Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJ9ii1GFrQDn9=Uh_z1MnAsvLiBn+17XJD1RHsM=oO1nj8UQhw@mail.gmail.com>
Date: Thu, 13 Dec 2012 15:27:25 -0500
From: Matt Weir <cweir@...edu>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password
 Hashing Algorithms

Havoc,
    Thanks for the response. I have a few questions/comments.

> I think it is clear that increasing the number of collisions is only
> worth doing under the assumption that most users re-use their passwords
> on multiple websites and don't really change their passwords.
>
> We know that in practice the opposite is usually true.

So this statement made me pause a bit since it's my understanding a
significant number of users re-use their passwords. By significant I
mean enough that it's frequent enough to be worthwhile for an attacker
to exploit. If you could point me to some research/studies/examples
that's not the case I'd be very interested. For example two
studies/experiments testing password reuse I can point to are:

http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
https://research.microsoft.com/pubs/74164/www2007.pdf

And there's all the empirical evidence I've seen such as how Twitter
accounts were compromised after the Gawker breach.

> The top 20 passwords were all used by more than 10,000 users.

Yup, just the password '123456' was used by over 290,000 users in the
RockYou list, which reinforces your point! I'll agree an attacker will
have a great degree of confidence if they crack the hash of someone
who chose one of the top 100, (or top 1000 in larger sets), passwords.
I don't think that will be that big of a deal when it comes to
defending against password reuse though based on the simple fact that
most high value sites have a password blacklist already in place. For
example Twitter, Facebook, most webmail clients, etc won't let you
choose '123456' for your password. Therefore the user in question
couldn't have reused their 'top 100' password for those sites so the
attacker doesn't gain much, (except knowing they can probably ignore
trying to reuse the credentials for that user). In addition, if a user
is selects one of the top 100 passwords at a different site that is
valuable to an attacker then they are already vulnerable to an online
attack anyways.

Where the attack you detailed would be really successful is if the
attacker knew multiple accounts belonged to the same user, (and thus
probably shared the same password).  It still wouldn't be 100% but it
would significantly reduce the protection offered by collisions. At
that level of targeted attacks though, (aka the attacker knows/cares
enough about the target to realize the two accounts belong to the same
person), collisions aren't going to slow them down much anyways. It'll
increase the cost to verify guesses but not enough to discourage a
determined attacker.

Once again though, that's a really good point and something that needs
to be considered!

Matt

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.