Abstract: Few organizations have been handling password-based credentials longer than Microsoft.
In addition to the diversity of legacy and current use cases, strong requirements to
maintain backwards compatibility constrain the rate at which protocols and account
databases can evolve. Some common protocols even became de facto industry-wide
standards before being publicly described by Microsoft. So we are perhaps in a position
to provide some unique perspectives on real-world challenges facing password-based
credential systems.
Microsoft also operates one of the largest datacenter deployments in the industry.
With increasing attention on datacenter power utilization and “green” datacenter
technologies, any frequently called algorithm which mandates “burning” of CPU cycles
should take the inherent tradeoff between security and energy costs into consideration.
An internal survey of multiple product teams identified many use cases and types of
password handling methods in both internal-use and shipping product code. This
informed our requirements, which we lay out in this paper, in the hope that the PHC
will result in a design which can be considered for inclusion in Microsoft platforms and
the Microsoft Security Development Lifecycle (SDL).
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast