Researchers find a way to improve password protection

IBM researchers in Zurich hope they’ve found a way to solve one of the great vexing problems for CISOs: Making passwords more secure.

The answer, they said last week in a paper presented at a security conference in Denver, is to make they way passwords are stored better. Many organizations store them in a single server, which means if it’s compromised the passwords are at risk. Large enterprises can afford systems that split passwords up and store them across multiple servers — such as RSA’s Distributed Credential Protection, for example –but  they have a potential weakness: They need a quick way to allow a server (or servers) in the chain to refresh encryption keys so they can securely recover in case there’s a compromise. “Without a recovery mechanism,” the researchers note, “it’s only a matter of time until all servers have been hacked and the passwords are leaked.”

Note the word quick. IBM says the only current way to do this kind of recover is with a lot of compute power.

The researchers’ proposed solution is an efficient cryptographic protocol that distributes the capability to verify passwords over multiple servers.

“In spite of its simplicity, our scheme boasts security against dynamic and transient corruptions, meaning that servers can be corrupted at any time and can recover from corruption by going through a non-interactive key refresh procedure,” the authors say. “The users’ passwords remain secure against offline dictionary attacks as long as not all servers are corrupted within the same time period between refreshes.”

The implementation was tested on a commercial cloud infrastructure, with the prototype handling about 100 logins per second per server core. “At this cost, there’s almost no excuse for companies to lose any more user passwords as a result of a server breach,” say the authors.

That would include, I note, small and medium-sized firms, who could benefit from improved security.

When will we see this solution commercialized by a vendor or cloud provider (IBM is both, although their research is public)? No word yet.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web