A Future-Adaptable Password Scheme

Home , Bcrypt, Crypt (C), Crypt (Unix), John the Ripper, Password cracking, Salt (cryptography)

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION

The following paper was originally published in the Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference

Monterey, California, USA, June 6–11, 1999

Niels Provos and David Mazières The OpenBSD Project

Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

For more information about the USENIX Association: Phone: 1 510 528 8649 FAX: 1 510 548 5738 Email: [email protected] WWW: http://www.usenix.org

A Future-Adaptable Password Scheme

Niels Provos and David Mazi eres

fprovos,dmg@op enbsd.org

The OpenBSD Project

the face of increasingly p owerful attackers. Abstract

One widespread use of passwords, and a good ex-

Many authentication schemes dep end on secret

ample of failure to adapt, is the UNIX password

passwords. Unfortunately, the length and ran-

system. UNIX, a multi-user op erating system, re-

domness of user-chosen passwords remain xed

quires users to prove their identity b efore accessing

over time. In contrast, hardware improvements

system resources. A user typically b egins a session

constantly give attackers increasing computational

by providing her username and secret password to a

power. As a result, password schemes such as the

traditional UNIX user-authentication system are

word using a system-wide password le. Given the

failing with time.

imp ortance of keeping passwords secret, UNIX do es

not store plaintext passwords in this le. Instead,

This pap er discusses ways of building systems in

it keeps hashes of passwords, using a one-way func-

which password security keeps up with hardware

tion, crypt [9], that can only b e inverted by guessing

sp eeds. We formalize the prop erties desirable in a

preimages. Toverify a password, the login program

good password system, and show that the compu-

hashes the password and compares the result to the

tational cost of any secure password scheme must

appropriate hash in the password le.

increase as hardware improves. We presenttwo al-

gorithms with adaptable cost|eksblow sh, a blo ck

At the time of deployment in 1976, crypt could hash

cipher with a purp osefully exp ensivekey schedule,

fewer than 4 passwords p er second. Since the only

and bcrypt, a related hash function. Failing a ma-

known way of inverting crypt is to guess preim-

jor breakthrough in complexity theory, these al-

ages, the algorithm made passwords very dicult

gorithms should allow password-based systems to

to recover from their hashes|so much so, in fact,

adapt to hardware improvements and remain secure

that the designers of UNIX felt comfortable leaving

well into the future.

the password le readable by all users. Today,over

20 years later, a fast workstation with heavily opti-

mized software can p erform over 200,000 crypt op-

1 Intro duction

erations p er second. Attackers can now exp ediently

discover plaintext passwords by hashing entire dic-

tionaries of common passwords and comparing the

As micropro cessors grow faster, so do es the sp eed

results to entries in a password le. crypt nonethe-

of cryptographic software. Fast cryptography op ens

less still enjoys widespread use, and legacy software

many opp ortunities for making systems more se-

even forces many sites to keep their password les

cure. It renders encryption usable for a wide range

readable by all users.

of applications. It also p ermits larger values of tun-

able security parameters such as key length. In-

Todaywehave authentication schemes considerably

creasing security parameters makes cryptography

more sophisticated than the UNIX password le. In

exp onentially or at least sup erp olynomially more

practice, however, implementations of these schemes

dicult to break, dwar ng any b ene t faster hard-

still often dep end on users rememb ering secret pass-

ware may o er attackers. Unfortunately, one se-

words. There are alternatives, such as issuing sp e-

curity parameter|the length and entropyof user-

cial authentication hardware to users or giving them

chosen passwords|do es not scale at all with com-

printed lists of randomly generated access co des, but

puting p ower. While many systems require users to

these approaches generally inconvenience users or

cho ose secret passwords for authentication, few ac-

incur additional cost. Thus, passwords continue to

tually adapt their algorithms to preserve securityin

attacks has centered around communication over play an imp ortant role in the vast ma jority of user-

insecure networks. If cryptographic proto cols rely authentication systems.

on user-chosen passwords as keys, they may op en

themselves up to o -line guessing attacks. Gong This pap er discusses ways of building systems in

et. al. [7] suggest several proto col design tricks to which password security keeps up with hardware

thwart password guessing by network attackers. Un- sp eeds. We presenttwo algorithms with adaptable

fortunately, their most interesting prop osals require cost|eksblow sh, a blo ck cipher with a purp osefully

encryption algorithms with unusual and dicult to exp ensivekey schedule, and bcrypt, a related hash

achieve prop erties. function. Failing a ma jor breakthrough in complex-

ity theory, these algorithms should allow password-

Several p eople have designed secure password pro- based systems to adapt to hardware improvements

to cols that let users authenticate themselves over and remain secure 20 years into the future.

insecure networks without the need to remember or

certify public keys. Bellovin and Merritt [2, 3] rst The rest of the pap er is organized as follows. In

prop osed the idea, giving several concrete proto- Section 2, we discuss related work on password secu-

cols putatively resistant to o -line guessing attacks. rity. In Section 3, we explain the requirements for a

Patel [11] later cryptanalyzed those proto cols, but go o d password scheme. Section 4 presents eksblow-

p eople have since continued developing and re ning sh, a 64-bit blo ck cipher that lets users tune the

others in the same vein. More recent prop osals such cost of the key schedule. Section 5 intro duces the

as SRP [16] show promise of b eing secure. variable-cost bcrypt password hashing function and

describ es our implementation in the Op enBSD op-

Of course, even a secure password proto col requires erating system. Finally, Section 6 compares bcrypt

some server capable of validating users with correct to two widely-used password hashing functions.

passwords. An attacker who obtains that server's

secret state can mount an o -line guessing attack.

