Causes of the problem – offline password recovery attacks are always possible
Today’s best practice for storing user passwords is to use password hashing schemes in combination with unique salts. For instance, in SP800-63B, the Digital Identity Guidelines for Authentication and Lifecycle Management, the US National Institute of Standards and Technology (NIST) recommends to apply key derivation functions such as, password-based key derivation function 2 (PBKDF2), to passwords together with a salt of minimum length 32 bits.
Even though hashing and salting passwords is considered to be the best practice for password storage, they do not provide sufficient protection for passwords, because hackers can still recover passwords from the stolen database record. In particular, weak predictable passwords are cracked very efficiently using offline password recovery attacks, such as dictionary attacks or brute force attacks, using dedicated hardware .
Unfortunately, most users choose weak passwords. The recommendations of using upper, lower and special characters does not help much because of the human factor. One typical human behavior is that people pick a word that is related to their local culture, capitalize it and add digits at the end, and that makes the life of an attacker easy in cracking user passwords by using guessing attacks . By analyzing previous password database dumps, such as the LinkedIn breach, approximately 35% of that password dump were already known from previous hacked password databases and this allow hackers to learn a lot about common patterns on how people choose their passwords .
How about stronger passwords? Hackers have plenty of time at their disposal to crack them as well. According to IBM Ponemon study in 2017, American organizations take on average 191 days to detect and additional 66 days to contain a data breach. Statistically, it takes even longer in Europe, whereas the average dwell time for Asian companies is approximately 16 months.
The major problem with the current cryptographic approaches is that they do not stop data from being stolen in the first place. Rather it might delay the use of the stolen data for an uncertain period of time that depends on both the computational resources available to the attacker and weaknesses being found in algorithms, and published, by researchers. Regardless of which hash functions that have been used, passwords are being stolen from organizations databases in huge proportions which result in reputation costs and more .
One of the key problems is that personally identifiable information is stored using industry standard architecture which is vulnerable to various attacks. Encryption keys can usually be exploited inside code or maintained in files on servers and wherever they are stored, hackers and insiders can infiltrate those hidden places which put the whole organization at serious risk.
CIPHRA – making offline password recovery attacks impossible
CIPHRA is a PUF-based password storage solution that processes user passwords (or the salted password hashes) and then stores the output. The validity of a user password is checked by processing the user password (or its salted hash) by CIPHRA’s cryptographic processor and