IBM researchers in Zurich hope they’ve found a way to solve one of the great vexing problems for CISOs: Making passwords more secure.

The answer, they said last week in a paper presented at a security conference in Denver, is to make they way passwords are stored better. Many organizations store them in a single server, which means if it’s compromised the passwords are at risk. Large enterprises can afford systems that split passwords up and store them across multiple servers — such as RSA’s Distributed Credential Protection, for example –but  they have a potential weakness: They need a quick way to allow a server (or servers) in the chain to refresh encryption keys so they can securely recover in case there’s a compromise. “Without a recovery mechanism,” the researchers note, “it’s only a matter of time until all servers have been hacked and the passwords are leaked.”

Note the word quick. IBM says the only current way to do this kind of recover is with a lot of compute power.

The researchers’ proposed solution is an efficient cryptographic protocol that distributes the capability to verify passwords over multiple servers.

“In spite of its simplicity, our scheme boasts security against dynamic and transient corruptions, meaning that servers can be corrupted at any time and can recover from corruption by going through a non-interactive key refresh procedure,” the authors say. “The users’ passwords remain secure against offline dictionary attacks as long as not all servers are corrupted within the same time period between refreshes.”

The implementation was tested on a commercial cloud infrastructure, with the prototype handling about 100 logins per second per server core. “At this cost, there’s almost no excuse for companies to lose any more user passwords as a result of a server breach,” say the authors.

That would include, I note, small and medium-sized firms, who could benefit from improved security.

When will we see this solution commercialized by a vendor or cloud provider (IBM is both, although their research is public)? No word yet.

  • Thanks for covering our project. The password technology is currently available for testing and the scientists are actively looking for beta clients. So if anyone is interested please email

  • Hitoshi Anatomi

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. 

    Biometrics are password-dependent. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep.

    At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on
    average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.