The Problem

Causes of the problem - offline password recovery attacks are always possible

Today’s best practice for storing user passwords is to use password hashing schemes in combination with unique salts. For instance, in SP800-63B, the Digital Identity Guidelines for Authentication and Lifecycle Management, the US National Institute of Standards and Technology (NIST) recommends applying a key derivation function, such as password-based key derivation function 2 (PBKDF2), to passwords together with a salt at least 32 bits long.

Conventional password protection solutions, such as hashing and salting, which are today’s best practice for password storage, do not provide sufficient protection against offline password recovery attacks. Hackers can still recover passwords from stolen database records using, for instance, dictionary attacks. Under these conventional best practices for password storage, the only protection against offline password recovery attacks is the strength of the user’s password itself. However, the majority of passwords chosen by users are not strong enough to withstand offline password recovery attacks.
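An added example (not from the original page or its author) of the point above: salted PBKDF2 records, and a defender-side audit of those records against a common-password list. The iteration count, sample passwords, wordlist and function names are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000   # assumed demo value, kept low so the example runs quickly
SALT_BYTES = 16       # 128 bits, above the 32-bit minimum quoted above


def hash_password(password):
    """Build a stored record: unique random salt, iteration count, PBKDF2-HMAC-SHA256 output."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": dk}


def verify_password(password, record):
    """Recompute the hash from the record's own salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def audit_records(records, wordlist):
    """Report which stored records match an entry of a common-password list.

    The salt and iteration count are stored next to the hash, so the same
    test works for anyone who holds the record. The salt only forces the
    work to be repeated per record; it does not protect a listed password.
    """
    found = {}
    for user, record in records.items():
        for candidate in wordlist:
            if verify_password(candidate, record):
                found[user] = candidate
                break
    return found


# Constructed sample data: two users share a weak password, one uses a strong one.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]
RECORDS = {
    "alice": hash_password("password"),
    "bob": hash_password("password"),
    "carol": hash_password("vR7#kq2!Lm9xTz_4pW"),
}

if __name__ == "__main__":
    # Unique salts give alice and bob different hashes for the same password.
    print(RECORDS["alice"]["hash"] != RECORDS["bob"]["hash"])
    print(audit_records(RECORDS, COMMON_PASSWORDS))
```

Running the same audit at registration or password change, before the record is ever stored, keeps listed passwords out of the database in the first place.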

Billions of cracked passwords are available on the dark web today. The global average time it takes to detect and contain a data breach is 257 days. When Marriott International lost 500 million customer records, the company identified the attack in late 2018 and the public was informed afterwards, but the data breach took place back in 2014, more than four years ago. This means that the hackers had enough time to crack even stronger passwords. The LinkedIn breach in 2012 is a similar case. There are many other similar examples involving big IT corporations.

Password attacks are constantly improving

Hackers are improving the efficiency of their password cracking attacks using dedicated hardware. Hardware is getting faster and cheaper every year, and password cracking attacks are getting more sophisticated and effective. Most password hashing algorithms focus on making it more time-consuming and expensive to crack passwords, for example by using memory-hard functions such as bcrypt, scrypt and Argon2.

However, this is only true for strong passwords. Weak passwords, which make up the majority of passwords, can be cracked in a matter of seconds or minutes. In addition, new hardware constructions make the cost of memory less of a problem for dedicated hackers. When we look at the history of hashing algorithms, most of them get replaced by new algorithms over time because of new exploits published by researchers and successful attacks by hackers.

Cracking PBKDF2 hashes example by lothiraldan

Cracking BCrypt hashes example by lothiraldan