Contest aims to boost state of password encryption

Passwords are the most widely used security mechanism on the Web, so strengthening the hashing algorithms used to protect them is important

A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break.

Organizers of the Password Hashing Competition have set up a website for submissions, which are due by Jan. 31, 2014. The group has also posted technical guidelines and an explanation of how entries will be evaluated. No prizes are planned. The National Institute of Standards and Technology is a key body in the setting of standards for encryption and hash algorithms.

Hashing algorithms are used to turn plaintext passwords into a series of letters and numbers to foil hackers who break into the databases supporting websites. Popular algorithmic standards used today include the NIST-controlled SHA, which stands for Secure Hash Algorithm and was designed by the U.S. National Security Agency.

SHA is a multipurpose standard that is not optimal for protecting passwords on websites. The faster the technology hashes data, the faster hackers using brute-force techniques can recover the passwords.


Brute-force attacks use high-powered computers to try every possible combination the algorithm could have employed to disguise the password. The longer each guess takes to check, the less practical the attack becomes for hackers.

What contest organizers want is a standard that generates hashed passwords much slower, but not enough to keep site visitors waiting too long when they log in, said Jean-Philippe Aumasson, a cryptographer from Kudelski Security in Switzerland and one of the judges in the competition.

"From a secure standpoint, the slower the better," Aumasson said on Friday. "From a usability standpoint, the faster the better, so it's a tradeoff between usability and security."
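The tradeoff Aumasson describes can be seen directly with a tunable work factor. The example below is added here and is not code from the competition or any entry; it uses PBKDF2 over SHA-256 (a standard iterated construction, assumed for illustration) so that one iteration count parameter controls both login latency and the cost of each brute-force guess, and it measures guesses per second at different settings.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed default for this example; a real site tunes this to the login
# latency its users will tolerate, and raises it as hardware gets faster.
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iters$salt_hex$hash_hex.

    Storing the iteration count with the hash lets the work factor be raised
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)  # per-password salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many candidate passwords this machine can check per second
    at a given work factor. iterations=1 approximates a bare SHA-256 pass,
    which is why a plain fast hash is a poor choice for stored passwords."""
    salt = b"\x00" * 16  # a fixed salt is fine for a timing measurement
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    for work in (1, 1_000, ITERATIONS):
        print(f"iterations={work:>7}: {guesses_per_second(work):,.0f} guesses/s")
```

Raising the iteration count slows every legitimate login by the same factor it slows the attacker, which is exactly the usability-versus-security balance the competition asks entrants to make tunable.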

NIST is monitoring the competition and has a member, Meltem Sonmez Turan, on the panel of judges. The standards body may cherry-pick from the winning technologies for possible inclusion in future standards, Aumasson said.

While technology such as SHA has been around for two decades, password hashing on the Web and in mobile devices is relatively new. As a result, standards focused only on those applications are needed, Aumasson said. International standards bodies, such as the International Organization for Standardization (ISO) and the Internet Engineering Task Force, have yet to get seriously involved.

In the meantime, poor choices in password hashing technology have resulted in high-profile password compromises, such as at LinkedIn last year. Millions of hashed passwords were stolen, cracked and then posted on a Russian hacker forum.

While hoping to get winning technologies for use on websites and mobile devices, competition organizers do not expect any of them to be used in standards immediately, Aumasson said. Rather, they are hoping that the competition and similar efforts over the next 10 years will raise awareness of the need for better password hashing.

Also, developers make bad choices today because there is not enough good technology available, he said. "That's what we're trying to fix."

Other members of the panel of judges include Matthew Green of Johns Hopkins University; Marsh Ray, Microsoft; Jens Steube, the Hashcat Project; and Peter Gutmann, University of Auckland.
