Distributed Credential Protection: Trying to beat the hackers and protect our passwords

Oct 10, 2012 by Bob Yirka report

(Phys.org)—Recent breaches at LinkedIn and Yahoo have heightened public concern about password protection. At LinkedIn, millions of users' password hashes were stolen and posted publicly. At Yahoo, attackers broke into a server and stole passwords, which were then used to break into other accounts where the same passwords had been reused. In response, the computer security company RSA has developed a technique that it claims can stop attackers from obtaining users' passwords from a compromised server.

The idea is based on a technique called threshold cryptography, in which a secret is split into pieces that are stored on separate servers, so that no single piece (and no single server) reveals the secret. Until now, the practice has mostly been confined to sites that require very high security, such as those handling financial data. RSA is proposing a similar technique it calls Distributed Credential Protection (DCP) for use by ordinary commercial websites to protect user passwords.


With DCP, each user's password is split, using fresh randomness, into two strings of data, and each half is saved on a separate server. When a user logs in, the password they type is again split into two random-looking strings, one of which is sent to each password server. Each server combines the string it receives with the half it already stores, producing a new string. To verify the password, the two servers compare these combined strings with one another; the login is accepted only if they match. The password itself is never reassembled on either server, so an attacker would have to compromise both servers to recover user passwords. This could be made harder still by running each server on a different operating system. RSA adds that, to raise the bar further, systems administrators could periodically re-randomize the stored halves, which would force an attacker to break into both servers within the same refresh window, since a half stolen before a refresh no longer combines with the other server's current half.
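The following is an added example, written to illustrate the split-and-compare flow described above; it is not RSA's code, and the article does not say how DCP joins or compares the halves. It assumes additive secret sharing mod 2^128 for the two halves, and a Diffie-Hellman-style blinded equality test in the multiplicative group mod the Mersenne prime 2^127 - 1 for the comparison step, so that a server that has been compromised learns only whether a login matched and cannot test password guesses offline against what it sees. The class and function names (ShareServer, blinded_equal, refresh_shares) and the sample salt and passwords are constructed for the demo; the parameters are toy-sized and not for production use.

```python
"""Two-server split-password check, modelled on the scheme the article describes:
halves on two servers, combine-and-compare at login, periodic refresh.
Added example with toy parameters, not RSA's code; NOT for production use."""
import hashlib
import math
import secrets

# Shares are additive in Z_M (assumption: the article does not say how RSA joins
# the halves; additive/XOR sharing is the textbook choice). Every half is uniform.
M = 1 << 128
# Group for the blinded equality test: Z_p^* with the Mersenne prime 2**127 - 1.
# Good enough for a demo; real deployments use a standard prime-order group.
P = (1 << 127) - 1

def pw_to_int(password: str, salt: bytes) -> int:
    """Fixed-length, salted digest of the password, so shares have fixed size."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % M

def split(value: int):
    """Randomised split into (r, value - r); either half alone is pure noise."""
    r = secrets.randbelow(M)
    return r, (value - r) % M

def hash_to_group(x: int) -> int:
    """Map a combined value to a group element of unknown discrete log."""
    d = hashlib.sha256(b"dcp-eq|" + x.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % P or 1      # 0 is not in Z_p^*

def blinding_exponent() -> int:
    """Random exponent invertible mod p-1, so v -> v**e is a bijection on Z_p^*."""
    while True:
        e = secrets.randbelow(P - 2) + 1
        if math.gcd(e, P - 1) == 1:
            return e

class ShareServer:
    """One of the two password servers; it only ever holds its half of a record.
    sign=+1 for the first server, -1 for the second, so that the two combined
    values are equal exactly when the login digest equals the stored one."""
    def __init__(self, sign: int):
        self.sign = sign
        self.shares = {}                      # username -> half (int)

    def store(self, user: str, half: int):
        self.shares[user] = half

    def combine(self, user: str, login_half: int) -> int:
        """Join the stored half with the half received for this login attempt."""
        return (self.sign * (self.shares[user] - login_half)) % M

    def refresh(self, user: str, delta: int):
        """Re-randomise: +delta on one server, -delta on the other; sum unchanged."""
        self.shares[user] = (self.shares[user] + self.sign * delta) % M

def blinded_equal(x: int, y: int) -> bool:
    """Diffie-Hellman-style equality test between the servers (blue holds x, red
    holds y). Each side only sees the other's value under a secret exponent, so a
    compromised server learns one bit per login and cannot test password guesses
    offline against the transcript. Messages are simulated as local variables."""
    eb, er = blinding_exponent(), blinding_exponent()   # blue's and red's secrets
    u = pow(hash_to_group(x), eb, P)                      # blue -> red
    v = pow(hash_to_group(y), er, P)                      # red  -> blue
    u_er = pow(u, er, P)                                  # red:  H(x)^(eb*er)
    v_eb = pow(v, eb, P)                                  # blue: H(y)^(er*eb), sent to red
    return u_er == v_eb

def register(blue, red, user, password, salt):
    a, b = split(pw_to_int(password, salt))
    blue.store(user, a)
    red.store(user, b)

def login(blue, red, user, password, salt) -> bool:
    a1, b1 = split(pw_to_int(password, salt))   # fresh random split on the client
    return blinded_equal(blue.combine(user, a1), red.combine(user, b1))

def refresh_shares(blue, red, user):
    delta = secrets.randbelow(M)                # agreed between the two servers
    blue.refresh(user, delta)
    red.refresh(user, delta)

def demo():
    """Returns (good login, bad login, both halves rebuild the digest,
    stale half + fresh half rebuild the digest, login still works after refresh)."""
    salt = b"per-user-salt"                     # constructed sample value
    blue, red = ShareServer(+1), ShareServer(-1)
    register(blue, red, "alice", "correct horse", salt)
    h = pw_to_int("correct horse", salt)
    good = login(blue, red, "alice", "correct horse", salt)
    bad = login(blue, red, "alice", "wrong horse", salt)
    both = (blue.shares["alice"] + red.shares["alice"]) % M == h
    stolen_half = blue.shares["alice"]          # attacker dumps one server today
    refresh_shares(blue, red, "alice")
    stale = (stolen_half + red.shares["alice"]) % M == h   # other server, after refresh
    return good, bad, both, stale, login(blue, red, "alice", "correct horse", salt)

if __name__ == "__main__":
    print(demo())                               # (True, False, True, False, True)
```

The point of the blinded comparison is that a plain exchange of the combined strings would let a server that has been taken over (or anyone reading the inter-server link) learn the difference between the stored and the attempted digest, which turns every login it observes into an offline guessing opportunity; with the exponent blinding it learns only match or no match, one bit per attempt, which the other server can rate-limit.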

Using DCP would make stealing passwords from website servers significantly more difficult; however, it does nothing against passwords stolen directly from users' own computers, for example by malicious software capturing what they type. To limit that threat, RSA recommends that users choose a different password for each account, so that a password stolen from one place cannot be reused to break into others.




More information: www.emc.com/security/rsa-distr… ntial-protection.htm

Press release


User comments: 2


antialias_physorg
Oct 10, 2012
systems administrators could periodically refresh the random half of the strings, which would force those seeking entry to crack both servers within a shorter time frame.

A script that worked once will work again if they only refresh the content.
With this scheme, a hacker would be forced to access both servers in order to gain access to user passwords. And, this process could be further complicated if each server were to run a different operating system.

Many databases are compromised via SQL injection. If you use only SQL specific commands for your operations then having it run on different OS will not increase security.
Additionally spreading parts of the security strings around isn't helping: you now need redundant servers (as the MTBF of several locations is shorter than of one location). And compromising two servers instead of one vulnerable to the same script is not much extra bother (one extra keystroke)
IronhorseA
Oct 10, 2012
In that case time to require use of some sort of authenticator code generator. But instead of the simple 10 digit ID and 6 digit code generated each time you press the button, instead a longer ID with use of ASCII code and the same for the generated code. It won't make it unbreakable, just easier for the hacker to call attention to themselves by tripping an alarm.