Ball and Chain: A New Paradigm in Stored Password Security
Date: September 2014
Publication: DerbyCon 4
Source 1: https://speakerdeck.com/zaeyx/ball-and-chain-a-new-paradigm-in-stored-password-security-benjamin-donnelly-and-tim-tomes
We have traditionally combated password database breaches by applying strong hashing to user passwords in the hope of slowing down an attacker's success at cracking them. But what if we slow down the process of obtaining the database instead? This talk introduces an approach in which representations of passwords are stored in a huge (multi-terabyte) file alongside random data. Attackers must steal a copy of the entire file in order to capture the passwords needed to impersonate users. The size of this file, and the time needed to copy it remotely, should either prevent attackers from successfully downloading it or give site administrators much more time to detect the attempted data extraction and stop it.
PasswordResearch.com Note:
Video of presentation available: http://www.youtube.com/watch?v=GfyM8lFkjo8
Project page: https://bitbucket.org/Zaeyx/openbac
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.