Because secure password proto cols require public

2 Related Work

key cryptography [8], they do have a tunable key

length parameter. However, this parameter pri-

Password guessing attacks can be categorized by

marily controls the diculty of mounting o -line

the amountofinteraction they require with an au-

attacks without a server's secret state; it only in-

thentication system. In on-line attacks, the p erp e-

directly a ects the cost of an o -line attack given

trator must make use of an authentication system

that state. Tuning key length to preserve password

to check each guess of a password. In o -line at-

guessing costs would have other unintended conse-

tacks, an attacker obtains information|such as a

quences, for instance increasing message sizes and

password hash|that allows him to check password

costing servers unnecessary computation. By com-

guesses on his own, with no further access to the

bining a scheme like SRP with the bcrypt algorithm

system. On-line attacks are generally considerably

presented in this pap er, however, one can vary the

slower than o -line ones. Systems can detect on-

cost of guessing passwords indep endently from most

line attacks fairly easily and defend against them by

other prop erties of the proto col.

slowing the rate of password checking. In contrast,

once an attacker has obtained password veri cation

Whatever progress o ccurs in preventing o -line at-

information, the only protection a system has from

tacks, one can never rule them out entirely. In fact,

o -line attacks is the computational cost of checking

the decision to have an op enly readable password

p otential passwords.

le was not an oversighton the part of the UNIX

system designers [9]. Rather, it was a reaction to

Techniques for mitigating the threat of o -line pass-

the dicultyofkeeping the password le secret in

word guessing generally aspire to one of two goals|

previous systems, and to the realization that a sup-

limiting a system's susceptibility to o -line attacks

p osedly secret password le would need to resist

or increasing their computational cost. As a simple

o -line guessing anyway. This realization remains

example of the former, many mo dern UNIX systems

equally true to day. Aside from the obvious issues

now keep password hashes secret from users, stor-

of backup tap e security, attackers who compromise

ing them in a read-protected shadow password le

UNIX machines routinely make o with the list of

rather than in the standard op enly readable one.

hashed passwords, whether shadowed or not.

Much of the work on preventing o -line password

than schemes more closely tied to passwords. For A p o or hashing algorithm not only complicates re-

example, without mo difying the core proto cols, ssh covery from break-ins, it also endangers other ma-

could easily employ the eksblow sh algorithm pro- chines. People often cho ose the same password on

p osed in this pap er to improve the security of stored multiple machines. Many sites intentionally main-

secret keys. tain identical password les on all machines for ad-

ministrative convenience. While shadow password

les certainly do not hurt security, the big aw in

UNIX password security is not its op enly readable

3 Design criteria for password

password le. Rather, it is the choice of a hash

schemes

function that cannot adapt to a 50,000 fold increase

in the sp eed of hardware and software. This pap er

Any algorithm that takes a user-chosen password as

presents schemes that can adapt to such improve-

input should be hardened against password guess-

ments in eciency.

ing. That means any public or long-lived output

should b e of minimal use in reconstructing the pass-

Others have already prop osed numerous schemes

word. Several design criteria can help achieve this

to increase the cost of guessing passwords. The

goal.

FreeBSD op erating system, for instance, intro duced

a replacement for crypt based on the MD5 [13] mes-

Ideally, one would like any password handling al-

sage digest algorithm. MD5 crypt takes consider-

gorithm to be a strong one-way function of the

ably longer to compute than the original crypt. Yet,

password|that is, given the algorithm's output and

it still has a xed cost and thus cannot not adapt

other inputs, an attacker should have little chance

to faster hardware. As time passes, MD5 crypt of-

of learning even partial information she could not

fers steadily decreasing protection against o -line

already have guessed ab out the password. Unfortu-

guessing attacks. Signi cant optimizations have al-

nately, one-way functions are de ned asymptotically

ready b een found to sp eed up the calculation of

with resp ect to their input lengths|an attacker has

MD5 crypt.

negligible probability of inverting a one-way func-

tion on suciently large inputs, but exactly how

Abadi et. al. [1] prop ose strengthening user-chosen

large dep ends on the attacker. Because there is a

passwords by app ending random bits to them. At

xed limit to the size of passwords users will tol-

authentication time, software uses the known part

erate, we need a di erent criterion for functions on

of the password and a hash of the full password to

passwords.

guess the random bits. As hardware gets faster,

one can easily tune this technique by increasing

Informally,wewould like a password scheme to b e

the number of random bits. Unfortunately, pass-

\as go o d as the passwords users cho ose." Given a

word strengthening inherently gives unauthenti-

probability distribution D on passwords, we de ne

cated users the ability to mount o -line guessing

the predictability R D of the distribution to b e the

attacks. Thus, it cannot be combined with tech-

highest probability Prs of any single password s

niques like SRP that attempt to limit the p ossibility

in D : R D = max Prs. A function of a pass-

s2D

of o -line attacks in the rst place.

word is secure if an attacker's probability of learning

any partial information ab out the password is pro-

Finally, many systems rely less directly on password

p ortional to the pro duct of the work she invests and

security for authentication. The p opular ssh [17]

the predictability of the password distribution.

