Interview with NYU’s Justin Cappos: Our Pathetic Password Protection

My interview is not here at TvB, but over on my other show at the Metadata Era. Professor Cappos is an Associate Professor of Computer Science at NYU Polytechnic School of Engineering. He’s done significant work in cloud computing and security. On that latter point, he’s the creator of PolyPasswordHasher, a novel approach to protecting passwords.

One of the arguments he makes in the interview is that the OS vendors—read Microsoft—are not doing a very good job at protecting passwords, or more technically password hashes. I’ve written about some long-standing issues with MS’s homegrown authentication technology, known as NTLM. Hackers have been able to pull the password hashes from that software and, using Pass the Hash (PtH), get the keys to the Microsoft credential kingdom.

Cappos has an interesting idea for securing the hashes themselves through a special encryption model. I’ll talk more about his PolyPasswordHasher in another post. In NTLM and in other challenge-response protocols like it, the idea is to hide or protect the hashes from hackers—you don’t want to make them available. With Cappos’s PPH, it’s ok if some “poly” hashes are discovered since they can’t be used by hackers until they’ve pulled out multiple—as in many—hashes! It makes for a more secure system.
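As an added illustration of the threshold idea behind PPH (my own toy code, not the PolyPasswordHasher implementation): each stored record is the account’s salted hash XORed with a share of a random polynomial, so a single stolen record gives an attacker nothing to test guesses against, and even the server can only check logins once THRESHOLD users have entered correct passwords. The 127-bit prime, SHA-256, the threshold of 3 and the XOR masking are simplifications I assume for this demo.

```python
import hashlib
import os

P = 2**127 - 1          # field prime for the toy polynomial (assumed for the demo)
THRESHOLD = 3           # correct logins needed before any hash can be checked

def _mask(salt: bytes, password: str) -> int:
    """Salted hash reduced into the field; this is what masks the share."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") % P

def _eval(coeffs, x: int) -> int:
    """Evaluate the secret polynomial at x (Horner's rule mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def new_polynomial() -> list:
    """Random degree THRESHOLD-1 polynomial; coeffs[0] is the shared secret."""
    return [int.from_bytes(os.urandom(16), "big") % P for _ in range(THRESHOLD)]

def create_account(store: dict, coeffs, user: str, password: str) -> None:
    """Store (share index, salt, share XOR hash); the raw hash never hits disk."""
    index = len(store) + 1                      # share indices start at 1
    salt = os.urandom(16)
    store[user] = (index, salt, _eval(coeffs, index) ^ _mask(salt, password))

def unmask(record, password: str):
    """Share point (x, y) that a stored record and a password guess imply."""
    return (record[0], record[2] ^ _mask(record[1], password))

def interpolate(points, x: int) -> int:
    """Lagrange interpolation mod P: f(x) from THRESHOLD known points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def check_password(points, record, password: str) -> bool:
    """Verify a login; impossible (for admin or attacker) below the threshold."""
    if len(points) < THRESHOLD:
        raise RuntimeError("not enough correct logins to reconstruct the polynomial")
    index, y = unmask(record, password)
    return interpolate(points[:THRESHOLD], index) == y
```

The toy simply refuses logins until the threshold is reached; a real deployment needs a bootstrap path for that window.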

Microsoft, by the way, does have a strong security team, as Cappos pointed out. But they can do more, using existing technologies, to stomp out more vulnerabilities.