What Microsoft Would Like from the Password Hashing Competition
Date: August 2014
Publication: Passwords14 Las Vegas
Source: Currently no known Internet copy of paper.
Few organizations have been handling password-based credentials longer than Microsoft. In addition to the diversity of legacy and current use cases, strong requirements to maintain backwards compatibility constrain the rate at which protocols and account databases can evolve. Some common protocols even became de facto industry-wide standards before being publicly described by Microsoft. So we are perhaps in a position to provide some unique perspectives on real-world challenges facing password-based credential systems. Microsoft also operates one of the largest datacenter deployments in the industry. With increasing attention on datacenter power utilization and “green” datacenter technologies, any frequently called algorithm which mandates “burning” of CPU cycles should take the inherent tradeoff between security and energy costs into consideration. An internal survey of multiple product teams identified many use cases and types of password handling methods in both internal-use and shipping product code. This informed our requirements, which we lay out in this paper, in the hope that the PHC will result in a design which can be considered for inclusion in Microsoft platforms and the Microsoft Security Development Lifecycle (SDL).
PasswordResearch.com Note: Video of presentation available: https://www.youtube.com/watch?v=Kr6ruthF_4k