remote login program, for example, allows users to

authenticate themselves using RSA encryption. Ssh

What do es it mean for an attacker to learn partial

servers must have a user's RSA public key, but they

information ab out a password? We de ne partial in-

need not store any information with which to ver-

formation to b e the value of any single-bit predicate

ify user-chosen passwords. The catch is, of course,

on a password. Interesting predicates on passwords

that users must store their private keys somewhere,

might include the rst bit of a password, or the par-

and this usually means on disk, encrypted with a

ity of bits in a password. An attacker can always

password. Worse yet, ssh uses simple 3-DES to

guess certain predicates with high probability|for

encrypt private keys, making the cost of guessing

instance, the trivial predicate P s = 1 which re-

ssh passwords comparable to the cost of computing

turns 1 on all passwords. If a function of a password

crypt. Nonetheless, b ecause of its exibility, ssh's

is secure, however, its output should not let an at-

RSA authentication is a generally b etter approach

tacker guess any predicate more accurately than she bits:

could have without the function's output.

8D; 8A;

More formally, let F s; t b e a function. The argu-

Pr t T; s D; s As; t;

ment s represents a user's secret password, which

0 0

s 6= s ^ F s; t=F s ;t

will be drawn from a probability distribution D .

<jAjR D

The argument t represents any additional non-secret

inputs F might take. Let the values of t b e drawn

from a probability distribution T . We mo del an at-

We should rst note that this de nition matches

tacker as a randomized b o olean circuit , A, that

our intuition ab out a password hashing function like

tries to guess a predicate P ab out a password.

crypt. If users cho ose predictable enough passwords,

The cost of an attack|or the work invested by

knowing a password hash gives adversaries a large

an attacker|is the number of gates in the cir-

advantage|they can compare hashes of the most

cuit, which we denote jAj. We use the notation

p opular passwords to that of the password they are

Pr[v S ;v S ; ::: ; B ] to denote the proba-

1 1 2 2

trying to break. If, additionally, one can guess a

bility of statement B after an exp eriment in which

useful predicate without even lo oking at a password

variables v ;v ;::: are drawn from probability dis-

1 2

hash|for instance by knowing that the third char-

tributions S ;S ;:::, resp ectively. Nowwe can de-

1 2

acter of most passwords is a lower-case letter|then

ne what it means for a password function to resist

clearly an adversary can guess this to o.

attack. Wesay that function F s; tisan-secure

password function if the following hold:

If, however, no single password o ccurs with partic-

ularly high probability, an adversary should need

to exp end a large amount of e ort as measured

1. Finding partial information ab out F 's secret in-

in circuit gates to discover any non-trivial infor-

put is as hard as guessing passwords. Put an-

mation ab out a password. Finally,we also wish to

other way, for any password distribution D and

prevent an attacker from nding other strings that

predicate P , an attacker A who guesses P based

hash to the same value as a password; such strings

on output from F will do almost as well when

may prove equivalent to passwords during authen-

F is computed on unrelated passwords:

tication. The requirement of second preimage re-

sistance guarantees such collisions are hard to nd,

8D; 8P; 8A;

even with knowledge of the original password. It

Pr t T; ::: ; t T; s D;

1 c

also ensures that F do es not ignore any bits of its

b At ;Fs; t ;::: ;t ;Fs; t ;

1 1 c c

password input.

b = P s

The de nition implies that a secure password func-

Pr t T; ::: ; t T; s D;

1 c

tion F s; tmust make non-trivial use of its second

b At ;Fs; t ;::: ;t ;Fs; t ;

1 1 c c

argument, t. To see this, consider that the rst bit

0 0

s D ; b = P s

of F s; 0 is a p erfectly valid predicate on passwords.

An attacker could easily guess this predicate if either

< jAjR D

F ignored its second argument or the string 0 oc-

curred in T with high probability. This p oint is not

2. Finding second preimages is as hard as guess-

merely an academic one. A single-input password

ing passwords. A second preimage of an input

hashing function F s can b e inverted by a circuit

s; t is a di erent password s 6= s for which

large enough to enco de a lo okup table mapping F s

F s; t=F s ;t. Here we mo del the attacker

or suciently many bits of F s to s. The size of

A as a randomized circuit with multiple output

such a circuit dep ends only on the probability dis-

tribution of the passwords, not on the particulars

Bo olean circuits are a complexity theoretic abstraction.

A b o olean circuit is an acyclic collection of interconnected

of F .

gates. Each gate computes a b o olean function of 0, 1 or 2

single-bit inputs. A randomized b o olean circuit takes a cer-

As prop osed by Morris and Thompson [9], however,

tain numb er of random input bits in addition to its regular

lo okup tables can b e thwarted with the second in-

inputs.

put to F , which they call a salt. If a random salt

is chosen whenever users establish new passwords, and if the salt space is large enough to ensure a neg-

ligible probability of recurrence, lo okup tables o er p ossible for the setting in which it will op erate. The

an adversary no advantage; he mayaswell compute designers of crypt failed to do this. They based crypt

F at the time of attack. If, on the other hand, the on DES [10], a particularly inecient algorithm to

salt space is to o small, the output bits of F b ecome implement in software b ecause of many bit transp o-

useful predicates on passwords, a fact exploited by sitions. They discounted hardware attacks, in part

the QCrack [12] program describ ed in Section 6. b ecause crypt cannot b e calculated with sto ck DES

hardware. Unfortunately, Biham [4] later discovered

While salted passwords defeat lo okup tables, given a software technique known as bitslicing that elim-

a particular salt and hash, an adversary can still inates the cost of bit transp ositions in computing

mount a brute force attackbyevaluating F s; ton many simultaneous DES encryptions. While bitslic-

every p ossible password. It follows that the b est se- ing won't help anyone log in faster, it o ers a stag-

curity one can achieveis 1=jF j, where jF j is the gering sp eedup to brute force password searches.

