Paper 2015/265

Password Hashing Competition - Survey and Benchmark

George Hatzivasilis, Ioannis Papaefstathiou, and Charalampos Manifavas

Abstract

Password hashing is the common approach for maintaining users' password-related information that is later used for authentication. A hash for each password is calculated and maintained at the service provider end. When a user logins the service, the hash of the given password is computed and contrasted with the stored hash. If the two hashes match, the authentication is successful. However, in many cases the passwords are just hashed by a cryptographic hash function or even stored in clear. These poor password protection practises have lead to efficient attacks that expose the users' passwords. PBKDF2 is the only standardized construction for password hashing. Other widely used primitives are bcrypt and scrypt. The low variety of methods derive the international cryptographic community to conduct the Password Hashing Competition (PHC). The competition aims to identify new password hashing schemes suitable for widespread adoption. It started in 2013 with 22 active submissions. Nine finalists are announced during 2014. In 2015, a small portfolio of schemes will be proposed. This paper provides the first survey and benchmark analysis of the 22 proposals. All proposals are evaluated on the same platform over a common benchmark suite. We measure the execution time, code size and memory consumption of PBKDF2, bcrypt, scrypt, and the 22 PHC schemes. The first round results are summarized along with a benchmark analysis that is focused on the nine finalists and contributes to the final selection of the winners.

Note: This paper provides the first survey and benchmark analysis of the Password Hashing Competition (PHC) submissions.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint. MINOR revision.
Keywords
PHCpassword hashingkey deviation
Contact author(s)
gchatzivasilis @ isc tuc gr
History
2015-03-23: received
Short URL
https://ia.cr/2015/265
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/265,
      author = {George Hatzivasilis and Ioannis Papaefstathiou and Charalampos Manifavas},
      title = {Password Hashing Competition - Survey and Benchmark},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/265},
      year = {2015},
      url = {https://eprint.iacr.org/2015/265}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.