Distributed Credential Protection: Trying to beat the hackers and protect our passwords

October 10, 2012 by Bob Yirka report

(Phys.org)—Recent breaches at LinkedIn and Yahoo have heightened the public's concern about password protection. At LinkedIn, millions of user passwords were found and publicly posted. And at Yahoo, hackers broke into a server and stole passwords which were then used to breach other accounts with the same passwords in use. In response, computer security company RSA has developed a technique that it claims can prevent hackers from gaining access to user passwords on servers.

The idea is based on a technique called threshold cryptography, where data is taken apart, encrypted, and stored in separate pieces on different servers. Until now, the practice has primarily been restricted to use by sites that require very high security, such as those that deal with financial data. RSA is proposing a similar technique it calls Distributed Credential Protection (DCP) for use by commercial websites to protect user passwords.


With DCP, user passwords are split into two strings of data, with each piece saved to a separate server. When a user logs into the system, the submitted password is split into two separate strings, each of which is sent to one of the password servers. There, it is joined, in random fashion, with the half of the password stored on that server to build a new string. To verify the password, the two strings built on each server are compared to one another. With this scheme, a hacker would be forced to access both servers in order to gain access to user passwords. And, this process could be further complicated if each server were to run a different operating system. RSA says that to make things even more difficult for hackers, systems administrators could periodically refresh the random half of the strings, which would force those seeking entry to crack both servers within a shorter time frame.
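The two-server check described above, as an added illustrative construction written for this page: it is not RSA's code and is not a description of DCP's actual protocol, only the simplest threshold scheme that has the properties the article lists. The password-derived value is XOR-shared between two hypothetical servers (`ShareServer` "A" and "B"), a hypothetical `FrontEnd` splits each login attempt the same way, each server combines its stored share with the login share, and the two combined strings are equal exactly when the password is correct. A `refresh` step re-randomises both shares without changing the password, so a share copied from one server before the refresh no longer pairs with the other server's current share. The user name and passwords are constructed sample data.

```python
"""Two-server split-password verification (illustrative toy, not RSA's DCP).

The password-derived value h is XOR-shared between two back-end servers, so
the stored record on either server alone is a uniformly random string that
carries no information about the password, and both shares can be
re-randomised without the user changing anything.
"""
import hashlib
import hmac
import os
import secrets

SHARE_LEN = 32  # bytes: length of the derived value and of every share


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so that even a stolen *pair* of shares only
    allows rate-limited guessing. Iteration count kept low for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               10_000, dklen=SHARE_LEN)


class ShareServer:
    """One of the two password servers (hypothetical); holds one share per user."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.shares = {}  # user -> 32-byte share

    def store(self, user: str, share: bytes) -> None:
        self.shares[user] = share

    def combine(self, user: str, login_share: bytes) -> bytes:
        # "joined with the half of the password stored on that server":
        # XOR the stored share with the share received for this login.
        return _xor(self.shares[user], login_share)

    def refresh(self, user: str, delta: bytes) -> None:
        # Proactive re-randomisation: both servers apply the same delta, so
        # share_A XOR share_B (and hence h) is unchanged while each stored
        # value becomes a fresh random string.
        self.shares[user] = _xor(self.shares[user], delta)


class FrontEnd:
    """Web tier (hypothetical): receives the password, talks to both servers."""

    def __init__(self, server_a: ShareServer, server_b: ShareServer) -> None:
        self.a, self.b = server_a, server_b
        self.salts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.salts[user] = salt
        h = _derive(password, salt)
        r = secrets.token_bytes(SHARE_LEN)
        self.a.store(user, r)            # uniformly random on its own
        self.b.store(user, _xor(h, r))   # also uniformly random on its own

    def login(self, user: str, password: str) -> bool:
        if user not in self.salts:
            return False
        h2 = _derive(password, self.salts[user])
        s = secrets.token_bytes(SHARE_LEN)      # fresh split of the login attempt
        d_a = self.a.combine(user, s)
        d_b = self.b.combine(user, _xor(h2, s))
        # d_a XOR d_b == (r XOR s) XOR (h XOR r XOR h2 XOR s) == h XOR h2,
        # so the two combined strings are equal exactly when the password is right.
        return hmac.compare_digest(d_a, d_b)

    def refresh(self, user: str) -> None:
        delta = secrets.token_bytes(SHARE_LEN)
        self.a.refresh(user, delta)
        self.b.refresh(user, delta)


def demo() -> dict:
    """Runs the protocol on constructed sample data and returns what it showed."""
    a, b = ShareServer("A"), ShareServer("B")
    fe = FrontEnd(a, b)
    fe.register("alice", "correct horse battery staple")   # constructed sample
    out = {
        "correct": fe.login("alice", "correct horse battery staple"),
        "wrong": fe.login("alice", "Tr0ub4dor&3"),
        "unknown_user": fe.login("bob", "anything"),
    }
    stolen_a = a.shares["alice"]                          # what a breach of A alone yields
    h = _xor(a.shares["alice"], b.shares["alice"])        # only both servers together know h
    fe.refresh("alice")
    out["correct_after_refresh"] = fe.login("alice", "correct horse battery staple")
    out["share_changed"] = a.shares["alice"] != stolen_a
    # A share taken from A before the refresh no longer pairs with B's current share.
    out["stale_pair_recovers_h"] = _xor(stolen_a, b.shares["alice"]) == h
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting. Comparing `d_a` and `d_b` directly is the simplest form of the check; a server that sees both combined strings learns `h XOR h2` for a failed attempt, so a production design would use a more careful equality test between the two servers. And the front end still handles the cleartext password for the length of the login, which is the part of the system a compromised user machine attacks anyway, matching the article's caveat that the scheme protects the stored credentials, not the endpoint.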

Using DCP would make stealing passwords from website servers significantly more difficult; however, it wouldn't prevent passwords from being stolen directly from users' computers. To address that threat, RSA recommends that users choose different passwords for their various accounts in order to limit the damage that could result if one of them is stolen.


More information: www.emc.com/security/rsa-distributed-credential-protection.htm

Press release


2 comments


antialias_physorg
not rated yet Oct 10, 2012
systems administrators could periodically refresh the random half of the strings, which would force those seeking entry to crack both servers within a shorter time frame.

A script that worked once will work again if they only refresh the content.
With this scheme, a hacker would be forced to access both servers in order to gain access to user passwords. And, this process could be further complicated if each server were to run a different operating system.

Many databases are compromised via SQL injection. If you use only SQL specific commands for your operations then having it run on different OS will not increase security.
Additionally spreading parts of the security strings around isn't helping: you now need redundant servers (as the MTBF of several locations is shorter than of one location). And compromising two servers instead of one vulnerable to the same script is not much extra bother (one extra keystroke).
IronhorseA
not rated yet Oct 10, 2012
In that case time to require use of some sort of authenticator code generator. But instead of the simple 10 digit ID and 6 digit code generated each time you press the button, instead a longer ID with use of ASCII code and the same for the generated code. It won't make it unbreakable, just easier for the hacker to call attention to themselves by tripping an alarm.
