Cost-Asymmetric Memory Hard Password Hashing
Wenjie Bai, Jeremiah Blocki, Mohammad Hassan Ameri

TL;DR
This paper proposes a novel cost-asymmetric memory hard password hashing method that increases the difficulty for offline attackers, reducing the percentage of cracked passwords by up to 10%, and addresses the incompatibility of traditional peppering with modern memory hard algorithms.
Contribution
It introduces Cost-Asymmetric Memory Hard Password Authentication, an alternative to peppering compatible with modern memory hard algorithms, and proves its effectiveness against rational offline attackers.
Findings
Reduces cracked passwords by up to 10% in empirical tests.
Provides a cost-asymmetry mechanism compatible with Argon2 and Scrypt.
Enhances password security against rational offline attackers.
Abstract
In the past decade, billions of user passwords have been exposed to the dangerous threat of offline password cracking attacks. An offline attacker who has stolen the cryptographic hash of a user's password can check as many password guesses as s/he likes, limited only by the resources that s/he is willing to invest to crack the password. Pepper and key-stretching are two techniques that have been proposed to deter an offline attacker by increasing guessing costs. Pepper ensures that the cost of rejecting an incorrect password guess is higher than the (expected) cost of verifying a correct password guess. This is useful because most of the offline attacker's guesses will be incorrect. Unfortunately, as we observe, the traditional peppering defense seems to be incompatible with modern memory hard key-stretching algorithms such as Argon2 or Scrypt. We introduce an alternative to pepper which…
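The cost asymmetry that the abstract attributes to traditional peppering can be measured directly. The following is an added illustration, not code from the paper: the verifier re-derives the hash under every possible pepper value in random order and stops at the first match, so a correct password is accepted after roughly half the pepper values on average while a wrong guess always pays for all of them. SHA-256 stands in for a key-stretching function so the example runs offline; the pepper width, password strings and trial count are constructed values.

```python
import hashlib
import hmac
import os
import random
import secrets

PEPPER_BITS = 8  # constructed choice: 256 possible pepper values


def slow_hash(password: bytes, salt: bytes, pepper: int) -> bytes:
    """Stand-in for a key-stretching hash. The paper discusses Argon2/Scrypt;
    SHA-256 is used here only so the example runs with no dependencies."""
    return hashlib.sha256(salt + pepper.to_bytes(2, "big") + password).digest()


def register(password: bytes) -> tuple[bytes, bytes]:
    """Return (salt, hash). The pepper is drawn at random and deliberately NOT stored."""
    salt = os.urandom(16)
    pepper = secrets.randbelow(1 << PEPPER_BITS)
    return salt, slow_hash(password, salt, pepper)


def verify(password: bytes, salt: bytes, stored: bytes, rng: random.Random) -> tuple[bool, int]:
    """Try every pepper value in random order, stopping at the first match.
    Returns (accepted, number of hash evaluations performed)."""
    order = list(range(1 << PEPPER_BITS))
    rng.shuffle(order)
    for evaluations, pepper in enumerate(order, start=1):
        if hmac.compare_digest(slow_hash(password, salt, pepper), stored):
            return True, evaluations
    return False, len(order)  # no pepper matched: a wrong guess always pays the full price


def cost_asymmetry(trials: int = 1000, seed: int = 7) -> dict:
    """Average hash evaluations to accept a correct password versus reject a
    wrong one, over `trials` fresh registrations (constructed passwords)."""
    rng = random.Random(seed)
    accept_cost = reject_cost = 0
    for _ in range(trials):
        salt, stored = register(b"correct horse battery staple")
        ok, n = verify(b"correct horse battery staple", salt, stored, rng)
        bad, m = verify(b"Tr0ub4dor&3", salt, stored, rng)
        if not ok or bad:
            raise RuntimeError("verifier misbehaved")
        accept_cost += n
        reject_cost += m
    return {"accept_avg": accept_cost / trials,
            "reject_avg": reject_cost / trials,
            "ratio": reject_cost / accept_cost}


if __name__ == "__main__":
    print(cost_asymmetry())
```

With 256 pepper values the expected cost of accepting a correct password is 128.5 hash evaluations, while every rejection costs exactly 256.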
Taxonomy
Topics: User Authentication and Security Systems · Psychedelics and Drug Studies · Advanced Malware Detection Techniques
