THE ADVANCED COMPUTING SYSTEMS ASSOCIATION
The following paper was originally published in the Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference
Monterey, California, USA, June 6–11, 1999
A Future-Adaptable Password Scheme
Niels Provos and David Mazières The OpenBSD Project
© 1999 by The USENIX Association All Rights Reserved
Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.
For more information about the USENIX Association: Phone: 1 510 528 8649 FAX: 1 510 548 5738 Email: [email protected] WWW: http://www.usenix.org
A Future-Adaptable Password Scheme
Niels Provos and David Mazi eres
fprovos,dmg@op enbsd.org
The OpenBSD Project
the face of increasingly p owerful attackers. Abstract
One widespread use of passwords, and a good ex-
Many authentication schemes dep end on secret
ample of failure to adapt, is the UNIX password
passwords. Unfortunately, the length and ran-
system. UNIX, a multi-user op erating system, re-
domness of user-chosen passwords remain xed
quires users to prove their identity b efore accessing
over time. In contrast, hardware improvements
system resources. A user typically b egins a session
constantly give attackers increasing computational
by providing her username and secret password to a
power. As a result, password schemes such as the
login program. This program then veri es the pass-
traditional UNIX user-authentication system are
word using a system-wide password le. Given the
failing with time.
imp ortance of keeping passwords secret, UNIX do es
not store plaintext passwords in this le. Instead,
This pap er discusses ways of building systems in
it keeps hashes of passwords, using a one-way func-
which password security keeps up with hardware
tion, crypt [9], that can only b e inverted by guessing
sp eeds. We formalize the prop erties desirable in a
preimages. Toverify a password, the login program
good password system, and show that the compu-
hashes the password and compares the result to the
tational cost of any secure password scheme must
appropriate hash in the password le.
increase as hardware improves. We presenttwo al-
gorithms with adaptable cost|eksblow sh, a blo ck
At the time of deployment in 1976, crypt could hash
cipher with a purp osefully exp ensivekey schedule,
fewer than 4 passwords p er second. Since the only
and bcrypt, a related hash function. Failing a ma-
known way of inverting crypt is to guess preim-
jor breakthrough in complexity theory, these al-
ages, the algorithm made passwords very dicult
gorithms should allow password-based systems to
to recover from their hashes|so much so, in fact,
adapt to hardware improvements and remain secure
that the designers of UNIX felt comfortable leaving
well into the future.
the password le readable by all users. Today,over
20 years later, a fast workstation with heavily opti-
mized software can p erform over 200,000 crypt op-
1 Intro duction
erations p er second. Attackers can now exp ediently
discover plaintext passwords by hashing entire dic-
tionaries of common passwords and comparing the
As micropro cessors grow faster, so do es the sp eed
results to entries in a password le. crypt nonethe-
of cryptographic software. Fast cryptography op ens
less still enjoys widespread use, and legacy software
many opp ortunities for making systems more se-
even forces many sites to keep their password les
cure. It renders encryption usable for a wide range
readable by all users.
of applications. It also p ermits larger values of tun-
able security parameters such as key length. In-
Todaywehave authentication schemes considerably
creasing security parameters makes cryptography
more sophisticated than the UNIX password le. In
exp onentially or at least sup erp olynomially more
practice, however, implementations of these schemes
dicult to break, dwar ng any b ene t faster hard-
still often dep end on users rememb ering secret pass-
ware may o er attackers. Unfortunately, one se-
words. There are alternatives, such as issuing sp e-
curity parameter|the length and entropyof user-
cial authentication hardware to users or giving them
chosen passwords|do es not scale at all with com-
printed lists of randomly generated access co des, but
puting p ower. While many systems require users to
these approaches generally inconvenience users or
cho ose secret passwords for authentication, few ac-
incur additional cost. Thus, passwords continue to
tually adapt their algorithms to preserve securityin
attacks has centered around communication over play an imp ortant role in the vast ma jority of user-
insecure networks. If cryptographic proto cols rely authentication systems.
on user-chosen passwords as keys, they may op en
themselves up to o -line guessing attacks. Gong This pap er discusses ways of building systems in
et. al. [7] suggest several proto col design tricks to which password security keeps up with hardware
thwart password guessing by network attackers. Un- sp eeds. We presenttwo algorithms with adaptable
fortunately, their most interesting prop osals require cost|eksblow sh, a blo ck cipher with a purp osefully
encryption algorithms with unusual and dicult to exp ensivekey schedule, and bcrypt, a related hash
achieve prop erties. function. Failing a ma jor breakthrough in complex-
ity theory, these algorithms should allow password-
Several p eople have designed secure password pro- based systems to adapt to hardware improvements
to cols that let users authenticate themselves over and remain secure 20 years into the future.
