Summary: Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop and economic model to help predict how many user passwords such an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords chosen from a Zipf's law distribution and that Zipf's Law accurately models the distribution of most user passwords. This dismal claim holds even if PBKDF2 is used with 100,000 hash iterations (10 times greater than NIST's minimum recommendation). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2. About the speaker: Ben Harsha is a Computer Science Ph.D. student advised by Jeremiah Blocki. He currently works on password security and cryptographic hash functions. Before coming to Purdue in 2015 he also worked on distributed sensor networks at Argonne National Lab, as well as neural network optimization and computer science education methods at DePauw University. He has received a Masters from Purdue and a Bachelors from DePauw University.
