On the Economics of Offline Password Cracking

被引:42
作者
Blocki, Jeremiah [1 ]
Harsha, Ben [1 ]
Zhou, Samson [1 ]
机构
[1] Purdue Univ, W Lafayette, IN 47907 USA
来源
2018 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP) | 2018年
基金
美国国家科学基金会;
关键词
SECURITY;
D O I
10.1109/SP.2018.00009
中图分类号
TP301 [理论、方法];
学科分类号
081202 ;
摘要
We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10(5) hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs a rational attacker will give up well before he cracks most user passwords and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.
引用
收藏
页码:853 / 871
页数:19
相关论文
共 84 条
  • [1] Users are not the enemy
    Adams, A
    Sasse, MA
    [J]. COMMUNICATIONS OF THE ACM, 1999, 42 (12) : 41 - 46
  • [2] Allodi L., ACM CCS, V17
  • [3] Alwen J., 2016, ADV CRYPTOLOGY CRYPT
  • [4] Alwen J., 2017, ADV CRYPTOLOGY EUROC
  • [5] Alwen J., 2016, COMPLEXITY SCRYPT PR
  • [6] Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions
    Alwen, Joel
    Blocki, Jeremiah
    Harsha, Ben
    [J]. CCS'17: PROCEEDINGS OF THE 2017 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2017, : 1001 - 1017
  • [7] Towards Practical Attacks on Argon2i and Balloon Hashing
    Alwen, Joel
    Blocki, Jeremiah
    [J]. 2017 IEEE EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY (EUROS&P), 2017, : 142 - 157
  • [8] Depth-Robust Graphs and Their Cumulative Memory Complexity
    Alwen, Joel
    Blocki, Jeremiah
    Pietrzak, Krzysztof
    [J]. ADVANCES IN CRYPTOLOGY - EUROCRYPT 2017, PT III, 2017, 10212 : 3 - 32
  • [9] [Anonymous], 2005, P 12 ACM C COMPUTER, DOI DOI 10.1145/1102120.1102168
  • [10] [Anonymous], 2015, Password hashing competition