Distinguished Lecture Series

Password (In)Security - You and Zuckerberg on the Same Sinking Ship

  When: Monday, December 05, 2016 from 11:00 AM to 12:00 PM

  Speakers: Hugo Krawczyk

  Location: Research Hall, Room 163


In spite of repeated catastrophic leakages of billions of passwords from popular websites (e.g., the recently published attack on 500M stolen passwords from Yahoo) and the critical role that password vulnerabilities play in most cybersecurity attacks, password authentication is still the prevalent means of authentication on the Internet, in commercial enterprises, in government, and in many other sensitive settings. Even when stronger credentials are used for authentication, these are typically protected or retrieved using human-memorizable passwords, thus opening these secrets to phishing and to offline attacks upon server compromise. As much as one would like to dismiss the use of passwords as a bad practice, passwords are here to stay as the indisputable winners of the convenience-vs-security battle.

But is password insecurity inevitable? Fortunately, cryptography can provide a negative answer to this question. In this talk we survey progress in this area, showing how to armor password protocols against online and offline dictionary attacks by leveraging the availability of a personal device, connectivity to an online server, or server distribution. In all cases, we achieve the maximal attainable security in the corresponding adversarial setting.

Based on works with S. Jarecki, A. Kiayias, J. Xu, N. Saxena and M. Shirvanian.


Hugo Krawczyk is a Distinguished Research Staff Member with the Cryptography Group at the IBM T.J. Watson Research Center. His areas of interest span theoretical and applied aspects of cryptography with particular emphasis on applications to network security, privacy and authentication. Best known are his contributions to the cryptographic design of Internet standards, particularly IPsec, IKE, and TLS, and the co-invention of cryptographic algorithms including the HMAC message authentication function. Dr. Krawczyk has also contributed to the theory and applications of pseudorandomness, zero-knowledge, key exchange, threshold and proactive cryptosystems, and search on encrypted data. His current interests include search on encrypted data, strengthening the security of password protocols, private authentication and revamping the cryptographic design of TLS. Krawczyk is a Fellow of the International Association for Cryptologic Research (IACR) and the recipient of numerous IBM awards, including two corporate awards, for his contributions to the information security industry. He has also been recognized with the 2015 RSA Award for Excellence in the field of Mathematics.