insecure networks without the need to remember or
certify public keys. Bellovin and Merritt [2, 3] rst The rest of the pap er is organized as follows. In
prop osed the idea, giving several concrete proto- Section 2, we discuss related work on password secu-
cols putatively resistant to o -line guessing attacks. rity. In Section 3, we explain the requirements for a
Patel [11] later cryptanalyzed those proto cols, but go o d password scheme. Section 4 presents eksblow-
p eople have since continued developing and re ning sh, a 64-bit blo ck cipher that lets users tune the
others in the same vein. More recent prop osals such cost of the key schedule. Section 5 intro duces the
as SRP [16] show promise of b eing secure. variable-cost bcrypt password hashing function and
describ es our implementation in the Op enBSD op-
Of course, even a secure password proto col requires erating system. Finally, Section 6 compares bcrypt
some server capable of validating users with correct to two widely-used password hashing functions.
passwords. An attacker who obtains that server's
secret state can mount an o -line guessing attack.
Because secure password proto cols require public
2 Related Work
key cryptography [8], they do have a tunable key
length parameter. However, this parameter pri-
Password guessing attacks can be categorized by
marily controls the diculty of mounting o -line
the amountofinteraction they require with an au-
attacks without a server's secret state; it only in-
thentication system. In on-line attacks, the p erp e-
directly a ects the cost of an o -line attack given
trator must make use of an authentication system
that state. Tuning key length to preserve password
to check each guess of a password. In o -line at-
guessing costs would have other unintended conse-
tacks, an attacker obtains information|such as a
quences, for instance increasing message sizes and
password hash|that allows him to check password
costing servers unnecessary computation. By com-
guesses on his own, with no further access to the
bining a scheme like SRP with the bcrypt algorithm
system. On-line attacks are generally considerably
presented in this pap er, however, one can vary the
slower than o -line ones. Systems can detect on-
cost of guessing passwords indep endently from most
line attacks fairly easily and defend against them by
other prop erties of the proto col.
slowing the rate of password checking. In contrast,
once an attacker has obtained password veri cation
Whatever progress o ccurs in preventing o -line at-
information, the only protection a system has from
tacks, one can never rule them out entirely. In fact,
o -line attacks is the computational cost of checking
the decision to have an op enly readable password
p otential passwords.
le was not an oversighton the part of the UNIX
system designers [9]. Rather, it was a reaction to
Techniques for mitigating the threat of o -line pass-
the dicultyofkeeping the password le secret in
word guessing generally aspire to one of two goals|
previous systems, and to the realization that a sup-
limiting a system's susceptibility to o -line attacks
p osedly secret password le would need to resist
or increasing their computational cost. As a simple
o -line guessing anyway. This realization remains
example of the former, many mo dern UNIX systems
equally true to day. Aside from the obvious issues
now keep password hashes secret from users, stor-
of backup tap e security, attackers who compromise
ing them in a read-protected shadow password le
UNIX machines routinely make o with the list of
rather than in the standard op enly readable one.
hashed passwords, whether shadowed or not.
Much of the work on preventing o -line password
than schemes more closely tied to passwords. For A p o or hashing algorithm not only complicates re-
example, without mo difying the core proto cols, ssh covery from break-ins, it also endangers other ma-
could easily employ the eksblow sh algorithm pro- chines. People often cho ose the same password on
p osed in this pap er to improve the security of stored multiple machines. Many sites intentionally main-
secret keys. tain identical password les on all machines for ad-
ministrative convenience. While shadow password
les certainly do not hurt security, the big aw in
UNIX password security is not its op enly readable
3 Design criteria for password
password le. Rather, it is the choice of a hash
schemes
function that cannot adapt to a 50,000 fold increase
in the sp eed of hardware and software. This pap er
Any algorithm that takes a user-chosen password as
presents schemes that can adapt to such improve-
input should be hardened against password guess-
ments in eciency.
ing. That means any public or long-lived output
should b e of minimal use in reconstructing the pass-
Others have already prop osed numerous schemes
word. Several design criteria can help achieve this
to increase the cost of guessing passwords. The
goal.