cost in gates of implementing F . Usability require-

ments therefore e ect a lower limit on |if p eople In general, a password algorithm, whatever its cost,

can only tolerate a one second delay for checking should execute with near optimal eciency in any

passwords, F can take at most one second to eval- setting in which it sees legitimate use, while o ering

uate. F should not take signi cantly less, however, little opp ortunity for sp eedup in other contexts. It

as this would unnecessarily weaken security. should rely heavily on a CPU's fast instructions|

for instance addition, bitwise exclusive-or, shifts,

The numb er of gates jAj that an adversary can rea- and memory access to state that ts in a pro cessor's

sonably muster for an attack increases constantly rst level cache. Ideally these op erations should all

as hardware improves. Fortunately, so do es the b e p ortably accessible from high-level languages like

sp eed of machines that must legitimately evaluate C, so as to minimize the b ene t of hand-co ded as-

F . That means passwords should not b e hashed by sembly language implementations. Conversely, the

a single function F with xed computational cost, algorithm should avoid op erations like bit transp o-

but rather by one of a family of functions with ar- sition on which customized hardware enjoys a large

bitrarily high cost. Instead of rep eatedly throwing advantage.

out functions like crypt and MD5 crypt to start over

with more exp ensive but incompatible ones, systems A password function should also not lend itself to

should allow the cost of any password manipulation any kind of pip elined hardware implementation. It

software to scale gracefully with a tunable param- should p ermit relatively little sp eedup from any

eter. Thus, can decrease as fast as hardware im- kind of precomputation|for instance, hashing 1,000

proves and users will tolerate. Compromised pass- passwords with the same salt and hashing one pass-

word databases will then enjoy maximum security word under 1,000 salts should each cost 1,000 times

against o -line attacks. more than hashing a single password.

In summary, a good password function makes ex-

tracting any partial information ab out passwords

4 Eksblow sh Algorithm

as dicult as guessing passwords. A concrete pa-

rameter, , should characterize this diculty. To

Wenow describ e a cost parameterizable and salted

achieve low values of , a password function must

blo ck cipher that we call eksblow sh for exp ensive

take a second input, the salt, that prevents adver-

key schedule blow sh. Eksblow sh is designed to

saries from b ene ting from large lo okup tables. The

take user-chosen passwords as keys and resist at-

b est value of is inversely prop ortional to the cost

tacks on those keys. As its base we use the blow-

of evaluating a password function. This establishes

sh [15] blo ck cipher by Schneier, which is well-

a lower limit for based on the maximum tolera-

established and has b een fairly well analyzed.

ble cost of evaluating F during legitimate use. As

hardware sp eeds constantly improve, a good pass-

Blow sh is a 64-bit blo ck cipher, structured as a 16-

word scheme should allow the cost of F to increase

round Feistel network [14]. It uses 18 32-bit subkeys,

gradually so that can decrease over time.

P ;::: ;P , which it derives from the encryption

1 18

key. The subkeys are known collectively as the P-

One nal criterion for a go o d password function is

Array.

then to minimize the value jF j. That means one

should make any password function as ecient as

Blow sh encrypts by splitting a 64-bit input blo ck

Plaintext

w shSetup cost, salt, key

32 bit64 bit 32 bit EksBlo

state InitState

ExpandKey state, salt, key 32 bit state

cost

2 32 bit 32 bit rep eat

state ExpandKey state,0, salt

state ExpandKey state,0, key

return state P2

Eksblow sh, exp ensivekey schedule blow-

13 More Iterations Figure 2:

sh, is a cost parameterizable and salted variation

P16

of the blow sh blo ck cipher.

w sh encrypts identically to Blow sh. The

P18 P17 Eksblo

wo di er in the functions they use to transform en-

32 bit 32 bit t

keys into subkeys and S-b oxes. Figure 2 64 bit cryption

Ciphertext

sketches EksBlow shSetup, the algorithm used by

eksblow sh. EksBlow shSetup has three input pa-

Figure 1: Blow sh Feistel network with F b eing the

rameters: a cost, a salt, and the encryption key. It

Feistel function, using only mo dular addition and

returns a set of subkeys and S-b oxes, also known as

XOR.

a key schedule.

into two 32-bit halves, L and R . The most-

The cost parameter controls how exp ensive the key

0 0

signi cant half, L ,isXORed with subkey P , and

schedule is to compute. The salt is a 128-bit value

0 0

used as input for a function F . The result of that

that mo di es the key schedule so that the same key

function is XORed with the least-signi cant half,

need not always pro duce the same result, as moti-

R . The two halves are then swapp ed, and the

vated by Section 3. Finally, the key argumentisa

whole pro cess rep eated another 15 times for a to-

secret encryption key, which can be a user-chosen

tal of 16 iterations. Thus, for 1 i 16, letting

password of up to 56 bytes including a terminating

denote XOR:

zero byte when the key is an ASCI I string.

R = L P ;

i i1 i

EksBlow shSetup b egins by calling InitState, a func-

L = R F R :

i i1 i

tion that copies the digits of the number rst into

the subkeys, then into the S-b oxes.

