Secure Password Storage: Increasing Resistance to Brute Force Attacks presented at OWASP BASC 2012

by Scott Matsumoto

Tags: Security

Summary: If your password table gets into the wild, how long will it take an attacker to recover the plaintext passwords? The recent series of well-publicized disclosures of user passwords has led many of our clients to ask whether current best practices adequately protect stored passwords from brute-force attacks. In addition, with the advent of general-purpose computing on GPUs (and FPGAs), are the defenses built to resist brute force still sufficient? Cigital reviewed the current hardware innovations, analyzed the current methods for protecting passwords at rest, and assessed whether those methods sufficiently protect passwords from being revealed using today's hardware.
This talk discusses the pros and cons of the current practices, such as salted hashes and adaptive hashes, and proposes an alternative for strengthening them. The talk covers the cryptographic properties of these practices, but does not require a PhD in mathematics to follow the details.
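To make the two practices the abstract names concrete, the following Python is an added example written for this page; it is not code from the talk or from Cigital. It contrasts a plain salted hash (one SHA-256 per guess) with an adaptive hash, using PBKDF2-HMAC-SHA256 as the adaptive scheme (the abstract does not say which adaptive hash the talk uses, so that choice, the record format `pbkdf2-sha256$iterations$salt$hash`, and the default iteration count are assumptions). The stored record carries its own work factor, so the cost per guess can be raised later as hardware improves, and `seconds_to_exhaust` gives a rough attacker cost model: each guess costs `iterations` underlying hashes, so an attacker's plain-hash rate is divided by the work factor.

```python
import hashlib
import hmac
import os
import time

# Work factor for the adaptive hash. Assumed for this example (it is not a
# figure from the talk); raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Baseline 'salted hash': one SHA-256 over salt || password.
    The per-user salt defeats precomputed tables and cross-user matching, but
    one cheap hash per guess lets a GPU test billions of candidates per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def adaptive_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Adaptive hash: PBKDF2-HMAC-SHA256. Cost per guess grows linearly with
    `iterations`, a tunable parameter stored alongside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a self-describing record: algorithm, work factor, salt, digest.
    Storing the work factor is what makes the scheme adaptive in practice."""
    salt = os.urandom(SALT_BYTES)
    digest = adaptive_hash(password, salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a record back into (iterations, salt, digest)."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported record format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    iterations, salt, stored = parse_record(record)
    candidate = adaptive_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record's work factor is below the current policy; call
    this on successful login and rehash while the plaintext is available."""
    iterations, _, _ = parse_record(record)
    return iterations < target_iterations


def seconds_to_exhaust(keyspace: int, plain_hashes_per_second: float,
                       iterations: int) -> float:
    """Rough cost model: time to try every candidate in `keyspace` when the
    attacker computes `plain_hashes_per_second` single hashes and each guess
    costs `iterations` of them. Ignores PBKDF2's small constant overhead."""
    return keyspace * iterations / plain_hashes_per_second


def measure(func, *args, rounds: int = 3) -> float:
    """Wall-clock seconds per call, to compare the two schemes on this host."""
    start = time.perf_counter()
    for _ in range(rounds):
        func(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    plain = measure(salted_sha256, "correct horse", salt, rounds=1000)
    adaptive = measure(adaptive_hash, "correct horse", salt, DEFAULT_ITERATIONS)
    print(f"salted SHA-256: {plain * 1e6:.1f} us/guess")
    print(f"PBKDF2 x{DEFAULT_ITERATIONS}: {adaptive * 1e3:.1f} ms/guess")

    # Constructed scenario: 10^12 candidate passwords against an attacker
    # doing 10^10 SHA-256/s (an assumed GPU figure, not a measured one).
    for iters in (1, 10_000, DEFAULT_ITERATIONS):
        days = seconds_to_exhaust(10**12, 1e10, iters) / 86400
        print(f"iterations={iters:>7}: {days:,.1f} days to exhaust keyspace")

    record = make_record("correct horse")
    print("verify ok:", verify_password("correct horse", record))
    print("verify bad:", verify_password("Correct horse", record))
```

The point the benchmark makes is that the defender pays the work factor once per login while the attacker pays it once per guess, so a cost that is negligible at login time multiplies the attacker's effort by the same factor across the whole keyspace. Because the iteration count lives in the record, `needs_rehash` lets you migrate users to a higher factor transparently at their next login rather than leaving old hashes at the weaker setting.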