FreeBSD op erating system, for instance, intro duced
a replacement for crypt based on the MD5 [13] mes-
Ideally, one would like any password handling al-
sage digest algorithm. MD5 crypt takes consider-
gorithm to be a strong one-way function of the
ably longer to compute than the original crypt. Yet,
password|that is, given the algorithm's output and
it still has a xed cost and thus cannot not adapt
other inputs, an attacker should have little chance
to faster hardware. As time passes, MD5 crypt of-
of learning even partial information she could not
fers steadily decreasing protection against o -line
already have guessed ab out the password. Unfortu-
guessing attacks. Signi cant optimizations have al-
nately, one-way functions are de ned asymptotically
ready b een found to sp eed up the calculation of
with resp ect to their input lengths|an attacker has
MD5 crypt.
negligible probability of inverting a one-way func-
tion on suciently large inputs, but exactly how
Abadi et. al. [1] prop ose strengthening user-chosen
large dep ends on the attacker. Because there is a
passwords by app ending random bits to them. At
xed limit to the size of passwords users will tol-
authentication time, software uses the known part
erate, we need a di erent criterion for functions on
of the password and a hash of the full password to
passwords.
guess the random bits. As hardware gets faster,
one can easily tune this technique by increasing
Informally,wewould like a password scheme to b e
the number of random bits. Unfortunately, pass-
\as go o d as the passwords users cho ose." Given a
word strengthening inherently gives unauthenti-
probability distribution D on passwords, we de ne
cated users the ability to mount o -line guessing
the predictability R D of the distribution to b e the
attacks. Thus, it cannot be combined with tech-
highest probability Prs of any single password s
niques like SRP that attempt to limit the p ossibility
in D : R D = max Prs. A function of a pass-
s2D
of o -line attacks in the rst place.
word is secure if an attacker's probability of learning
any partial information ab out the password is pro-
Finally, many systems rely less directly on password
p ortional to the pro duct of the work she invests and
security for authentication. The p opular ssh [17]
the predictability of the password distribution.
remote login program, for example, allows users to
authenticate themselves using RSA encryption. Ssh
What do es it mean for an attacker to learn partial
servers must have a user's RSA public key, but they
information ab out a password? We de ne partial in-
need not store any information with which to ver-
formation to b e the value of any single-bit predicate
ify user-chosen passwords. The catch is, of course,
on a password. Interesting predicates on passwords
that users must store their private keys somewhere,
might include the rst bit of a password, or the par-
and this usually means on disk, encrypted with a
ity of bits in a password. An attacker can always
password. Worse yet, ssh uses simple 3-DES to
guess certain predicates with high probability|for
encrypt private keys, making the cost of guessing
instance, the trivial predicate P s = 1 which re-
ssh passwords comparable to the cost of computing
turns 1 on all passwords. If a function of a password
crypt. Nonetheless, b ecause of its exibility, ssh's
is secure, however, its output should not let an at-
RSA authentication is a generally b etter approach
tacker guess any predicate more accurately than she bits:
could have without the function's output.
8D; 8A;
0
More formally, let F s; t b e a function. The argu-
Pr t T; s D; s As; t;
ment s represents a user's secret password, which
0 0
s 6= s ^ F s; t=F s ;t
will be drawn from a probability distribution D .
<jAjR D
The argument t represents any additional non-secret
inputs F might take. Let the values of t b e drawn
from a probability distribution T . We mo del an at-
We should rst note that this de nition matches
1
tacker as a randomized b o olean circuit , A, that
our intuition ab out a password hashing function like
tries to guess a predicate P ab out a password.
crypt. If users cho ose predictable enough passwords,
The cost of an attack|or the work invested by
knowing a password hash gives adversaries a large
an attacker|is the number of gates in the cir-
advantage|they can compare hashes of the most
cuit, which we denote jAj. We use the notation
p opular passwords to that of the password they are
Pr[v S ;v S ; ::: ; B ] to denote the proba-
1 1 2 2
trying to break. If, additionally, one can guess a
bility of statement B after an exp eriment in which
useful predicate without even lo oking at a password
variables v ;v ;::: are drawn from probability dis-
1 2
hash|for instance by knowing that the third char-
tributions S ;S ;:::, resp ectively. Nowwe can de-
1 2
acter of most passwords is a lower-case letter|then
ne what it means for a password function to resist
clearly an adversary can guess this to o.
attack. Wesay that function F s; tisan-secure
password function if the following hold:
If, however, no single password o ccurs with partic-
ularly high probability, an adversary should need
to exp end a large amount of e ort as measured
1. Finding partial information ab out F 's secret in-
in circuit gates to discover any non-trivial infor-
put is as hard as guessing passwords. Put an-
mation ab out a password. Finally,we also wish to
other way, for any password distribution D and
prevent an attacker from nding other strings that
predicate P , an attacker A who guesses P based
hash to the same value as a password; such strings
on output from F will do almost as well when
may prove equivalent to passwords during authen-
F is computed on unrelated passwords:
tication. The requirement of second preimage re-
sistance guarantees such collisions are hard to nd,
8D; 8P; 8A;
even with knowledge of the original password. It
Pr t T; ::: ; t T; s D;
1 c
also ensures that F do es not ignore any bits of its
b At ;Fs; t ;::: ;t ;Fs; t ;
1 1 c c
password input.
b = P s
The de nition implies that a secure password func-