Distributed Credential Protection: Trying to beat the hackers and protect our passwords

Oct 10, 2012 by Bob Yirka report

(Phys.org)—Recent breaches at LinkedIn and Yahoo have heightened the public's concern about password protection. At LinkedIn, millions of user passwords were found and publicly posted. And at Yahoo, hackers broke into a server and stole passwords which were then used to breach other accounts with the same passwords in use. In response, computer security company RSA has developed a technique that it claims can prevent hackers from gaining access to user passwords on servers.

The idea is based on a technique called threshold cryptography, where data is taken apart, encrypted, and stored in separate pieces on different servers. Until now, the practice has primarily been restricted to sites that require very high security, such as those that deal with financial data. RSA is proposing a similar technique it calls Distributed Credential Protection (DCP) for use by commercial websites to protect user passwords.

With DCP, user passwords are split into two strings of data, with each piece saved to a separate server. When a user logs into the system, the submitted password is likewise split into two separate strings, each of which is sent to one of the password servers. There, it is joined, in random fashion, with the half of the password stored on that server to build a new string. To verify the password, the two resulting strings are compared to one another. With this scheme, a hacker would be forced to access both servers in order to gain access to user passwords. And this process could be further complicated if each server were to run a different operating system. RSA says that to make things even more difficult for hackers, systems administrators could periodically refresh the random half of the strings, which would force those seeking entry to crack both servers within a shorter time frame.
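A simplified two-server split-credential check in the spirit of the scheme described above, as an added example that is not RSA's DCP code: the page does not give the actual protocol, so this assumes plain XOR secret sharing of a salted password digest, with the refresh step implemented as both servers XOR-ing their share with the same fresh random value.

```python
import hashlib
import hmac
import os

SHARE_LEN = 32  # bytes; matches the SHA-256 based digest below


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash of the password; this digest is what gets split.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(password: str, salt: bytes):
    """Split the digest into two shares, one per server.
    Each share on its own is uniformly random and reveals nothing."""
    r = os.urandom(SHARE_LEN)
    return r, _xor(_digest(password, salt), r)


def login_split(password: str, salt: bytes):
    """Login side: split the submitted password with fresh randomness,
    so the wire never carries the digest itself."""
    s = os.urandom(SHARE_LEN)
    return s, _xor(_digest(password, salt), s)


def server_combine(stored_share: bytes, login_share: bytes) -> bytes:
    """Each server joins the piece it received with the piece it stores."""
    return _xor(stored_share, login_share)


def verify(stored_shares, login_shares) -> bool:
    a = server_combine(stored_shares[0], login_shares[0])  # r ^ s
    b = server_combine(stored_shares[1], login_shares[1])  # H ^ r ^ H' ^ s
    # a == b exactly when the stored and submitted digests match.
    return hmac.compare_digest(a, b)


def refresh(stored_shares):
    """Proactive refresh: both servers apply the same random delta.
    A share stolen before the refresh no longer combines with a fresh one."""
    delta = os.urandom(SHARE_LEN)
    return _xor(stored_shares[0], delta), _xor(stored_shares[1], delta)
```

In this toy the party that compares the two combined strings could learn their XOR, which equals the XOR of the two digests on a wrong guess; a production protocol performs that comparison cryptographically so that no single party learns it.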

Using DCP would make stealing passwords from website servers significantly more difficult; however, it wouldn't prevent passwords from being stolen directly from users' computers. To address that threat, RSA recommends that users choose different passwords for their various accounts in order to limit the damage that could result if one of them is stolen.


More information: www.emc.com/security/rsa-distr… ntial-protection.htm

Press release

Related Stories

Password breach spreads beyond LinkedIn

Jun 07, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network. ...

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Apple patent sends password secrets to adapters

Jan 06, 2012

(PhysOrg.com) -- First-time computer users in the early days, pre-hacking security traumas, were confronted with a new life requirement: creating and remembering system passwords. Not too easy, users were ...

Online passwords are insecure: study

Apr 03, 2012

Online passwords are so insecure that one per cent can be cracked within 10 guesses, according to the largest ever sample analysis.

Recommended for you

Kickstarter suspends privacy router campaign

3 hours ago

Kickstarter has suspended an anonymizing router from its crowdfunding site. By Sunday, the page for "anonabox: A Tor hardware router" carried an extra word "(Suspended)" in parentheses with a banner below ...

Facebook unfriends federal drug agency

Oct 17, 2014

(AP)—Facebook wants assurances from the Drug Enforcement Administration that it's not operating any more fake profile pages as part of ongoing investigations.

User comments: 2


antialias_physorg
not rated yet Oct 10, 2012
systems administrators could periodically refresh the random half of the strings, which would force those seeking entry to crack both servers within a shorter time frame.

A script that worked once will work again if they only refresh the content.
With this scheme, a hacker would be forced to access both servers in order to gain access to user passwords. And, this process could be further complicated if each server were to run a different operating system.

Many databases are compromised via SQL injection. If you use only SQL-specific commands for your operations, then having it run on different OSes will not increase security.
Additionally, spreading parts of the security strings around isn't helping: you now need redundant servers (as the MTBF of several locations is shorter than that of one location). And compromising two servers instead of one vulnerable to the same script is not much extra bother (one extra keystroke).
IronhorseA
not rated yet Oct 10, 2012
In that case it's time to require use of some sort of authenticator code generator. But instead of the simple 10-digit ID and 6-digit code generated each time you press the button, use a longer ID with ASCII codes and the same for the generated code. It won't make it unbreakable, just easier for the hacker to call attention to themselves by tripping an alarm.