3

I see that the new login mechanism used by some banks in UK and also used by visa debit authentication is to ask for three random characters from your password at login (for example second, ninth and forth) but this surely mean that the password is not hashed, right? Maybe encrypted at best... This is very bad, right? Or is there a way to hash a password and still calculate these characters? I cannot think of anything...

spauny
  • 153
  • 1
  • 7

2 Answers2

4

This stems from the times people would still use phone banking and an operator was required to ask a password. To prevent the operator from knowing the complete password, he would only receive three characters of the password and their positions.

It's actually not necessarily a bad thing if implemented correctly. You are correct stating that the password is not hashed. This scheme is called a masked or partial password. Some banks use this and the idea behind it is that in the event a client has a keylogger installed on his system, you will never get the complete password. It prevents the user also from storing it in an autocomplete or autofill tool.

Most implementations actually relay the passwords to another service running in the backend (meaning you don't talk directly to the database but to a seperate webservice).

Personally I'm not a fan of these schemes if they are not implemented together with a second factor of authentication. They completely fail at addressing most other malware than keyloggers as well as most social engineering attacks.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • Yeah, I don't think I'm a very big fan especially because if you do have a keylogger in you pc, from what I experienced, there is a big chance that after three user logins the hacker has the necessary data for the forth one... – spauny Mar 08 '14 at 22:26
1

From what I've seen, they usually ask for your username (or account ID) and password, then three characters from a second passphrase. This helps prevent a vast majority of non-targeted keyloggers and form-grabbers, as capturing one login will likely not get you enough information to log in a second time.

In terms of the security, there are a few ways this can work. The most secure common method is a Hardware Security Module (HSM), which is essentially a black-box device that allows limited operations to be performed on data within it, with both software and hardware security measures. The idea is that you can tell the HSM to set the user's passphrase, or verify three characters of it, but you can't ask it to tell you the whole passphrase.

Another option is to encrypt the passwords in a database which is accessible via an internal web service that emulates the write/verify functionality of the HSM. It's less secure, but has improved cost options, and can be more flexible if the bank has an internal development team.

Polynomial
  • 132,208
  • 43
  • 298
  • 379