Check out the new USENIX Web site. next up previous
Next: Salt Collisions Up: Bcrypt Evaluation Previous: MD5 crypt

Attacks and Vulnerabilities

Once an attacker has obtained a list of password hashes, passwords can be guessed by comparing the target list to a list of hashes of candidate passwords. This task is facilitated by the fact that users tend to choose predictable passwords. In the following, we will present commonly used techniques and evaluate how they affect the security of bcrypt.

The most common method is known as a dictionary attack. It is based on the knowledge that many users choose their passwords in a very predictable way. Often a user's password can be found in a dictionary or is the name of a close relative with small modifications, e.g., ``Susan1'' or ``neme$i$''. The attacker compiles a list of common names and words. For a given salt, the words in the list are hashed with the password scheme and compared with entries of the same salt in the password file. If there is a match, the plaintext password has been found.

Commonly, lists of likely passwords contain hundreds of thousands of words. A dictionary attack is only feasible when the one-way function can be computed quickly. Bcrypt's cost can be made as high as tolerable by legitimate users, rendering dictionary attacks impractically slow.



 
next up previous
Next: Salt Collisions Up: Bcrypt Evaluation Previous: MD5 crypt
Niels Provos and David Mazieres
4/28/1999