After 16 rounds, the two halves are swapp ed again

undoing the e ect of the 16th swap, and each half

ExpandKeystate, salt, key mo di es the P-Array

is XORed with another 32-bit subkey:

and S-b oxes based on the value of the 128-bit salt

R = L P ;

17 16 17

and the variable length key. First it XORs all the

L = R P :

subkeys in the P-array with the encryption key. The

17 16 18

rst 32 bits of the key are XORed with P , the next

This pro cess is illustrated graphically in Figure 1.

32 bits with P , and so on. The key is viewed as

b eing cyclic; when the pro cess reaches the end of

The function F in Blow sh uses four arrays,

the key, it starts reusing bits from the b eginning to

S ;::: ;S , derived from the encryption key. Each

1 4

XOR with subkeys.

array contains 256 32-bit words. The arrays act

as substitution b oxes or S-boxes, replacing an 8-bit

Subsequently, ExpandKey blow sh-encrypts the

input with a 32-bit output. F splits its 32-bit in-

rst 64 bits of its salt argument using the current

put into four 8-bit bytes, a, b, c, and d, with a the

state of the key schedule. The resulting ciphertext

most signi cantbyte. It replaces eachbyte by the

replaces subkeys P and P . That same ciphertext is

1 2

contents of an S-b ox, and combines the results as

also XORed with the second 64-bits of salt, and the

follows: Letting signify addition mo dulo 2 :

result encrypted with the new state of the key sched-

ule. The output of the second encryption replaces

F a; b; c; d= S [a] S [b] S [c] S [d]:

1 2 3 4

subkeys P and P . It is also XORed with the rst

3 4

b crypt cost, salt, pwd

64-bits of salt and encrypted to replace P and P .

5 6

state EksBlow shSetup cost, salt, key

The pro cess continues, alternating b etween the rst

ctext \OrpheanBeholderScryDoubt"

and second 64 bits salt. When ExpandKey nishes

rep eat 64

replacing entries in the P-Array, it continues on re-

ctext EncryptECB state, ctext

placing S-b oxentries two at a time. After replacing

return Concatenate cost, salt, ctext

the last two entries of the last S-b ox, S [254] and

S [255], ExpandKey returns the new key schedule.

In computing ExpandKeystate, 0, key, a blo ckof

Figure 3: The b crypt algorithm for hashing UNIX

128 0 bits is used instead of the salt. This is equiv-

passwords, based on eksblow sh.

alent to a single iteration of the standard blow sh

key schedule. The call to ExpandKeystate, 0, salt

simply treats the salt as a 16-byte key.

time is sp ent in the exp ensivekey schedule. Follow-

ing that, the 192-bit value \OrpheanBeholderScry-

After calling InitState to ll a new key schedule with

Doubt" is encrypted 64 times using eksblow sh in

the digits of , EksBlow shSetup calls ExpandKey

ECB mo de with the state from the previous phase.

with the salt and key. This ensures that all sub-

The output is the cost and 128-bit salt concatenated

sequent state dep ends on b oth, and that no part

with the result of the encryption lo op.

of the algorithm can b e precomputed without b oth

salt and key. Thereafter, ExpandKey is alternately

In Section 3, we derived that an -secure pass-

cost

called with the salt and then key for 2 iterations.

word function should ful ll several imp ortant cri-

For all but the rst invo cation of ExpandKey, the

teria: second preimage-resistance, a salt space large

second argument is a blo ck of 128 0 bits. This more

enough to defeat precomputation attacks, and an

closely resembles the original blow sh key schedule,

adaptable cost. We b elieve that Bcrypt achieves all

and also allows EksBlow shSetup to b e implemented

three prop erties, and that it can be -secure with

more eciently on CPU architectures with few reg-

useful values of for years to come. Though we can-

isters.

not formally prove bcrypt -secure, any awwould

likely deal a serious blow to the well-studied blow-

We hop e that the unpredictable and changing con-

sh encryption algorithm.

tent of the P-array and S-Boxes will reduce the ap-

plicabilityofyet unknown optimizations. Addition-

5.1 Implementation

ally the eksblow sh S-Boxes require 4 KB of con-

stantly accessed and mo di ed memory. Thus, the

Wehave implemented bcrypt and deployed it as part

S-Boxes cannot be shared across key schedules|

of the Op enBSD op erating system. Bcrypt has b een

separate S-Boxes must exist for every simultaneous

the default password scheme since Op enBSD 2.1.

execution. This vastly limits the usefulness of any

attempts to pip eline the Feistel network in hard-

An imp ortant requirementofany bcrypt implemen-

ware.

tation is that it exploit the full 128-bit salt space.

Op enBSD generates the 128-bit bcrypt salt from an

arcfour arc4random3 key stream, seeded with

5 Bcrypt Algorithm

random data the kernel collects from device timings.

