Ball and Chain (A New Paradigm in Stored Password Security) presented at DerbyCon 2014

by Benjamin Donnelly, Tim “lanmaster53” Tomes

Summary: Weak security architectures have led us into a world of massive password breaches occurring at an alarming rate. Infrastructure and application authentication systems continue to rely on credentials stored in databases. While there are ways to mitigate risk to these systems, offline attacks against accessed credentials have remained possible… until today. Forget MD5. Forget SHA1. In fact, forget hashing altogether. We can do it better using the strategic advantages of the defensive perspective. The Ball and Chain password storage mechanism has the power to halt offline attacks on credentials for good. No more password breaches. No more fear of being the next Stratfor/Adobe/Yahoo/etc. No more CorrectHorseBatteryStaple. Let’s take back the internet.