between usability and security."
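The tradeoff Aumasson describes can be measured directly. The following is an added example, not code from the article or from the Password Hashing Competition: it contrasts a fast general-purpose hash (SHA-256) with a password hash that carries a tunable cost (PBKDF2-HMAC-SHA256, RFC 8018, used here only because it ships in Python's standard library) and reports, for each cost setting, the per-login latency a user would see and the time an attacker would need to try every candidate. The keyspace size, the salt and the iteration counts are constructed values chosen for illustration.

```python
"""Added example (not part of the CSO article): fast hash vs. password hash
with a work factor, and what the work factor does to both sides of the
usability/security tradeoff."""
import hashlib
import hmac
import os
import time

# Constructed: an 8-character password drawn only from lowercase letters.
KEYSPACE_LOWER8 = 26 ** 8


def fast_hash(password: bytes) -> bytes:
    """General-purpose hash: a single SHA-256 pass, no cost parameter."""
    return hashlib.sha256(password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Password hash with a work factor: PBKDF2-HMAC-SHA256 (RFC 8018).
    The iteration count is the knob that makes every guess cost more."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def measure_rate(fn, min_calls: int = 3, min_seconds: float = 0.2) -> float:
    """Hashes per second for fn() on this machine, single-threaded CPython."""
    start = time.perf_counter()
    calls = 0
    while calls < min_calls or time.perf_counter() - start < min_seconds:
        fn()
        calls += 1
    return calls / (time.perf_counter() - start)


def exhaustive_search_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to hash every candidate in the keyspace at this rate."""
    return keyspace / guesses_per_second


def register(password: bytes, iterations: int):
    """What a site stores: a fresh random salt, the hash, and the cost used."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt, iterations), iterations


def verify_password(candidate: bytes, salt: bytes, stored: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    return hmac.compare_digest(slow_hash(candidate, salt, iterations), stored)


def tradeoff_report(keyspace: int = KEYSPACE_LOWER8,
                    iteration_counts=(1, 1_000, 100_000)):
    """One row per setting: (label, hashes/s, login latency ms, search seconds)."""
    salt = b"constructed-salt"  # constructed; real code uses register()'s random salt
    rows = []
    rate = measure_rate(lambda: fast_hash(b"hunter2"))
    rows.append(("SHA-256, no cost", rate, 1000 / rate,
                 exhaustive_search_seconds(keyspace, rate)))
    for n in iteration_counts:
        rate = measure_rate(lambda: slow_hash(b"hunter2", salt, n))
        rows.append((f"PBKDF2 x{n}", rate, 1000 / rate,
                     exhaustive_search_seconds(keyspace, rate)))
    return rows


if __name__ == "__main__":
    print(f"{'setting':18} {'hashes/s':>12} {'login ms':>10} {'search all 26^8':>18}")
    for label, rate, latency_ms, search_s in tradeoff_report():
        print(f"{label:18} {rate:12.0f} {latency_ms:10.2f} {search_s / 86400:15.1f} days")
```

The absolute figures are for one CPython core; an attacker with GPUs or ASICs will achieve a far higher rate against both algorithms. What the table shows is the ratio between rows: raising the iteration count multiplies the attacker's cost per guess by the same factor it adds to one login, which is exactly the dial the competition wanted a purpose-built password hash to expose.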

NIST is monitoring the competition and has a member, Meltem Sonmez Turan, on the panel of judges. The standards body may cherry-pick from the winning technologies for possible inclusion in future standards, Aumasson said.

While technology such as SHA has been around for two decades, password hashing on the Web and in mobile devices is relatively new. As a result, standards focused only on those applications are needed, Aumasson said. International standards bodies, such as the International Organization for Standardization (ISO) and the Internet Engineering Task Force, have yet to get seriously involved.

In the meantime, poor choices in password hashing technology have resulted in high-profile password compromises, such as at LinkedIn last year. Millions of hashed passwords were stolen, cracked and then posted on a Russian hacker forum.

While hoping to get winning technologies for use on websites and mobile devices, competition organizers do not expect any of it to be used in standards immediately, Aumasson said. Rather, they are hoping that the competition and similar efforts over the next 10 years will raise awareness of the need for better password hashing.

Also, developers make bad choices today because there is not enough good technology available, he said. "That's what we're trying to fix."

Other members of the panel of judges include Matthew Green of Johns Hopkins University; Marsh Ray, Microsoft; Jens Steube, the Hashcat Project; and Peter Gutmann, University of Auckland.


Stories by Antone Gonsalves
