Split Passwords Enhance Website Security
A security company has come up with a way to reduce the effectiveness of website hacking. The plan is to split customer passwords and store them in two or more separate locations.
The idea for split passwords comes from security firm RSA, which says the new technique aims to frustrate hackers who breach website security in order to acquire user names and passwords.
Sometimes that data is stored without any encryption. Even when it is encrypted, hackers are often able to break the encryption, given enough time.
Such breaches of security can be particularly dangerous if any of the site's members use the same log-in details to access other sites.
Password Split Like Lovers' Locket
The new RSA solution to this danger, known as distributed credential protection, is remarkably simple in concept. It splits each user's ID and associated password details into two or more pieces, stored on different servers.
The separate parts are reassembled whenever the user logs in to their account. (Source: rsa.com)
With this system in operation, anyone who breaches a server's security can obtain access only to part of each person's password.
For added security, the system can split a password at a random point rather than in the middle. If one server is compromised, the website owners can easily set the passwords to be split again at new, random points.
Human Weakness Still A Risk
There remain a few limitations to the system, however.
The most obvious is that it only defeats website hacks, rather than cases where hackers obtain an individual's security details (through spyware on a customer's computer or simply by tricking users into handing over a password). (Source: bbc.co.uk)
Another shortcoming is that the "split location system" assumes hackers don't breach both servers. If the tactic that allows a hacker to get into one server works just as well on the other, because they share a common vulnerability, the splitting system offers no additional protection.
The split password technique also increases security maintenance and supervision burdens. With two or more servers needed to validate a user's password, having any one of them offline makes the password-protected part of the site unreachable.
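The split-and-reassemble flow described above, together with the re-split step and the offline-server limitation, as an added Python example (not RSA's code or anything from the original article). It assumes two in-memory dicts stand in for the two servers and that the stored record is a salted PBKDF2 digest; the class, function and user names are hypothetical.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    # Assumption: a salted PBKDF2 digest is stored, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class SplitCredentialStore:
    """Two dicts stand in for two separate credential servers (assumption)."""
    def __init__(self):
        self.server_a, self.server_b = {}, {}
        self.online = {"a": True, "b": True}

    def _split(self, user, record):
        # Cut at a random point rather than in the middle; both pieces non-empty.
        cut = 1 + secrets.randbelow(len(record) - 1)
        self.server_a[user], self.server_b[user] = record[:cut], record[cut:]

    def _reassemble(self, user):
        # Every login needs both servers, so one outage blocks authentication.
        if not all(self.online.values()):
            raise ConnectionError("a credential server is offline")
        return self.server_a[user] + self.server_b[user]

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self._split(user, salt + _hash(password, salt))

    def login(self, user, password):
        record = self._reassemble(user)
        salt, digest = record[:16], record[16:]
        return hmac.compare_digest(digest, _hash(password, salt))

    def resplit(self, user):
        # After one server is compromised, re-cut the record at a new random point.
        self._split(user, self._reassemble(user))

def demo():
    store = SplitCredentialStore()
    store.enroll("alice", "correct horse")       # constructed sample credentials
    ok = store.login("alice", "correct horse")
    rejected = not store.login("alice", "wrong guess")
    piece_len = len(store.server_a["alice"])     # all that server A alone holds
    store.resplit("alice")
    still_ok = store.login("alice", "correct horse")
    store.online["b"] = False                    # simulate server B going down
    try:
        store.login("alice", "correct horse")
        blocked = False
    except ConnectionError:
        blocked = True
    return ok, rejected, piece_len, still_ok, blocked

if __name__ == "__main__":
    print(demo())
```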

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!