Subject: Re: passwd hashing algorithm
To: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
From: Achyutram Bhamidipaty <ram@cs.arizona.edu>
List: current-users
Date: 04/16/1995 10:38:06
der Mouse writes:
 > 
 > Of course, very little of this actually makes any difference.  The real
 > problem is that machines are getting fast, fast enough that you don't
 > have to precompute dictionaries.  Which defeats salting, too ...
 > 
 > Dictionary attacks will continue to succeed, because people will
 > stubbornly pick bad passwords. ...
 > 

A prof at my dept has written a nice tech report that addresses
exactly this issue. A secret salt s is added to each password. s is
chosen from some number of secret salts S. s is not stored anywhere.
When a user tries to login every possible value of S must be checked
until the correct one is found.  The idea is to limit the size of S to
be about the number of encryptions that can be done in half a second
or so (the report says that S will be from 100 to 1000). This approach
has two useful features. First it increases the dictionary size by a
factor of S. Second it slows down the time to compare an entire
dictionary against a single password by a factor of S.

The tech report is available via WWW at

	<ftp://ftp.cs.arizona.edu/reports/1994/TR94-34.ps>

and via anonymous ftp from ftp.cs.arizona.edu in /reports/1994/TR94-34.ps

-Ram
ram@cs.arizona.edu