RSA proposes ingenious security mechanism that would store passwords across multiple locations

In one of those “duh, why didn’t I think of that” moments, the folks at RSA (the security division of EMC) have proposed a new method of protecting stored user passwords against database breaches: break the password into separate pieces and store them at separate locations. If one database were compromised and its contents stolen, all the attacker would obtain is half of the password hash (or less), which on its own cannot be combined with the remaining piece to recover the plaintext password. RSA further proposes that the password hashes be refreshed periodically, tightening the security of the stored hashes still further.

The pieces could be stored in the same data center but in different databases, or at two locations on opposite sides of the world. It would also be possible to split the password between more than two locations, say a password split and stored on four different servers.

From the user’s perspective, nothing would change: they enter a password and log in. Behind the scenes, secured web services would serve up the pieces of the password hash, while a server-side protocol either combined them or delivered them individually to the client for client-side manipulation.
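One way to realize the split-and-refresh idea described above, as an added example that is neither RSA's own code nor the exact scheme RSA described: the password hash is split into two XOR shares (rather than literal halves, so a single stolen share carries no information about the hash), the login check recombines them server-side, and a refresh re-randomizes both shares without changing what they combine to. The hash function, salt and work factor are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Hypothetical two-location split of a password hash (not RSA's own code).
# Location A holds share_a, location B holds share_b; the hash itself is
# never stored anywhere and only exists transiently while a login is checked.

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo


def password_hash(password, salt):
    # A slow, salted password hash; PBKDF2-HMAC-SHA256 chosen as an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def split(secret):
    # share_a is uniformly random, so either share alone reveals nothing
    # about the hash; only XORing both together recovers it.
    share_a = secrets.token_bytes(len(secret))
    share_b = xor_bytes(secret, share_a)
    return share_a, share_b


def enroll(password, salt):
    # Compute the hash once at enrollment, split it, and discard the hash.
    return split(password_hash(password, salt))


def refresh(share_a, share_b):
    # Periodic re-randomization: XOR the same fresh mask into both shares.
    # The combined value is unchanged, but a share stolen before the refresh
    # no longer pairs with the other location's current share.
    mask = secrets.token_bytes(len(share_a))
    return xor_bytes(share_a, mask), xor_bytes(share_b, mask)


def verify(password, salt, share_a, share_b):
    # Server-side check: recombine the shares and compare in constant time.
    expected = xor_bytes(share_a, share_b)
    return hmac.compare_digest(password_hash(password, salt), expected)
```

A share captured before a refresh cannot be paired with the other location's post-refresh share, which is what makes the periodic refresh worthwhile in practice.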

Granted, we have not forgotten that RSA themselves were hacked in 2011…
