A Future-Adaptable Password Scheme
Abstract
Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password schemes such as the traditional UNIX user-authentication system are failing with time. This paper discusses ways of building systems in which password security keeps up with hardware speeds. We formalize the properties desirable in a good password system, and show that the computational cost of any secure password scheme must increase as hardware improves. We present two algorithms with adaptable cost-eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function. Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure well into the future.
The following paper was originally published in the Proceedings of the FREENIX Track: 1999 USENIX Annual Technical Conference, Monterey, California, USA, June 6–11, 1999.
Niels Provos and David Mazières
{provos,dm}@openbsd.org
The OpenBSD Project
© 1999 by The USENIX Association. All Rights Reserved.
Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.
For more information about the USENIX Association: Phone: 1 510 528 8649, FAX: 1 510 548 5738, Email: office@usenix.org, WWW: http://www.usenix.org
1 Introduction

As microprocessors grow faster, so does the speed of cryptographic software. Fast cryptography opens many opportunities for making systems more secure. It renders encryption usable for a wide range of applications. It also permits larger values of tunable security parameters such as key length. Increasing security parameters makes cryptography exponentially (or at least superpolynomially) more difficult to break, dwarfing any benefit faster hardware may offer attackers. Unfortunately, one security parameter, the length and entropy of user-chosen passwords, does not scale at all with computing power. While many systems require users to choose secret passwords for authentication, few actually adapt their algorithms to preserve security in the face of increasingly powerful attackers.

One widespread use of passwords, and a good example of failure to adapt, is the UNIX password system. UNIX, a multi-user operating system, requires users to prove their identity before accessing system resources. A user typically begins a session by providing her username and secret password to a login program. This program then verifies the password using a system-wide password file. Given the importance of keeping passwords secret, UNIX does not store plaintext passwords in this file. Instead, it keeps hashes of passwords, using a one-way function, crypt [9], that can only be inverted by guessing preimages. To verify a password, the login program hashes the password and compares the result to the appropriate hash in the password file.

At the time of deployment in 1976, crypt could hash fewer than 4 passwords per second. Since the only known way of inverting crypt is to guess preimages, the algorithm made passwords very difficult to recover from their hashes; so much so, in fact, that the designers of UNIX felt comfortable leaving the password file readable by all users. Today, over 20 years later, a fast workstation with heavily optimized software can perform over 200,000 crypt operations per second. Attackers can now expediently discover plaintext passwords by hashing entire dictionaries of common passwords and comparing the results to entries in a password file. crypt nonetheless still enjoys widespread use, and legacy software even forces many sites to keep their password files readable by all users.
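As an added illustration of the adaptability the paper argues for (this is not code from the paper or from OpenBSD): a stored password record that carries its own work factor, so the verifier can be made more expensive as hardware speeds up and stale records can be upgraded at login. PBKDF2-HMAC-SHA256 from Python's standard library stands in for an expensive key schedule (it is not eksblowfish or bcrypt), and the `$cost$salt$hash` record layout, `calibrate_cost` and `login` are my own assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed record layout "$cost$salt$hash": the cost lives in the record so it can be
# raised later without touching the verifier. PBKDF2-HMAC-SHA256 (stdlib) stands in
# for an expensive key schedule; it is not the paper's eksblowfish/bcrypt.

def hash_password(password: str, cost: int, salt: bytes = b"") -> str:
    """Hash with 2**cost iterations and embed cost and salt in the stored record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return f"${cost}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute using the cost stored in the record; compare in constant time."""
    _, cost, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << int(cost))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(record: str, current_cost: int) -> bool:
    """True when the record was produced with a cost below today's policy."""
    return int(record.split("$")[1]) < current_cost

def calibrate_cost(target_seconds: float, max_cost: int = 20) -> int:
    """Find the largest cost (>= 4) whose hash still completes within target_seconds,
    so the work factor can be re-tuned as hardware gets faster."""
    cost = 4
    while cost < max_cost:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibrate", b"x" * 16, 1 << (cost + 1))
        if time.perf_counter() - start > target_seconds:
            break  # doubling once more would exceed the budget
        cost += 1
    return cost

def login(password: str, record: str, current_cost: int) -> tuple:
    """Verify the password; on success with a stale cost, return an upgraded record
    (the plaintext is only available at login, so that is when the upgrade happens)."""
    ok = verify_password(password, record)
    if ok and needs_rehash(record, current_cost):
        record = hash_password(password, current_cost)
    return ok, record
```

The caller persists the record returned by `login` whenever it differs from the one it passed in, which is how a password file migrates to a higher cost without ever storing plaintext.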
Today we have authentication schemes considerably more sophisticated than the UNIX password file. In practice, however, implementations of these schemes still often depend on users remembering secret passwords. There are alternatives, such as issuing special authentication hardware to users or giving them printed lists of randomly generated access codes, but these approaches generally inconvenience users or incur additional cost. Thus, passwords continue to