RSA splits passwords in two to foil hackers' attacks

  • Published
Password graphic
Image caption,
RSA says users should not notice that their log-in details are being stored in different servers

A product that scrambles and then splits users' passwords in two before storing them on different computer servers has been unveiled by RSA.

The security firm says the facility offers better protection against hackers, who would only gain access to half a "randomised" password in the case of a successful attack.

The firm said the idea had been discussed by academics for some time.

However, one expert said it would only prevent a minority of attacks.

RSA's distributed credential protection (DCP) facility was announced at the company's annual European Conference in London.

"DCP scrambles, randomises and splits sensitive credentials, passwords and Pins and the answers to life or challenge questions into two locations," said the firm's marketing mamanger Liz Robinson.

"This is especially important in today's landscape as we've seen over 50 million passwords stolen in large data breaches in 2012 alone."

LinkedIn's leak of 6.5 million passwords, Yahoo's loss of more than 450,000 usernames and codes, and dating site eHarmony's exposure of 1.5 million passwords are among this year's highest profile cases.

In the case of LinkedIn and eHarmony, the breaches involved encrypted passwords - meaning that the hackers would have needed to decode their haul before being able to make use of it.

RSA aims to offer an extra level of protection by allowing its customers to re-randomise and re-split log-in data if they suspect a breach.

So, unless hackers manage to break into both associated servers before this step is taken, they would be unable to marry up and unscramble stolen information.

All of this would be behind the scenes, and a user logging into a site would still only have to type a single username and password into the appropriate interface.

'Smash and grab'

Prof Alan Woodward - a cybersecurity researcher who advises the UK government - said the idea had merit, but would only prevent a limited number of attacks.

"The original problem was that businesses were storing passwords in plain text," he told the BBC.

"Firms dealt with that by using encryption, but some attacks are getting very sophisticated and have found ways to crack some of the older encryption techniques.

"RSA basically prevents this, but something like 80% of successful attacks result from phishing emails. So while RSA will stop smash and grab attacks on firms' servers, the most successful kind of attack will likely remain people giving their passwords away."

Image caption,
RSA's SecurID tokens were compromised in an attack last year

RSA said DCP would be made available before the end of the year.

It is set to cost about $150,000 (£93,725) per licence. RSA said that could be less than the cost of "an expensive lawsuit", but it will put the product beyond the budget of many organisations.

RSA has itself been the victim of a hack attack. In 2011 the firm replaced millions of SecurID tokens after its own IT infrastructure was attacked. The devices offer a code that changes several times a minute, which must be used in addition to a password, offering an extra level of protection

RSA said the attack led to the loss of information about its authentication process, which was linked to a subsequent attack on one of its customers, defence firm Lockheed Martin.

Related Internet Links

The BBC is not responsible for the content of external sites.