What Microsoft would like from the Password Hashing Competition - Marsh Ray, Greg Zaverucha (Passwords Con 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)

Abstract: Few organizations have been handling password based credentials longer than Microsoft. In addition to the diversity of legacy and current use cases, strong requirements to maintain backwards compatibility constrain the rate at which protocols and account databases can evolve. Some common protocols even became de facto industry-wide standards before being publicly described by Microsoft. So we are perhaps in a position to provide some unique perspectives on real world challenges facing password based credentials systems. Microsoft also operates one of the largest datacenter deployments in the industry. With increasing attention on datacenter power utilization and “green” datacenter technologies, any frequently called algorithm which mandates “burning” of CPU cycles should take the inherent tradeoff between security and energy costs into consideration. An internal survey of multiple product teams identified many use cases and types of password handling methods in both internal-use and shipping product code. This informed our requirements, which we lay out in this paper, in the hope that the PHC will result in a design which can be considered for inclusion in Microsoft platforms and the Microsoft Security Development Lifecycle (SDL).


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast