Essentially, the password hashes are AES encrypted with a shamir secret key that is stored in memory, and on boot up can be unlocked by k of n administrators/power users logging in.
It also presents a technique to weakly verify normal logins between bootup and when the k admins log in by essentially leaking a few bits of entropy of the user's hashed password.
This only protects against attackers accessing the password database/file from disk, not from an attack that compromises memory and the key stored there on a running server. However, in the case that the key is compromised, this is no worse than best practices used today.
Assuming the admins use strong passwords, this requires potential crackers to crack k strong admin passwords at once if they only have the file.
"How hard is it to crack passwords stored using this technique?"
Suppose that three people have passwords that are each randomly chosen and 6 characters long. A typical laptop can crack those passwords in about 1 hour.
If you take the same passwords and protect them with PolyPassHash, every computer on the planet working together cannot crack the password in 1 hour. In fact, to search the key space, it would take every computer on the planet longer than the universe is estimated to have existed.
If it sounds too good - it probably is. Can anyone with a strong cryptography background explain if this idea has merit or if it is simply pixie dust.
I'm not a crypto expert, but I like to think I'm relatively well informed and able to spot obvious bullshit when it comes to this stuff. Going on the description given on GitHub, but not the paper yet, it sounds plausible.
"Extremely weak passwords are a bad idea. An attacker can guess things like password, etc. and just try them even if they do not have the database. So do not use them regardless of the storage technology.
Another thing PolyPassHash does not protect against is password reuse. Do not use the same password on multiple sites no matter how strong it is! We recommend using a password manager that generates a separate, strong password per site."
If they recommend using a password manager then what additional security does this scheme provide? Presumably your password manager generates strong, unique passwords.
It also presents a technique to weakly verify normal logins between bootup and when the k admins log in by essentially leaking a few bits of entropy of the user's hashed password.
This only protects against attackers accessing the password database/file from disk, not from an attack that compromises memory and the key stored there on a running server. However, in the case that the key is compromised, this is no worse than best practices used today.
Assuming the admins use strong passwords, this requires potential crackers to crack k strong admin passwords at once if they only have the file.