On the Economics of Offline Password Cracking

Explore an economic model of offline password cracking in this IEEE Symposium on Security & Privacy conference talk. Delve into quantitative predictions about the fraction of accounts a rational attacker would crack after an authentication server breach. Examine analyses of major password breaches at Yahoo!, Dropbox, LastPass, and AshleyMadison, revealing insufficient protection despite key-stretching measures. Discover evidence supporting Zipf's law distribution in user passwords and learn about the finite threshold determining an attacker's optimal strategy. Investigate how memory hard functions like SCRYPT or Argon2i can significantly mitigate offline attack damage. Gain insights into recommended updates for password hashing standards, emphasizing the importance of memory hard functions and discouraging the use of non-memory hard functions like BCRYPT or PBKDF2.