A team of researchers at the New York University Polytechnic School of Engineering say they have found a way to help organizations better protect passwords.
Using an open-source password protection scheme they dubbed PolyPasswordHasher, the researchers believe they can make it much more difficult for hackers to decode even the shortest individual passwords. The PolyPasswordHasher is currently being tested as part of the Password Hashing Competition, a global effort organized by security professionals to identify new password protection schemes.
According to the researchers, most passwords are stored in databases as salted hashes, a one-way transformation that offers protection in the event the database itself is stolen. However, in cases where attackers gain privileged access to a running system, they can intercept an administrator’s password information before that protection is applied.
With PolyPasswordHasher, password information is never stored directly in a database; instead, it is used to encode a cryptographic “store” that cannot be validated unless a threshold number of correct passwords are entered. In other words, an attacker would need to crack multiple passwords simultaneously in order to verify any single hash.
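The threshold idea described above, as an added, simplified illustration rather than the PolyPasswordHasher project's own code: each account's share of a Shamir secret is masked with the hash of its salted password, so no stored value can be checked on its own, and only THRESHOLD correct passwords together recover the polynomial that lets individual logins be verified. SHA-256, the 127-bit field, the three-of-n threshold and the account names are assumptions chosen for brevity.

```python
import hashlib, os, secrets

P = (1 << 127) - 1   # prime field for Shamir secret sharing (assumption)
THRESHOLD = 3        # correct passwords needed to unlock the store (assumption)

def _interpolate(points, x):
    """Lagrange-evaluate the polynomial through `points` at x (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _hash_pw(salt, password):
    # Stand-in for a slow password hash; SHA-256 is used here only to keep the example short.
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % P

def create_store(accounts):
    """accounts: {name: password}. Returns records to persist; the secret is discarded."""
    coeffs = [secrets.randbelow(P) for _ in range(THRESHOLD)]   # coeffs[0] is the secret
    share_at = lambda x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    records = {}
    for idx, (name, pw) in enumerate(accounts.items(), start=1):
        salt = os.urandom(16)
        # Only share + H(salt||pw) is stored: neither half can be checked on its own.
        records[name] = (idx, salt, (share_at(idx) + _hash_pw(salt, pw)) % P)
    check = hashlib.sha256(coeffs[0].to_bytes(16, "big")).digest()
    return {"records": records, "check": check}

def unlock(store, attempts):
    """attempts: {name: password} for >= THRESHOLD accounts. Returns the recovered
    points if every password was right, else None (the store stays locked)."""
    points = []
    for name, pw in list(attempts.items())[:THRESHOLD]:
        idx, salt, masked = store["records"][name]
        points.append((idx, (masked - _hash_pw(salt, pw)) % P))
    secret = _interpolate(points, 0)
    ok = hashlib.sha256(secret.to_bytes(16, "big")).digest() == store["check"]
    return points if ok else None

def verify(store, points, name, password):
    """Check one account against an already unlocked store."""
    idx, salt, masked = store["records"][name]
    return (masked - _hash_pw(salt, password)) % P == _interpolate(points, idx)
```

A single wrong password among the unlocking set, or too few passwords, leaves the store locked, which is the property that forces an attacker to crack several accounts at once.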