
We have a website which stores hashed passwords in the database. During logins we hash the password entered by the user and compare the two hashes. This is quite standard so far. Our client, which is in the finance domain, now wants us to implement a feature where we would ask users to enter a few random characters from their password. This is similar to what most banks do during a 3D Secure payment (Enter the 3rd, 5th and 8th digit of your password).

I understand that this would be impossible on a password whose hashed version is already stored in the database. Or is it possible? Am I missing something obvious?

For new users, I am thinking I can hash every character separately and store the hashes. When the user enters the random password characters, I can hash the entered characters and compare the hashes. But I am not sure if this would reduce the security.

Another option could be to create many combinations of 3 random characters from the user's password, hash the combinations and store the hashes along with the positions of the characters that made up the combination. This might be silly but I am just stretching my imagination.

How is this done in reality?

Suhas
  • It's _extremely_ hard to argue about security when it's this stupid. Three digits is only 1000 possibilities - hardly secure for anything. – orlp Dec 19 '13 at 23:18
  • It is not three digits. It is three random characters from your password, which is usually 8 characters long. And a character in a password can be any of 26 characters, uppercase, lowercase, special characters and numbers. So that makes it more than 1000 combinations. –  Dec 19 '13 at 23:22
  • This question appears to be better suited for Security.SE. – e-sushi Dec 20 '13 at 10:22
  • Hashing doesn't work here. So you're left with encryption, which can offer decent security when the key is stored in an HSM. – CodesInChaos Dec 20 '13 at 10:49
  • @e-sushi I was not aware of the other SO site. How can I move the question to other site? –  Dec 20 '13 at 12:23
  • as well as http://security.stackexchange.com/q/7467/2568 – dr jimbob Dec 20 '13 at 22:06
  • Storing the hash of each character would be close to storing the password in plain text, because each hash would be *extremely* easy to break. – Gras Double Oct 21 '17 at 18:06
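The two schemes from the question, worked through as an added example that is not part of the question or its comments: option 1 (one salted hash per position) and option 2 (one hash per 3-position combination) are modelled with stdlib SHA-256 standing in for the site's real password hash, and the code counts how many hash evaluations someone holding the database needs to recover the whole password. The 94-character alphabet, the salt and the sample password are constructed assumptions.

```python
import hashlib
import itertools
import string

# 94 printable ASCII characters; each password position is drawn from this set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def h(salt: bytes, data: str) -> bytes:
    # Salted SHA-256 stands in for the site's password hash; a slower hash only
    # changes the cost per guess, not the number of guesses needed.
    return hashlib.sha256(salt + data.encode()).digest()


def store_per_char(password: str, salt: bytes) -> list:
    """Option 1 from the question: one hash per password position."""
    return [h(salt + bytes([i]), c) for i, c in enumerate(password)]


def recover_per_char(hashes: list, salt: bytes) -> tuple:
    """Recover the password position by position; returns (password, hashes computed)."""
    out, work = [], 0
    for i, target in enumerate(hashes):
        for c in ALPHABET:
            work += 1
            if h(salt + bytes([i]), c) == target:
                out.append(c)
                break
    return "".join(out), work


def store_triples(password: str, salt: bytes) -> dict:
    """Option 2 from the question: a hash for every 3-position combination."""
    return {pos: h(salt + bytes(pos), "".join(password[p] for p in pos))
            for pos in itertools.combinations(range(len(password)), 3)}


def triple_search_space(n: int = len(ALPHABET)) -> int:
    """Worst-case guesses to break ONE stored triple (it leaks 3 characters at once)."""
    return n ** 3


def full_search_space(length: int, n: int = len(ALPHABET)) -> int:
    """Worst-case guesses against a single hash of the whole password, for comparison."""
    return n ** length


if __name__ == "__main__":
    salt, pw = b"constructed-salt", "Tr0ub4d!"  # constructed sample values
    print(recover_per_char(store_per_char(pw, salt), salt))
    print(len(store_triples(pw, salt)), triple_search_space(), full_search_space(len(pw)))
```

Per-position hashes fall in at most 8 × 94 guesses instead of 94^8, which is what the comment about "close to plain text" means; with the triples, one cracked combination reveals three positions, after which every overlapping combination needs only 94 guesses for its remaining character.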