The problems present in traditional UNIX pass-

Op enBSD lets administrators select a password

word hashes led naturally to a new password scheme

hashing scheme through a sp ecial con guration le,

which we call bcrypt, referring to the Blow sh en-

passwd.conf5. passwd.conf allows detailed control

cryption algorithm. Bcrypt uses a 128-bit salt and

over whichtyp e of password to use for a given user

encrypts a 192-bit magic value. It takes advantage

or group. It also p ermits di erent password schemes

of the exp ensivekey setup in eksblow sh.

for lo cal and YP passwords. For bcrypt, one can also

sp ecify the cost. This lets p eople adjust password

The bcrypt algorithm runs in two phases, sketched

veri cation time for increasing pro cessor sp eed. At

in Figure 3. In the rst phase, EksBlow shSetup

the time of publication, the default cost is 6 for a

is called with the cost, the salt, and the password,

normal user and 8 for the sup eruser. Of course,

to initialize eksblow sh 's state. Most of b crypt's

At the time traditional crypt was conceived, it was whatever cost p eople cho ose should b e reevaluated

fast enough for authentication but to o costly for from time to time.

password guessing to be practical. Today, we are

aware that it exhibits three serious limitations: the To di erentiate between passwords hashed by dif-

restricted password space, the small salt space, and ferent algorithms, every password function other

the constant execution cost. In contrast, bcrypt al- than the original crypt pre xes its output with a

lows for longer passwords, has salts large enough version identi er. Thus a single password le can

to b e unique over all time, and has adaptable cost. contain several typ es of password. In the cur-

These limitiations therefore do not apply to bcrypt. rent Op enBSD implementation, bcrypt passwords

start with \$2a$", while MD5 crypt passwords with

\$1$." Because the result of traditional crypt never

b egins with a \$", there is never anyambiguity.

6.1.2 MD5 crypt

MD5 crypt was written byPoul-Henning Kamp for

6 Bcrypt Evaluation

FreeBSD. The main reason for using MD5 was to

avoid problems with American exp ort prohibitions

Because bcrypt has adjustable cost, we cannot

on cryptographic pro ducts, and to allow for a longer

meaningfully evaluate the p erformance of the algo-

password length than the 8 characters used by DES

rithm on its own. Instead, we will place it in the

crypt. The password length is restricted only by

context of two p opular password hashing functions.

MD5's maximum message size of 2 bits. The salt

We describ e various attacks and optimizations these

can vary from 12 to 48 bits.

functions have undergone, and discuss the applica-

bility of the same techniques to bcrypt.

MD5 crypt hashes the password and salt in a num-

b er of di erent combinations to slowdown the eval-

6.1 Comparison

uation sp eed. Some steps in the algorithm makeit

doubtful that the scheme was designed from a cryp-

tographic p oint of view|for instance, the binary

In the following, we give a brief overview of two

representation of the password length at some p oint password hashing functions in widespread use to day,

determines which data is hashed, for every zero bit and state their main di erences from bcrypt.

the rst byte of the password and for every set bit

the rst byte of a previous hash computation.

6.1.1 Traditional crypt

The output is the concatenation of the version iden-

ti er \$1$", the salt, a \$" separator, and the 128-

Traditional crypt3's design rationale dates backto

bit hash output.

1976 [9]. It uses a password of up to eightcharacters

asakey for DES [10]. The 56-bit DES key is formed

MD5 crypt places virtually no limit on the size

by combining the low-order 7 bits of eachcharacter

of passwords, while bcrypt has a maximum of

in the password. If the password is shorter than 8

55 bytes. We do not consider this a serious lim-

characters, it is padded with zero bits on the right.

itation of bcrypt, however. Not only are users un-

likely to cho ose such long passwords, but if they did,

A 12-bit salt is used to p erturb the DES algorithm,

MD5 crypt 's 128-bit output size would b ecome the

so that the same password plaintext can pro duce

limiting factor in security. A brute force attacker

4,096 p ossible password encryptions. A mo di ca-

could more easily nd short strings hashing to the

tion to the DES algorithm, swapping bits i and i +24

same value as a user's password than guess the ac-

in the DES E-Box output when bit i is set in the

tual password. Finally, like DES crypt, MD5 crypt

salt, achieves this while also making DES encryption

has xed cost.

hardware useless for password guessing.

6.2 Attacks and Vulnerabilities

The 64-bit constant \0" is encrypted 25 times with

the DES key. The nal output is the 12-bit salt

Once an attacker has obtained a list of password

concatenated with the encrypted 64-bit value. The

hashes, passwords can b e guessed by comparing the

resulting 76-bit value is reco ded into 13 printable

target list to a list of hashes of candidate passwords.

ASCI I characters.

10 26 36 52 62 95

n digits lowercase lowercase mixed case mixed case keyb oard

alphanumeric alphanumeric characters

4 0:04 sec 1:9 sec 7 sec 30:5 sec 61:6 sec 5:7 min

5 0:4 sec 49:5 sec 4:2 min 26:4 min 1:1 hours 9 hours

6 4:2 sec 21:5 min 2:5 hours 22:9 hours 2:7 days 35:5 days

7 41:6 sec 9:3 hours 3:8 days 49:6 days 169 days 9:2 years

8 6:9 min 10 days 136 days 7 years 28:8 years 875 years

9 1:2 hours 261 days 13:4 years 366 years 1786 years 83180 years

Table 1: Time required to test a single password against a sp eci ed password space when b eing able to

p erform 240; 000 evaluations of crypt p er second. Password spaces ab ove the separation can b e searched

completely within 4 days. However this do es not imply that passwords chosen from b elow the separation

are secure against password guessing. These times are normal for traditional crypt nowadays.

roughly b e determined as This task is facilitated by the fact that users tend to

cho ose predictable passwords. In the following, we

numb er of passwords

will present commonly used techniques and evaluate

numb er of di erent salts

how they a ect the securityof bcrypt.

