RSA 2012: RSA Launches Protection Against “Smash And Grab” Password Theft

SQL username password - Shutterstock: © hauhu

RSA looks to innovate in password security, but gets put down by one of its former employees

RSA has introduced technology designed to prevent password theft, following months of credential leaks from major tech firms, from LinkedIn to Yahoo, but one of the vendor’s former employees has already given it a dressing down, at the RSA 2012 conference in London.

The service scrambles login information, before splitting it across two different servers, thereby making it particularly tricky for hackers to pilfer passwords.

If a hacker gains entry into one of those servers, they will come up against heavy encryption, but even if they cracked that they could do little with it as the relevant data is split, RSA said. For a successful breach, a hacker would have to break into both servers, almost simultaneously, RSA said.

Password security in the cloud

Businesses can either choose to have both of those servers held in their environment, or one inside their own data centre and another in the cloud.

“RSA Distributed Credential Protection is the result of several years of incredible research and development innovation at RSA Labs,” said Dan Schiappa, senior vice president of identity and data protection, RSA.

“This technology offers a unique way to truly protect bulk data stores of passwords, secrets and other credentials from even highly sophisticated attacks.”

RSA may be pleased with itself for innovating, but in reality it is doing nothing new, according to Brian Spector, CEO of two factor authentication provider CertiVox (pictured).

“RSA seems simply to be doing what all legacy providers do – putting a Band-Aid on username/password bleeding and thus preventing users from making a break to something of much higher utility, like true two-factor authentication,” Spector, a former RSA employee, told TechWeekEurope at the RSA 2012 event.

“It still uses the existing username and password methodology, for example, and credentials are still stored, even if they are now split between different locations. Managing two different credential stores is, in itself, likely to create a significant management overhead and storing anything anywhere naturally increases its vulnerability.

“Nor is splitting credentials a new idea – at CertiVox, splitting the master keys has long been integrated into services like SkyPin and SkyKey. However, we use one secret key on the server, without having to split it across boundaries, thus avoiding the management overhead.

“There is no danger of the rest of the user population being compromised, even if the secret key on the server is compromised itself. The RSA approach fails signally on these key points of differentiation.”

How well do you know Internet security? Try our quiz and find out!