My background is in web apps, so when storing a user's password we use a cryptographic hash and salt it so that it is not recoverable.

My basic understanding of what is happening is that to check if a password is correct, we perform the same hashing on the inputted password and check if the hashes are identical. At no point are the plain-text passwords checked against each other; it simply isn't possible (nor should it be!).

At no point would it be possible to ask a user to "enter characters 2, 3 and 9" from your password, as the hashing algorithms used don't allow us to match substrings of the password. In fact, we couldn't even calculate the length of the password, so asking for the 10th letter of a password might confuse the user since the password might only be 8 characters long.

Every online UK bank I've ever used (except Monzo) asks me for 3 characters from a password when I log in.

My question is: How is this possible? Presumably it's one of two things:

  1. The bank stores the password in plain text, thus allowing the bank to ascertain both the length of the password and any substring, making this a trivial string comparison.
  2. They're using a hashing algorithm that I'm unaware of and would love to know more about.

I fear it's the former, but would love to know more if it's the latter.

– Max Woolf
    This seems relevant: http://stackoverflow.com/questions/10768319/best-way-to-implement-partial-key-hashing – Piskvor left the building Jan 03 '17 at 14:17
  • I too fear it sounds like they use the first approach (i.e. reversible, perhaps encrypted storage). Even if they hashed and stored every character of the password separately, or used a rolling hash, it would not provide much security. Perhaps you should see this: http://security.stackexchange.com/questions/7467/how-secure-is-asking-for-specific-characters-of-passwords-instead-of-the-entire ... I'd hope there are some letters that are "off-limits" so that the entire password is never revealed, even in a breach, although this isn't a great improvement on their level of security. – Jedi Jan 03 '17 at 14:35
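To make the two possibilities in the question concrete (the ordinary whole-password salted hash, and the "hash every combination of positions separately" scheme that Piskvor's link and Jedi's comment refer to), here is an added Python example. It is not code from the question, from any bank, or from the linked posts; the password `Tr0ub4dor`, the PBKDF2 iteration count and the position-combination record layout are all constructed for illustration. The partial scheme works without plain text, but only by storing one salted hash per combination of `k` positions, which both reveals the password length and shrinks each challenge's guess space to `alphabet ** k`; `guess_space` quantifies that so the trade-off can be seen rather than argued about.

```python
import hashlib
import hmac
import os
import random
from itertools import combinations
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (constructed value for the example; tune for your hardware).
PBKDF2_ITERATIONS = 100_000

Combo = Tuple[int, ...]
Entry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The web-app approach from the question: a random salt plus a slow hash of the whole password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time; nothing about length or substrings leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def enroll_partial(password: str, k: int = 3) -> Dict:
    """Partial-key hashing (hypothetical scheme): one independently salted hash per k-position combination.

    The record necessarily encodes the password length (the set of valid positions), which is the
    first thing the question notes an ordinary hash cannot reveal.
    """
    entries: Dict[Combo, Entry] = {}
    for combo in combinations(range(len(password)), k):
        chars = "".join(password[i] for i in combo)
        entries[combo] = hash_password(chars)
    return {"length": len(password), "k": k, "entries": entries}


def challenge(record: Dict, rng: random.Random = random.SystemRandom()) -> Combo:
    """Pick the positions to ask for, e.g. (1, 2, 8) means 'characters 2, 3 and 9' in the question's 1-based wording."""
    return rng.choice(sorted(record["entries"]))


def verify_partial(record: Dict, combo: Combo, supplied: str) -> bool:
    """Check only the k characters the user typed against that combination's own salted hash."""
    salt, digest = record["entries"][combo]
    return verify_password(supplied, salt, digest)


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an offline attacker must try against one stored hash of `length` characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    pw = "Tr0ub4dor"  # constructed sample password
    salt, digest = hash_password(pw)
    print("whole-password verify:", verify_password(pw, salt, digest))

    rec = enroll_partial(pw, k=3)
    combo = challenge(rec)
    asked = "".join(pw[i] for i in combo)
    print(f"stored combination hashes: {len(rec['entries'])} (reveals length {rec['length']})")
    print(f"challenge positions {combo} -> verify: {verify_partial(rec, combo, asked)}")
    print("guess space per partial hash :", guess_space(95, rec["k"]))
    print("guess space for the full hash:", guess_space(95, rec["length"]))
```

Run it once and the two guess-space figures make the point of the linked question: a leaked record of 3-character hashes has to survive only 95^3 candidates per entry, whereas the full-password hash has to survive 95^9, and the partial record additionally tells the reader exactly how long the password is.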

0 Answers