At Microsoft Research in Redmond, I worked with Stuart Schechter on a project related to password hashing. With others at Microsoft, Stuart had been building a system for secure password storage and, at the start of the summer, he was trying to figure out which of the many password hashing functions he should use in the system. Stuart and I reviewed the designs of the existing algorithms—PBKDF2, bcrypt, scrypt, Argon2, Catena, etc.—and found that none of them satisfied the design criteria we had in mind. In particular, we found that the security properties of most practical schemes relied on rough heuristics rather than on formal analysis and proof.
Undeterred, we set out to design a new family of password hashing functions in collaboration with Dan Boneh at Stanford. Over the course of the summer (and for a few months afterwards), we designed, analyzed, and implemented the new schemes and wrote a research paper on our result. The paper appeared at Asiacrypt 2016. As part of that work, we also devised a practical attack on the Argon2 password-hashing function, which led to changes in the design of that hash function.