DAHash: Distribution Aware Tuning of Password Hashing Costs

An attacker who breaks into an authentication server and steals all of the cryptographic password hashes is able to mount offline-brute force attack against each user’s password. Offline brute-force attacks passwords are increasingly commonplace danger amplified by well documented human tendency select low-entropy and/or reuse these across multiple accounts. Moderately hard hashing functions often deployed help protect offline increasing attacker’s guessing cost. However, there a limit how “hard” one can make hash function as servers resource constrained must avoid introducing substantial delay. Observing that wide gap in strength selected different users we introduce DAHash (Distribution Aware Password Hashing) novel mechanism which reduces number will crack. Our key insight resource-constrained dynamically tune hardness parameters based on (estimated) We Stackelberg game model interaction between defender (authentication server) attacker. allows optimize e.g., specify much effort spent weak/moderate/high passwords. use several large scale frequency datasets empirically evaluate effectiveness our differentiated cost mechanism. find uses reduce fraction would be cracked rational up $$15\%$$ .