Abstract
In the past decade billions of user passwords have been exposed to the dangerous threat of offline password cracking attacks. An offline attacker who has stolen the cryptographic hash of a user’s password can check as many password guesses as s/he likes limited only by the resources that s/he is willing to invest to crack the password. Pepper and key-stretching are two techniques that have been proposed to deter an offline attacker by increasing guessing costs. Pepper ensures that the cost of rejecting an incorrect password guess is higher than the (expected) cost of verifying a correct password guess. This is useful because most of the offline attacker’s guesses will be incorrect. Unfortunately, as we observe the traditional peppering defense seems to be incompatible with modern memory hard key-stretching algorithms such as Argon2 or Scrypt. We introduce an alternative to pepper which we call Cost-Asymmetric Memory Hard Password Authentication which benefits from the same cost-asymmetry as the classical peppering defense i.e., the cost of rejecting an incorrect password guess is larger than the expected cost to authenticate a correct password guess. When configured properly we prove that our mechanism can only reduce the percentage of user passwords that are cracked by a rational offline attacker whose goal is to maximize (expected) profit i.e., the total value of cracked passwords minus the total guessing costs. We evaluate the effectiveness of our mechanism on empirical password datasets against a rational offline attacker. Our empirical analysis shows that our mechanism can significantly reduce the percentage of user passwords that are cracked by a rational attacker by up to \(10\%\).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The salt value protects against pre-computation attacks such as rainbow tables and ensures that the attacker must crack each individual password separately. For example, even if Alice and Bob select the same password \(pw_A=pw_B\) their password hashes will almost certainly be different i.e., \(h_A = H(pw_A, salt_A) \ne H(pw_B, salt_B) = h_B\) due to the different choice of values and collision resistance of the cryptographic hash function H.
- 2.
We use the concept and notation of subset and superset for ordered sequences the way they were defined for regular set. If all elements of sequence A are also elements of sequence B regardless the order, we say \(A \subseteq B\).
- 3.
The password datasets we analyze and experiment with are publicly available and widely used in literature research. We did not crack any new passwords. Thus, our usage of the datasets would not cause further harm to users.
References
Hashcat: advanced password recovery. https://hashcat.net/hashcat/
Password hashing competition. https://password-hashing.net/
Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)
Alwen, J., Blocki, J.: Efficiently computing data-independent memory-hard functions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 241–271. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_9
Alwen, J., Blocki, J., Harsha, B.: Practical graphs for optimal side-channel resistant memory-hard functions. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1001–1017. ACM Press, Dallas, TX, USA, 31 Oct–2 Nov 2017. https://doi.org/10.1145/3133956.3134031
Alwen, J., Blocki, J., Pietrzak, K.: Depth-robust graphs and their cumulative memory complexity. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 3–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_1
Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2
Ameri, M.H., Blocki, J., Zhou, S.: Computationally data-independent memory hard functions. In: Vidick, T. (ed.) ITCS 2020. vol. 151, pp. 36:1–36:28. LIPIcs, Seattle, WA, USA, 12–14 Jan 2020. https://doi.org/10.4230/LIPIcs.ITCS.2020.36
Bai, W., Blocki, J.: DAHash: distribution aware tuning of password hashing costs. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 382–405. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-64331-0_20
Bai, W., Blocki, J., Ameri, M.H.: Cost-asymmetric memory hard password hashing (2022). https://arxiv.org/abs/2206.12970
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: Security and Privacy (EuroS &P), 2016 IEEE European Symposium on, pp. 292–302. IEEE (2016)
Blocki, J., Datta, A.: CASH: a cost asymmetric secure hash algorithm for optimal password protection. In: IEEE 29th Computer Security Foundations Symposium, pp. 371–386 (2016)
Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. In: 2018 IEEE Symposium on Security and Privacy. pp. 853–871. IEEE Computer Society Press, San Francisco, CA, USA, 21–23 May 2018. https://doi.org/10.1109/SP.2018.00009
Blocki, J., Komanduri, S., Procaccia, A., Sheffet, O.: Optimizing password composition policies. In: Proceedings of the Fourteenth ACM Conference on Electronic Commerce, pp. 105–122. ACM (2013)
Boneh, D., Corrigan-Gibbs, H., Schechter, S.: Balloon hashing: a memory-hard function providing provable protection against sequential attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 220–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_8
Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy, pp. 538–552. IEEE Computer Society Press, San Francisco, CA, USA, 21–23 May 2012. https://doi.org/10.1109/SP.2012.49
Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: 2012 IEEE Symposium on Security and Privacy, pp. 553–567. IEEE Computer Society Press, San Francisco, CA, USA, 21–23 May 2012. https://doi.org/10.1109/SP.2012.44
Boyen, X.: Halting password puzzles: hard-to-break encryption from human-memorable keys. In: Provos, N. (ed.) USENIX Security 2007, pp. 6–10, Boston, MA, USA. Aug, USENIX Association (2007)
Campbell, J., Ma, W., Kleeman, D.: Impact of restrictive composition policy on user password choices. Behav. Inf. Technol. 30(3), 379–388 (2011)
Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS 2014. The Internet Society, San Diego, CA, USA, 23–26 Feb 2014
Castelluccia, C., Chaabane, A., Dürmuth, M., Perito, D.: When privacy meets security: leveraging personal information for password cracking. arXiv preprint arXiv:1304.6584 (2013)
Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: NDSS 2012. The Internet Society, San Diego, CA, USA, 5–8 Feb 2012
Designer, S.: John the ripper password cracker (2006)
Florêncio, D., Herley, C., Van Oorschot, P.C.: An administrator’s guide to Internet password research. In: Proceedings of the 28th USENIX Conference on Large Installation System Administration, pp. 35–52. LISA 2014 (2014)
Fossi, M., et al.: Symantec report on the underground economy (2008). Accessed 1 Aug 2013
Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. CHI 2010, ACM, New York, NY, USA (2010). https://doi.org/10.1145/1753326.1753384
Kaliski, B.: Pkcs# 5: password-based cryptography specification version 2.0 (2000)
Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy, pp. 523–537. IEEE Computer Society Press, San Francisco, CA, USA, 21–23 May 2012. https://doi.org/10.1109/SP.2012.38
Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: CHI, pp. 2595–2604 (2011). http://dl.acm.org/citation.cfm?id=1979321
Liu, E., Nakanishi, A., Golla, M., Cash, D., Ur, B.: Reasoning analytically about password-cracking software. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 380–397. IEEE (2019)
Ma, J., Yang, W., Luo, M., Li, N.: A study of probabilistic password models. In: 2014 IEEE Symposium on Security and Privacy, pp. 689–704. IEEE Computer Society Press, Berkeley, CA, USA, 18–21 May 2014. https://doi.org/10.1109/SP.2014.50
Manber, U.: A simple scheme to make passwords based on one-way functions much harder to crack. Comput. Secur. 15(2), 171–176 (1996)
Melicher, W., et al.: Fast, lean, and accurate: modeling password guessability using neural networks. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 175–191. USENIX Association, Austin, TX, USA, 10–12 Aug 2016
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)
Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009 (2009)
Provos, N., Mazieres, D.: Bcrypt algorithm. USENIX (1999)
Steves, M., Chisnell, D., Sasse, A., Krol, K., Theofanos, M., Wald, H.: Report: authentication diary study. Technical report NISTIR 7983, National Institute of Standards and Technology (NIST) (2014)
Stockley, M.: What your hacked account is worth on the dark web (2016). https://nakedsecurity.sophos.com/2016/08/09/what-your-hacked-account-is-worth-on-the-dark-web/
Ur, B., et al.: How does your password measure up? the effect of strength meters on password creation. In: Proceedings of USENIX Security Symposium (2012)
Ur, B., et al.: Measuring real-world accuracies and biases in modeling password guessability. In: Jung, J., Holz, T. (eds.) USENIX Security 2015, pp. 463–481. USENIX Association, Washington, DC, USA, 12–14 Aug 2015
Vaneev, A.: BITEOPT - derivative-free optimization method (2021). https://github.com/avaneev/biteopt. c++ source code, with description and examples
Veras, R., Collins, C., Thorpe, J.: On semantic patterns of passwords and their security impact. In: NDSS 2014. The Internet Society, San Diego, CA, USA, 23–26 Feb 2014
Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: 2009 IEEE Symposium on Security and Privacy, pp. 391–405. IEEE Computer Society Press, Oakland, CA, USA, 17–20 May 2009. https://doi.org/10.1109/SP.2009.8
Acknowledgments
The research was supported in part by the National Science Foundation under awards CNS #2047272 and by IARPA under the HECTOR program. Mohammad Hassan Ameri was also supported in part by a Summer Research Grant from Purdue University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bai, W., Blocki, J., Ameri, M.H. (2022). Cost-Asymmetric Memory Hard Password Hashing. In: Galdi, C., Jarecki, S. (eds) Security and Cryptography for Networks. SCN 2022. Lecture Notes in Computer Science, vol 13409. Springer, Cham. https://doi.org/10.1007/978-3-031-14791-3_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-14791-3_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14790-6
Online ISBN: 978-3-031-14791-3
eBook Packages: Computer ScienceComputer Science (R0)