STUMP - STalling offline password attacks Using pre-hash ManiPulations

Offline password cracking has seen significant advances in recent years. This is mainly due to a dramatic increase in accessible computational speeds and the increased exploitation of GPUs for parallel processing. Cheaper and faster hardware, combined with new techniques, have allowed inexpensive GPUs to crack passwords at rates which only supercomputers could achieve previously. One inexpensive mitigation technique that we have uncovered is built on the core idea of pre-hash password manipulations. Our technique is named STUMP. Through rigorous empirical analysis, we demonstrate that STUMP can prevent offline parallel attacks - including pre-computed attacks utilizing rainbow tables - from cracking 99.718% of passwords that are <;8-characters in length; STUMP has also shown to completely prevent the attacker from cracking passwords that are ≥ 8 characters in length i.e., (100% secure). Finally, for all cases, STUMP can be employed to stall the attacks - regardless of whether the attack is a laborious brute-force technique or a more intelligent dictionary attack - as neither will return the user´s original password.