Date: Thu, 13 Dec 2012 15:27:25 -0500
From: Matt Weir <cweir@...edu>
To: crypt-dev@...ts.openwall.com
Subject: Re: Intentionally Increasing Collisions in Password Hashing Algorithms

Havoc,

Thanks for the response. I have a few questions/comments.

> I think it is clear that increasing the number of collisions is only
> worth doing under the assumption that most users re-use their passwords
> on multiple websites and don't really change their passwords.
>
> We know that in practice the opposite is usually true.

So this statement made me pause a bit since it's my understanding a significant number of users re-use their passwords. By significant I mean enough that it's frequent enough to be worthwhile for an attacker to exploit. If you could point me to some research/studies/examples that's not the case I'd be very interested. For example, two studies/experiments testing password reuse I can point to are:

http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/
https://research.microsoft.com/pubs/74164/www2007.pdf

And there's all the empirical evidence I've seen, such as how Twitter accounts were compromised after the Gawker breach.

> The top 20 passwords were all used by more than 10,000 users.

Yup, just the password '123456' was used by over 290,000 users in the RockYou list, which reinforces your point! I'll agree an attacker will have a great degree of confidence if they crack the hash of someone who chose one of the top 100, (or top 1000 in larger sets), passwords. I don't think that will be that big of a deal when it comes to defending against password reuse though, based on the simple fact that most high value sites have a password blacklist already in place. For example Twitter, Facebook, most webmail clients, etc. won't let you choose '123456' for your password. Therefore the user in question couldn't have reused their 'top 100' password for those sites so the attacker doesn't gain much, (except knowing they can probably ignore trying to reuse the credentials for that user). In addition, if a user selects one of the top 100 passwords at a different site that is valuable to an attacker then they are already vulnerable to an online attack anyways.

Where the attack you detailed would be really successful is if the attacker knew multiple accounts belonged to the same user, (and thus probably shared the same password). It still wouldn't be 100% but it would significantly reduce the protection offered by collisions. At that level of targeted attacks though, (aka the attacker knows/cares enough about the target to realize the two accounts belong to the same person), collisions aren't going to slow them down much anyways. It'll increase the cost to verify guesses but not enough to discourage a determined attacker.

Once again though, that's a really good point and something that needs to be considered!

Matt
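The effect raised in the last part of the message above, where linking two accounts of one user reduces the protection collisions give without removing it entirely, as an added example that is not part of the original message or thread. It assumes, as a stand-in for the scheme under discussion, a salted SHA-256 truncated to 8 bits; the guess list, salts and password are constructed.

```python
import hashlib

BITS = 8  # assumption: each site keeps 8 bits, so about 1 in 256 guesses collides


def lossy_hash(password: str, salt: bytes, bits: int = BITS) -> int:
    """Salted SHA-256 truncated to `bits` bits (hypothetical collision-rich hash)."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def candidates(stored: int, salt: bytes, guesses) -> set:
    """Every guess that verifies against one site's stored value."""
    return {g for g in guesses if lossy_hash(g, salt) == stored}


def simulate(true_password: str = "guess12345", n_guesses: int = 20000):
    """Compare candidate sets for one site, a second site, and both linked.

    Returns (count at site A, count at site B, count matching both,
    whether the real password is among the survivors).
    """
    # Constructed guess list standing in for a cracking dictionary.
    guesses = [f"guess{i:05d}" for i in range(n_guesses)]
    # Constructed per-site salts: the same password hashes differently per site.
    salt_a, salt_b = b"site-A-salt", b"site-B-salt"
    stored_a = lossy_hash(true_password, salt_a)
    stored_b = lossy_hash(true_password, salt_b)

    set_a = candidates(stored_a, salt_a, guesses)
    set_b = candidates(stored_b, salt_b, guesses)
    # Linking the accounts means only guesses valid at both sites survive.
    both = set_a & set_b
    return len(set_a), len(set_b), len(both), true_password in both


if __name__ == "__main__":
    a, b, both, found = simulate()
    print(f"site A alone: {a} candidates")
    print(f"site B alone: {b} candidates")
    print(f"linked accounts: {both} candidates (real password included: {found})")
```

With one site the stored value is ambiguous across dozens of guesses; with two linked sites the ambiguity is close to that of a 16-bit value, which is the design consequence to weigh when choosing the truncation width.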