One means of authentication includes the use of a password on computer systems. For example, on UNIX-type systems, the password for an account is stored in a hashed form. To make it harder for an attacker who has access to the hashed password to perform a class of brute force attacks and potentially gain knowledge of several passwords at once, the password is augmented with a small random value, also known as “salt” before it is hashed. The salt value and the hashed password are then stored in association with other account properties. Ordinarily, only passwords are encrypted and protected while other account credentials are not.
Thus, if the password database were to be compromised, an attacker would be able to impersonate any user on the system. As such, it would be desirable to have a technique where if an attacker were to gain access to the encrypted password file, the attacker would have to perform a brute-force attack against both the username and the password.