The most common metho d is known as a dictionary

If salts are generated with a go o d random number

attack. It is based on the knowledge that many

generator, the exp ected numb er of di erent salts for

users cho ose their passwords in a very predictable

n password entries with s p ossible salts is

way. Often a user's password can b e found in a dic-

tionary or is the name of a close relative with small

mo di cations, e.g., \Susan1" or \neme$i$". The at-

s 1

tacker compiles a list of common names and words.

n 1n

EV n; s= = s s 1 s :

For a given salt, the words in the list are hashed

i=0

with the password scheme and compared with en-

tries of the same salt in the password le. If there

is a match, the plaintext password has b een found.

Ina15; 000 entry password le, a space of 2 salts

ensures with high probability that every salt will b e

Commonly, lists of likely passwords contain hun-

unique. For 2 p ossible salts, on the other hand, we

dreds of thousands of words. A dictionary attack

can only exp ect ab out 3; 991 di erent salts. At2

is only feasible when the one-way function can be

p ossible salts, the numb er b ecomes 14; 994. In prac-

computed quickly. Bcrypt 's cost can be made as

tice, however, we nd that the numb er of salt colli-

high as tolerable by legitimate users, rendering dic-

sions is generally higher than exp ected. The reason

tionary attacks impractically slow.

is that many op erating systems generate p o or ran-

dom numb ers.

6.2.1 Salt Collisions

6.2.2 Precomputing Dictionaries

A salt col lision o ccurs when two password enco d-

ings use the same salt. Ideally, there should b e no

Using precomputation, an attacker can build a list

salt col lisions|the salts of di erent password en-

of the hashes of every common password under ev-

co dings should be di erent even across password

ery p ossible salt, and store this list on mass data

les. Because traditional crypt uses only 4,096 dif-

storage. Inverting the hash of a common password

ferent salts, it leads to many collisions, as illus-

then b ecomes a simple lo okup in a database, with

trated in Figure 4. To optimize dictionary attacks,

little computational cost.

an attacker can group encrypted passwords by salt,

and hash each candidate password from a dictio-

The 1934 edition of the Webster Dictionary con-

nary only once p er salt. The resulting sp eedup can

tains, after truncation to 8 characters and duplicate

removal, 171,395 unique entries. Using standard

h he called bitslicing [4]. By 4000 mization of DES whic

> 2^41 2^12

replacing DES's S-Boxes with a logic gate circuit, One

3000 one can reduced DES to a set of bit op erations.

can then treat a 64-bit pro cessor as 64 parallel one-

h implementing the circuit. 2000 bit pro cessors, eac

1000 On a 300MHz Alpha 8400 pro cessor, Biham gained ab out a factor of 5 sp eedup using bitsliced DES. His

Number of different salts

tation encrypted 137 Mb/sec on average, 0 implemen

0 4000 8000 12000

to Eric Young's lib des, which achieved

Number of password file entries compared

only 28 Mb/sec.

Figure 4: Distribution of exp ected di erent salts

For MD5 crypt the situation is similar. In \John

dep ending on the salt space against the number of

the Ripp er" [5] a considerable sp eedup was made

entries in a password le.

by simplifying MD5 crypt 's central computing lo op.

Bitslicing relies on the fact that DES's S-b oxes are

crypt, the result of hashing every dictionary word

xed and well known. In contrast, Bcrypt 's S-b oxes

under every p ossible 12-bit salt would t on a single

change constantly over the course of the algorithm,

9 GB hard disk.

and take on di erent values for every combination

of password and salt. Bitslicing cannot b e applied

One can do b etter, however, by storing less than the

to bcrypt.

full output of crypt in a database. The QCrack [12]

password cracking program takes exactly this ap-

proach. QCrack precomputes a database of common

passwords hashed under every salt. Rather than

6.2.4 Hardware Improvements

store the full 13 character output of crypt, it further

hashes crypt 's output down to a single byte. When

In 1977 on a VAX-11/780, crypt could b e evaluated

cracking a password from the dictionary, QCrack

ab out 3:6 times per second. In the last 20 years,

uses the database to rule out 255 of every 256 can-

machine sp eed has increased dramatically and the

didate passwords without needing to compute their

algorithm has b een optimized in various ways.

hashes. A QCrack database of the Webster Dic-

tionary consumes only 670 MB. QCrack could store

The Electronic Frontier Foundation built a DES

hashes of approximately 2; 350; 000 words on a 9 GB

cracker in 1998 and was able to crack a 56-bit key in

hard disk.

56 hours with an average search rate of ab out 88 10

keys per second [6]. While the EFF DES cracker

Bcrypt has a large enough salt space to make stor-

cannot b e used for password guessing, a comparable

ing even one bit of information p er salt completely

machine could crack traditional crypt by brute force

intractable. Moreover, the algorithm makes imme-

in 22 days, compared to 875 years on the fastest al-

diate use of the password and salt from the very b e-

pha pro cessor to whichwe had access.

ginning. Thus, b efore knowing a target password's

salt, there is not even an intermediary state of the

The impact of increasing pro cessor sp eed and b etter

algorithm that can b e usefully precomputed.

optimization of the password hashing algorithm is

shown in Figure 5.

6.2.3 Algorithm Optimization

Both traditional and MD5 crypt op erate with a

xed numb er of rounds. On a mo dern Alpha pro ces-

sor, traditional crypt can already b e computed fast

Since a guessing attack on a password function in-

enough to render it unusable with readable pass-

volves rep eated evaluation of the function, any op-

word les. When using sp ecialized DES hardware,

timization of the function will reduce the compu-

the computing time can b e reduced again by several

tational cost of an attack, making the attack more

orders of magnitude.

practical.

