New developments in password hashing: ROM-port-hard functions (building upon the ideas of scrypt and security through obesity)

Openwall
November 22, 2012

Like it or not, password authentication remains relevant (including when used as one of several authentication factors), and password hash database leaks remain a risk. To mitigate the impact of such leaks, computationally expensive (bcrypt, PBKDF2) and more recently also memory-hard (scrypt) password hashing methods have been introduced. Unfortunately, at relatively low target running times and with the need to perform multiple authentication attempts concurrently, scrypt's memory cost ends up being unreasonably low, up to the point where scrypt may not be better than the much older bcrypt. In this talk, Solar Designer proposes and discusses the pros and cons of an alternative approach, where an arbitrarily large lookup table may be used along with any target running time and in parallel by multiple concurrent authentication attempts. With contemporary server hardware, the lookup table may occupy tens of gigabytes of RAM (using it as a site-specific ROM), which limits attackers' use of pre-existing hardware (such as botnet nodes), thereby buying the defender time. The approach is further developed to use not only RAM, but also SSDs and potentially even a NAS/SAN based on SSDs. This achieves goals similar to those of the "blind hashing" concept, later dubbed "security through obesity".
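To make the central idea concrete, here is a toy Python sketch added to this page; it is not code from the talk or from Openwall, and it is not a proposed design. It shows a site-specific lookup table derived from a constructed secret and a hash whose running time (`t_cost`) is chosen independently of the table's size, so one table can serve any number of concurrent authentication attempts. The HMAC-counter table construction, the function names and the tiny table size are this sketch's own assumptions.

```python
import hashlib
import hmac


def build_rom(site_secret: bytes, n_blocks: int, block_size: int = 64) -> list[bytes]:
    """Derive a fixed, site-specific lookup table (the "ROM") from a secret.

    Constructed for this sketch: HMAC-SHA256 in counter mode. A real table
    would be tens of gigabytes and generated once; this one is tiny so the
    sketch runs instantly. Its size is fixed here, not by the hash below.
    """
    rom = []
    for i in range(n_blocks):
        block = b""
        j = 0
        while len(block) < block_size:
            msg = i.to_bytes(8, "big") + j.to_bytes(4, "big")
            block += hmac.new(site_secret, msg, hashlib.sha256).digest()
            j += 1
        rom.append(block[:block_size])
    return rom


def rom_hash(password: bytes, salt: bytes, rom: list[bytes], t_cost: int) -> bytes:
    """Toy ROM-dependent password hash (illustration only, not for production).

    Running time is set by t_cost alone; the ROM's size was set when it was
    built. Every iteration reads one block at a data-dependent index, so the
    whole table must be present to compute the hash, whatever t_cost is.
    """
    state = hashlib.sha256(b"rom-hash-sketch" + salt + password).digest()
    for _ in range(t_cost):
        idx = int.from_bytes(state[:8], "big") % len(rom)  # data-dependent lookup
        state = hashlib.sha256(state + rom[idx]).digest()
    return state


def verify(password: bytes, salt: bytes, rom: list[bytes], t_cost: int, stored: bytes) -> bool:
    """Constant-time comparison against a stored hash; the shared ROM is reused as-is."""
    return hmac.compare_digest(rom_hash(password, salt, rom, t_cost), stored)
```

Because the table is read-only, the same `rom` object can be shared by many threads or processes verifying different logins at once, which is the property the abstract contrasts with scrypt's per-computation memory.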
