Computational Security and the Economics of Password Hacking: methods to prevent hacking
In cryptography, a security parameter is a way of measuring how “hard” it is for an adversary to break a cryptographic scheme.
There are two main types of security parameter: computational and statistical.
The computational security parameter measures the input size of the computational problem on which the scheme is based (for example, the key length), whereas the statistical security parameter bounds the probability with which an adversary can break the scheme, even an adversary with unbounded computation.
Suppose that company A was just hacked and that all of its usernames and password hashes have been stolen. Assume that company A has been following good password storage practices:
1) Company A hashes all of its passwords with a strong cryptographic hash function.
2) Company A salts every password hash with a per-user salt.
Let Cg be the amortized cost per guess for the adversary, let pi denote the probability that the adversary succeeds on the i’th guess, and let BA denote the adversary’s expected benefit from cracking the password. The expected gain from the i’th guess is pi·BA, so a sufficient condition to make guessing unprofitable (and therefore to deter a rational adversary from cracking at all) is that, for every guess i:
Cg ≥ pi BA.
1. Increasing the cost of guessing (Cg):
a. Companies should store passwords with a deliberately slow password-hashing function such as bcrypt, scrypt, Argon2 or PBKDF2, in addition to salting them. A fast general-purpose hash such as SHA-256 does not raise Cg: commodity GPUs evaluate billions of SHA-256 hashes per second, so SHA-256 on its own is not a password hash.
b. Users could use a password manager that derives a distinct password for each site (for example by hashing the master password together with the site’s domain on the client, the domain acting as a salt), so that the secret a company receives is already strong and unique and the master password itself is never transmitted.
2. Decreasing the probability of a successful guess (pi):
Users should select strong passwords that remain difficult to guess even when the adversary has background knowledge (e.g., leaked password lists or personal details such as names and birthdays).
3. Decreasing the benefit of a cracked password (BA):
a. Users should not reuse the same password across accounts, so that one cracked hash does not unlock other services.
b. Users should pay attention to account activity (e.g., automatic alerts for large transactions).
c. Companies should have strong fraud detection and prevention, so that a cracked password is worth less to the attacker.
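The following is an added example, not code from the original page: it puts the cost-benefit condition Cg ≥ pi·BA above into a small rational-adversary model and ties it to lever 1 (raising Cg) by measuring how long one guess takes under a fast hash versus the slow standard-library KDFs. The password distribution (Zipf-shaped), the hourly hardware price and the benefit BA are constructed or assumed inputs, not measurements, and the timing loop only bounds the attacker's per-guess time from above (real attackers use GPUs).

```python
# Added example (not from the original page): a rational-adversary model of
# offline password cracking, in the notation of the text.
#   C_g  amortized cost per guess        p_i  probability guess i succeeds
#   B_A  adversary's benefit from cracking the password
# The adversary makes guess i only while p_i * B_A > C_g, so cracking stops
# once C_g >= p_i * B_A.  The password distribution, hardware price and
# benefit used below are constructed/assumed inputs, not measurements.
import hashlib
import time


def guess_cost(seconds_per_guess, dollars_per_hour):
    """C_g in dollars: time for one hash evaluation on the attacker's hardware
    times the hourly price of running that hardware."""
    return seconds_per_guess * dollars_per_hour / 3600.0


def zipf_probabilities(n, s=1.0):
    """Constructed p_1 >= p_2 >= ... >= p_n: a Zipf-shaped distribution over the
    n most popular passwords (leaked password lists are roughly this shape)."""
    weights = [1.0 / (i ** s) for i in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def cracking_deterred(probs, c_g, b_a):
    """The page's sufficient condition C_g >= p_i * B_A, checked for every i.
    Since the adversary guesses in decreasing order of p_i, it suffices to
    check the most likely password."""
    return c_g >= max(probs) * b_a


def rational_guesses(probs, c_g, b_a):
    """Number of guesses a cost-benefit-driven adversary makes: it walks the
    passwords in decreasing p_i and quits at the first i with C_g >= p_i * B_A."""
    count = 0
    for p in probs:
        if c_g >= p * b_a:
            break
        count += 1
    return count


def success_probability(probs, guesses):
    """Probability the password falls within the adversary's first `guesses` tries."""
    return sum(probs[:guesses])


def required_seconds_per_guess(p_max, b_a, dollars_per_hour):
    """Smallest per-guess hash time that makes even the most likely password
    unprofitable to guess, i.e. the C_g at which C_g = p_max * B_A."""
    return p_max * b_a * 3600.0 / dollars_per_hour


def seconds_per_guess(kdf, trials=5):
    """Measure one evaluation of a candidate hash on this machine (constructed
    inputs).  A real attacker on GPUs is faster, so this is an upper bound."""
    salt = b"16-byte-salt-xyz"
    start = time.perf_counter()
    for i in range(trials):
        kdf(b"candidate%d" % i, salt)
    return (time.perf_counter() - start) / trials


def candidate_kdfs():
    """A fast hash next to deliberately slow password KDFs from the stdlib."""
    return {
        "salted SHA-256 (fast; not a password hash)":
            lambda pw, salt: hashlib.sha256(salt + pw).digest(),
        "PBKDF2-HMAC-SHA256, 600k iterations":
            lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000),
        "scrypt N=2^14, r=8, p=1 (memory-hard)":
            lambda pw, salt: hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1),
    }


if __name__ == "__main__":
    probs = zipf_probabilities(10_000)   # constructed password distribution
    b_a = 100.0                          # assumed: one cracked account is worth $100
    dollars_per_hour = 2.0               # assumed: price of the attacker's hardware
    for name, kdf in candidate_kdfs().items():
        c_g = guess_cost(seconds_per_guess(kdf), dollars_per_hour)
        k = rational_guesses(probs, c_g, b_a)
        print(f"{name}: C_g=${c_g:.2e}; rational adversary makes {k} guesses, "
              f"succeeds with probability {success_probability(probs, k):.3f}; "
              f"deterred={cracking_deterred(probs, c_g, b_a)}")
    # Hash cost that would make even the single most common password unprofitable:
    print("seconds per guess needed to deter p_1:",
          required_seconds_per_guess(probs[0], b_a, dollars_per_hour))
```

Running the script shows the shape of the argument: the slow KDFs raise Cg by several orders of magnitude over SHA-256 and cut the number of guesses a rational adversary makes, but for the most common passwords (large pi) the per-guess time needed to satisfy Cg ≥ pi·BA on its own is impractically long, which is why levers 2 and 3 (lowering pi and BA) are needed alongside lever 1.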