
I just called my mobile phone provider and they asked me to verify myself by telling them my mobile phone number and the first three characters of the password of my online account.

Now I'm wondering if this is a secure way to verify users on the phone.

The first thing that came to my mind was that they need to verify these characters on the server side, which wouldn't work with hashed passwords afaik.

So either they store raw passwords (which I really hope they don't) or they also create a hash of the first three characters of the password and store that alongside the password hash.

I think it's clear that the first option isn't secure, but is the second? I'd say that it's definitely not secure when using non-salted hashes, but is it when using salted hashes?

Felix
  • What's the question? Most phone call centres have a phone PIN which is different from the website password. The reason is that the PIN can be stored in clear text to allow matches like you say. If it is the same then yes, this could be bad. Without knowing the implementation I cannot comment further – maybe the password on the website is hashed but a clear text version is stored within the phone centre application? Who knows... – ISMSDEV Jul 06 '17 at 15:27
  • Is your question, does hashing the first 3 chars of a password separately weaken the security of the hashed password? – schroeder Jul 06 '17 at 15:47
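The following is an added example, not code from the question or from any provider, that puts numbers on the second design from the question (a separately stored hash of the first three characters) and contrasts it with the separate phone PIN the comments mention. It assumes a 94-symbol printable-ASCII alphabet, a salted SHA-256 stand-in for whatever hash the provider actually uses, a constructed sample password, and PBKDF2 for the independent phone code; none of these details come from the page.

```python
import hashlib
import hmac
import itertools
import math
import os
import secrets
import string

# All printable ASCII except space: 26 + 26 + 10 + 32 = 94 symbols (assumption).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

PBKDF2_ROUNDS = 100_000  # assumption: rounds used for the separate phone code


def salted_hash(secret: str, salt: bytes) -> bytes:
    """Salted SHA-256, standing in for whatever hash the provider uses (assumption)."""
    return hashlib.sha256(salt + secret.encode()).digest()


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Work factor, in bits, of exhaustively searching `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def recover_prefix(stored_prefix_hash: bytes, salt: bytes,
                   alphabet: str = PRINTABLE, length: int = 3):
    """Risk demonstration: given the stored hash of the first `length` characters and its
    salt (a salt sits in the clear next to its hash, so whoever has the hash has the salt),
    try every candidate string.  Returns (prefix, guesses needed) or (None, keyspace size).
    With 94**3 = 830,584 candidates this finishes in about a second of pure Python: the
    salt only defeats precomputed tables, it does not add candidates."""
    for n, chars in enumerate(itertools.product(alphabet, repeat=length), start=1):
        guess = "".join(chars)
        if hmac.compare_digest(salted_hash(guess, salt), stored_prefix_hash):
            return guess, n
    return None, len(alphabet) ** length


def issue_phone_secret(length: int = 6):
    """Mitigation from the comments: a phone-verification code generated independently of
    the web password.  Returns (code to give the customer, salt, hash to store).  Its own
    keyspace is small (10**6), so it still relies on online lockout / rate limiting; what it
    fixes is that a leaked record reveals nothing about the web password."""
    code = "".join(secrets.choice(string.digits) for _ in range(length))
    salt = os.urandom(16)
    return code, salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def verify_phone_secret(code: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a customer-supplied code against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    password = "Tr0ub4dor&3"  # constructed sample, not anyone's real password
    salt = os.urandom(16)
    # What the provider would have to store to support the phone check from the question.
    prefix_hash = salted_hash(password[:3], salt)
    prefix, guesses = recover_prefix(prefix_hash, salt)
    print(f"prefix recovered: {prefix!r} after {guesses:,} guesses")
    print(f"3-char prefix search: {keyspace_bits(94, 3):.1f} bits; "
          f"remaining 8 chars of the sample password: {keyspace_bits(94, 8):.1f} bits "
          f"(down from {keyspace_bits(94, 11):.1f})")
    code, code_salt, code_hash = issue_phone_secret()
    print("independent phone code verifies:", verify_phone_secret(code, code_salt, code_hash))
```

The point the numbers make: a three-character prefix hash has under 20 bits of search space no matter how it is salted, so anyone holding the database learns the prefix and reduces the rest of the password by the same three characters. A separate phone code has an equally small keyspace, so it needs the same online protections (lockout, rate limiting), but a leak of its record says nothing about the website password, which is what the comments are pointing at.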

0 Answers