Preprint Open Access

[Preprint] Evaluation of Password Hashing Schemes in Open Source Web Platforms

Ntantogian Christoforos; Malliaros Stefanos; Xenakis Christos

DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="" xmlns="" xsi:schemaLocation="">
  <identifier identifierType="DOI">10.5281/zenodo.2633020</identifier>
      <creatorName>Ntantogian Christoforos</creatorName>
      <affiliation>University of Piraeus</affiliation>
      <creatorName>Malliaros Stefanos</creatorName>
      <affiliation>University of Piraeus</affiliation>
      <creatorName>Xenakis Christos</creatorName>
      <affiliation>University of Piraeus</affiliation>
    <title>[Preprint] Evaluation of Password Hashing Schemes in Open Source Web Platforms</title>
    <subject>Web Application Frameworks</subject>
    <subject>Guessing Attacks</subject>
    <subject>Hashing Schemes</subject>
    <date dateType="Issued">2019-04-08</date>
  <resourceType resourceTypeGeneral="Text">Preprint</resourceType>
    <alternateIdentifier alternateIdentifierType="url"></alternateIdentifier>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.2633019</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsPartOf"></relatedIdentifier>
    <rights rightsURI="">Creative Commons Attribution 4.0 International</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
    <description descriptionType="Abstract">&lt;p&gt;Nowadays, the majority of web platforms on the Internet originate either from CMS, used to easily deploy websites, or from web application frameworks that allow developers to design and implement web applications. Considering the fact that CMS are intended to be plug and play solutions and their main aim is to allow even non-developers to deploy websites, we argue that the default hashing schemes are not modified when deployed on the Internet. Also, recent studies suggest that even developers do not use appropriate hash functions to protect passwords, since they may not have adequate security expertise. Therefore, the default settings of CMS and web application frameworks play an important role in the security of password storage. This paper evaluates the default hashing schemes of popular CMS and web application frameworks. First, we formulate the cost time of password guessing attacks and next we investigate the default hashing schemes of popular CMS and web application frameworks. We also apply our framework to perform a comparative analysis of the cost time between the various CMS and web application frameworks. Finally, considering that intensive hash functions consume computational resources, we analyze hashing schemes from a different perspective. That is, we investigate whether, and under what conditions, it is feasible to perform slow rate denial of service attacks from concurrent login attempts. Through our study we have derived a set of critical observations. The conjecture is that the security status of the hashing schemes calls for changes with new security recommendations and updates to the default security settings.&lt;/p&gt;</description>
      <funderName>European Commission</funderName>
      <funderIdentifier funderIdentifierType="Crossref Funder ID">10.13039/501100000780</funderIdentifier>
      <awardNumber awardURI="info:eu-repo/grantAgreement/EC/H2020/777996/">777996</awardNumber>
      <awardTitle>Scalable, trustEd, and interoperAble pLatform for sEcureD smart GRID</awardTitle>
      <funderName>European Commission</funderName>
      <funderIdentifier funderIdentifierType="Crossref Funder ID">10.13039/501100000780</funderIdentifier>
      <awardNumber awardURI="info:eu-repo/grantAgreement/EC/H2020/779391/">779391</awardNumber>
      <awardTitle>Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module</awardTitle>