Passwords are hashed everywhere: operating systems, smartphones, web services, disk encryption tools, SSH private keys, etc. Hashing passwords mitigates the impact of a compromised database by forcing attackers to bruteforce passwords. Bruteforce is easier when the hash function is not "salted", fast to evaluate, and easy to implement as multiple parallel instances on GPUs or multi-core systems. However existing solutions are not satisfactory, and the huge majority of systems rely on weak hashes (eg. leaks from Sony, LinkedIn, or more recently Evernote).
After a brief introduction of the problem and previous solution attempts, this talk presents a roadmap towards new improved hashing methods, as desired by a number of parties (from industry and standardization organizations).
First, we'll enumerate the technical challenges for software and security engineers as well as cryptographers and attackers, discussion questions like: why, counter-intuitively, parallelism is desirable? How can complexity theory benefit password hashing? How to define a metric that encompasses performance on GPUs and ASICs? Should hashing be performed by the client, server, or both? What about DoS induced by slow hashing? etc.
Then we'll describe the initiative that motivated this talk: the Password Hashing Competition (PHC), a project similar to the pure-cryptography competitions AES, eSTREAM, or SHA-3, but focused on the password hashing problem: the PHC gathers the leading experts from the password cracking scene as well as cryptographers and software engineers from academia, industry, as well as NIST, to develop the hashing methods of the future.