The Password Hashing Competition

Presented at Kiwicon 9: Cyberwar Is Hell (2015), Dec. 10, 2015, noon (30 minutes)

The secure storage of passwords on servers has been a long-standing problem that rears its head again and again (coughAshley Madisoncough). In 2013 a group of security people lead by cryptographer Jean-Philippe Aumasson initiated the Password Hashing Competition (PHC), an attempt to design a new, state-of-the-art password-processing algorithm using the competitive process that gave us AES and SHA-3. This talk looks at the recently-completed PHC process, both from the technical side (it inspired enormous advances in the state of the art in password-processing design) as well as the ins and outs of running a competitive process to select an algorithm that has to withstand attack by CPUs, GPUs, FPGAs, and ASICs (think Bitcoin miners), not to mention a peanut gallery of geeks all over the world. The focus of the talk is more on the mechanisms of the selection process and the decisions and tradeoffs that were made than on the low-level technical details.


  • Peter Gutmann
    Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and an upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.


Similar Presentations: