New Password Hashing Algorithm in the Works? SHA-3 Discussed

Passwords are, after all, the core protection for our identities, personal information, email, bank accounts, and so on. After the countless database breaches and leaks of the past few years, we need better password standards, or a different type of authentication altogether.

Let’s face it: the password is one of the biggest vulnerabilities in computer security. Something’s got to give! What exactly will it take to authenticate somebody using their own personal information or data without that information being discovered or hacked?

We have reported on companies like Google rolling out new implementations of password security. It’s time for new methods, especially after problems such as the Twitter hack a couple of weeks ago, which compromised some 250,000 accounts.

We first reported on password security changes back in July, when we discussed recent password studies showing that older people tend to pick stronger passwords.

Hashing algorithms are used to secure the passwords stored in databases. The current standards are usually SHA-1 and MD5. With the newer work on SHA-3 to replace the current SHA algorithms, this should make for better database security for passwords and help prevent hacks in the future.

This isn’t 100% foolproof, but it will help, and it should shore up password security for at least a couple more years.

“Password hashing is important because it’s where we have a problem. NIST has given us some great standard hashing algorithms. The problem is that these hashes aren’t necessarily designed for the specific problem of password hashing — where you need something that’s fast enough to hash on a server at login time, but slow enough that a GPU can’t crack ten million of them,” Password Hashing Competition’s Matthew Green said. “We have a few functions for this purpose, but we don’t have a consistent recommendation to give implementers. NIST says to use PBKDF2, which is probably the most vulnerable to GPU cracking. We just learned that Twitter uses bcrypt — a nice algorithm, but designed 11 years ago when FPGAs and GPUs weren’t as common as they are today. Others recommend scrypt because it was explicitly designed to deal with these threats. Unfortunately that claim hasn’t really been reviewed by cryptographers.”

The National Institute of Standards and Technology (NIST) establishes the standards for cryptographic hash functions and other encryption standards. An update on the new standards will be available soon.


About Jay Pfoutz

Full time computer security consultant