Split passwords proposed as way of evading hack attacks

The Right Click

With a run of password leaks in the last year, like the breaches at LinkedIn and Sony, it's likely people have grown quite concerned about the security of their passwords online. One company thinks that it's found a way to further deter hackers, and keep our passwords a little safer.

Security firm RSA proposes that if passwords are scrambled, split in two, and stored on different computer servers, hackers would have a harder time getting the full password, and would therefore not be able to break into your account.

According to the BBC, an attacker would need to break into both related servers and then recombine the two randomized parts of the password, which in theory would serve as a major deterrent.


RSA would store the two portions of the password on servers at its distributed credential protection (DCP) facility.

"DCP scrambles, randomizes and splits sensitive credentials, passwords and PINs and the answers to life or challenge questions into two locations," said Liz Robinson, RSA's marketing manager, at the company's annual European Conference.

"This is especially important in today's landscape as we've seen over 50 million passwords stolen in large data breaches in 2012 alone."
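The following is an added illustration of the idea the article describes, not RSA's DCP code: a password is first scrambled with a salted, slow hash, the result is split into two random XOR shares held by different servers, and the shares can be re-randomized without changing the secret. It assumes the salt is stored openly and, for simplicity, that a checking party may hold both shares at once.

```python
import hashlib
import hmac
import os

# Constructed example of a 2-of-2 "split credential" store (XOR secret sharing).
# Assumption: the per-user salt is public; only the two shares are sensitive.


def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash of the password: the 'scrambled' value that gets split."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str):
    """Return (public salt, share for server A, share for server B)."""
    salt = os.urandom(16)
    digest = derive(password, salt)
    share_a = os.urandom(len(digest))  # uniformly random mask, independent of digest
    share_b = xor(digest, share_a)     # digest == share_a XOR share_b
    return salt, share_a, share_b


def verify(password: str, salt: bytes, share_a: bytes, share_b: bytes) -> bool:
    """Only a party holding BOTH shares can rebuild the digest to check a login."""
    return hmac.compare_digest(derive(password, salt), xor(share_a, share_b))


def refresh(share_a: bytes, share_b: bytes):
    """Re-randomize both shares without touching the secret (the 'randomize' step).
    A share stolen before a refresh no longer pairs with the other server's copy."""
    r = os.urandom(len(share_a))
    return xor(share_a, r), xor(share_b, r)


def partner_share_for(stolen_share: bytes, salt: bytes, candidate: str) -> bytes:
    """For ANY candidate password there is a partner share that makes it verify,
    so a single stolen share cannot confirm or rule out a guess."""
    return xor(derive(candidate, salt), stolen_share)
```

The last function is the defender's argument in code: one share alone is consistent with every possible password, so a breach of one server yields nothing to crack offline.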

While this would blunt attacks in which hackers break into servers and steal stored passwords, one expert in the field thinks it would address only a small share of the password-theft situations that occur online.

"The original problem was that businesses were storing passwords in plain text," cybersecurity researcher Professor Alan Woodward told the BBC. "Firms dealt with that by using encryption, but some attacks are getting very sophisticated and have found ways to crack some of the other encryption techniques."

"RSA basically prevents this, but something like 80% of successful attacks result from phishing emails. So while RSA will stop smash and grab attacks on firms' servers, the most successful kind of attack will likely remain people giving their passwords away."

Companies that wish to use the service will have to pay US$150,000 for a license.