Categories: SecurityWorkspace

RSA 2012: RSA Launches Protection Against “Smash And Grab” Password Theft

RSA has introduced technology designed to prevent password theft, following months of credential leaks from major tech firms, from LinkedIn to Yahoo, but one of the vendor’s former employees has already given it a dressing down, at the RSA 2012 conference in London.

The service scrambles login information, before splitting it across two different servers, thereby making it particularly tricky for hackers to pilfer passwords.

If a hacker gains entry into one of those servers, they will come up against heavy encryption, but even if they cracked that they could do little with it as the relevant data is split, RSA said. For a successful breach, a hacker would have to break into both servers, almost simultaneously, RSA said.

Password security in the cloud

Businesses can either choose to have both of those servers held in their environment, or one inside their own data centre and another in the cloud.

“RSA Distributed Credential Protection is the result of several years of incredible research and development innovation at RSA Labs,” said Dan Schiappa, senior vice president of identity and data protection, RSA.

“This technology offers a unique way to truly protect bulk data stores of passwords, secrets and other credentials from even highly sophisticated attacks.”

RSA may be pleased with itself for innovating, but in reality it is doing nothing new, according to Brian Spector, CEO of two factor authentication provider CertiVox (pictured).

“RSA seems simply to be doing what all legacy providers do – putting a Band-Aid on username/password bleeding and thus preventing users from making a break to something of much higher utility, like true two-factor authentication,” Spector, a former RSA employee, told TechWeekEurope at the RSA 2012 event.

“It still uses the existing username and password methodology, for example, and credentials are still stored, even if they are now split between different locations. Managing two different credential stores is, in itself, likely to create a significant management overhead and storing anything anywhere naturally increases its vulnerability.

“Nor is splitting credentials a new idea – at CertiVox, splitting the master keys has long been integrated into services like SkyPin and SkyKey. However, we use one secret key on the server, without having to split it across boundaries, thus avoiding the management overhead.

“There is no danger of the rest of the user population being compromised, even if the secret key on the server is compromised itself. The RSA approach fails signally on these key points of differentiation.”

How well do you know Internet security? Try our quiz and find out!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago