Cryptology ePrint Archive: Report 2015/387

Method to Protect Passwords in Databases for Web Applications

Scott Contini

Abstract: Trying to make it more difficult to hack passwords has a long history. However the research community has not addressed the change of context from traditional Unix mainframe systems to web applications which face new threats (DoS) and have fewer constraints (client-side computation is allowed). In absence of updated guidance, a variety of solutions are scattered all over the web, from amateur to somewhat professional. However, even the best references have issues such as incomplete details, misuse of terminology, assertion of requirements that are not adequately justified, and too many options presented to the developer, opening the door to potential mistakes. The purpose of this research note is to present a solution with complete details and a concise summary of the requirements, and to provide a solution that developers can readily implement with confidence, assuming that the solution is endorsed by the research community. The proposed solution involves client-side processing of a heavy computation in combination with a server-side hash computation. It follows a similar approach to a few other proposals on the web, but is more complete and justified than any that we found.

Category / Keywords: applications / authentication, passwords

Date: received 25 Apr 2015

Contact author: thegreatcontini at fastmail fm

Available format(s): PDF | BibTeX Citation

Version: 20150429:130316 (All versions of this report)

Short URL: ia.cr/2015/387

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]