Neither traditional nor MD5 crypt supp ort avari-

Biham recently discovered a notable software opti- 214000 crypts/sec

12500 Traditional DES Crypt 10000 Bitsliced DES Crypt 850 2500 MD5 Crypt 1000 BCrypt (2**5 rounds) 335 * estimated 100 69 62.5 22.5

10 6.5 3.6

Original Generic Library John the Ripper V1.5 John the Ripper V1.5 VAX-11/780* OpenBSD 2.3 x86 Assembler

1977 P5 133 MHz P5 133 MHz Alpha 21164A 600MHz

Figure 5: Impact of Algorithm Optimization and Advance in Pro cessors

able number of rounds. With increasing pro cess- it compares favorably to the two previous hash-

ing p ower, these functions b ecome steadily easier to ing algorithms. No surprise optimizations haveyet

compute. In contrast, bcrypt will adapt to more turned up. As hardware sp eeds increase, Op enBSD

powerful attackers. Moreover, its inner lo op re- lets one preserve the cost of o -line password crack-

lies exclusively on op erations that are ecient on ing by tuning a simple con guration le.

general-purp ose CPUs, leaving little opp ortunity for

sp ecialized hardware to achieve dramatic improve-

ments.

8 Acknowledgments

We thank Solar Designer for helpful discussions on

7 Conclusion

optimization and aws of password schemes. We

further thank Angelos D. Keromytis, Peter Honey-

man, Rob ert T. Morris, and Frans Kaasho ek for re-

Many authentication schemes dep end on secret

marks and suggestions.

passwords. Unfortunately, the length and entropy

of the passwords users cho ose remain xed over

time. In contrast, hardware constantly improves,

References

giving attackers increasing computational power.

As a result, password schemes including the tradi-

[1] Mart n Abadi, T. Mark A. Lomas, and Roger Need-

tional UNIX user-authentication system are failing

ham. Strengthening passwords. Technical note

to withstand o -line password guessing attacks.

1997-033, DEC Systems Research Center, Septem-

b er 1997.

In this pap er, we formalize the notion of a password

[2] Steven M. Bellovin and Michael Merritt. Encrypted

scheme \as good as the passwords users cho ose,"

key exchange: Password-based proto cols secure

and show that the computational cost of such a

against dictionary attacks. In Proceedings of the

scheme must necessarily increase with the sp eed of

1992 IEEE Symposium on Security and Privacy,

hardware. We prop ose two algorithms of parame-

Oakland, CA, May 1992.

terizable cost for use with passwords. Eksblow sh,a

[3] Steven M. Bellovin and Michael Merritt. Aug-

blo ck cipher, lets one safely store encrypted private

mented encrypted key exchange. In Proceedings

keys on disk. Bcrypt, a hash function, can replace

of the First ACM Conference on Computer and

the UNIX password hashing function or serve as

Communications Security, pages 224{250, Oak-

land, CA, Novemb er 1993.

a front-end to secure password proto cols like SRP.

We have deployed bcrypt as part of the Op enBSD

[4] Eli Biham. A Fast New DES Implementation in

op erating system's password authentication. So far, Software. In Fast Software Encryption, 4th In-

ternational Workshop Proceedings, pages 260{271.

Springer-Verlag, 1997.

[5] Solar Designer. John the Ripp er.

http://www.false.com/security /john .

[6] Electronic Frontier Foundation. Cracking DES.

O'Reilly and Asso ciates, 1998.

[7] Li Gong, T. Mark A. Lomas, Roger M. Needham,

and Jerome H. Saltzer. Protecting p o orly chosen

secrets from guessing attacks. IEEE Journal on

SelectedAreas in Communications, 115:648{656,

June 1993.

[8] Shai Halevi and Hugo Krawczyk. Public-key cryp-

tography and password proto cols. In Proceedings of

the 5th ACM Conference on Computer and Com-

munications Security, 1998.

[9] Rob ert Morris and Ken Thompson. Password Secu-

rity: A Case History. Communications of the ACM,

2211:594{597, Novemb er 1979.

[10] National Bureau of Standards. Data Encryption

Standard, January 1977. FIPS Publication 46.

[11] Sarvar Patel. Numb er theoretic attacks on secure

password schemes. In Proceedings of the 1997 IEEE

Symposium on Security and Privacy, pages 236{

247, Oakland, CA, May 1997.

[12] QCrack. ftp://chaos.infospace.com/pu b/

qcrack/qcrack-1.02.tar.gz.

[13] R. L. Rivest. The MD5 Message Digest Algorithm.

RFC 1321, Apr 1992.

[14] Michael Ruby. Pseudorandomness and Crypto-

graphic Applications. Princeton Computer Science

Notes, 1996.

[15] Bruce Schneier. Description of a New Variable-

Length Key, 64-Bit Blo ck Cipher Blow sh. In

Fast Software Encryption, Cambridge Security

Workshop Proceedings, pages 191{204. Springer-

Verlag, Decemb er 1993.

[16] Thomas Wu. The secure remote password proto col.

In Proceedings of the 1998 Internet Society Network

and Distributed System Security Symposium, pages

97{111, San Diego, CA, March 1998.

[17] Tatu Ylonen. SSH { secure login connections over

the Internet. In Proceedings of the 6th USENIX

Security Symposium, pages 37{42, July 1996.