Competition seeks better password hashes

Noted Swiss cryptographer Jean-Philippe Aumasson has opened a competition to help create better password hashing alternatives for widescale adoption.

The principal cryptographer at Switzerland-based Kudelski Security, who has designed cryptographic functions BLAKE, BLAKE2 and SipHash, told Black Hat attendees organisations were too frequently using inadequate password hashing methods like MD5.

“Our job is to make it as difficult as possible for [attackers] to [crack] the hashes for the passwords,” Aumasson said.

LinkedIn, one of scores of breached organisations to use weak password hashes, faced criticism after its monster password breach for utilising SHA-1, a hashing algorithm created by the National Security Agency in 1995, but considered to be outdated by security professionals.

In a response to the dilemma, Aumasson and a team of other security practitioners organised the Password Hashing Competition (PHC), which was taking submissions from experts for viable hashing options. The deadline for submissions was 31 January 2014.

“To solve this problem, we are doing something about it,” Aumasson said of the competition, which aimed to introduce hashing methods that can become standardised, along with the few accepted alternatives that currently exist, which include PBKDF2, bcrypt and scrypt.

By the third quarter of 2014, PHC organisers expected to select finalists, who can then tweak or improve their ideas.

The following year, at least one novel password hashing method will be selected as the winner of the contest.

This article originally appeared at scmagazineus.com