My bank uses this rather uncommon policy of authentication. They of course have a password, on which quite strong password rules, like "use alphanumeric characters and symbols, 8+ characters", are enforced.

And they have a secondary password, which must be exactly 8 alphanumeric characters. We are supposed to enter three randomly-selected characters from this secondary password when we log in. Here is the example:

Now I hope they are storing my secondary password as 8 hashes, hopefully each letter hashed with a different salt. Let's just assume that my speculation is true, and try to find how secure is this.

So my question is, does this kind of secondary password add any security? Or how much additional security will we have if we use a secondary password without randomizing the letters like this?

sampathsris
  • Even assuming they hashed each letter individually, it's really, really easy to just guess at all 26 possibilities if you have the hashes and salts. – Stephen Touset Sep 29 '14 at 06:24
  • Web banking systems and their ridiculous security theater... – Philipp Sep 29 '14 at 07:09
  • Wow. I can see a pattern here, where FI's have mickey mouse 2nd stage authentication. I know of another FI that does something almost as ridiculous as this. – Andrew Hoffman Sep 29 '14 at 15:57
  • possible duplicate of [How secure is asking for specific characters of passwords instead of the entire thing?](http://security.stackexchange.com/questions/7467/how-secure-is-asking-for-specific-characters-of-passwords-instead-of-the-entire) – D.W. Sep 29 '14 at 17:16
  • See also http://security.stackexchange.com/q/7467/971, http://security.stackexchange.com/q/38744/971, http://security.stackexchange.com/q/64589/971, http://security.stackexchange.com/q/4830/971, http://security.stackexchange.com/q/52972/971, http://security.stackexchange.com/q/10938/971, all of which concern this approach to authentication. Next time, I encourage you to spend some time using the "search" bar in the upper-right before asking. – D.W. Sep 29 '14 at 17:19
  • @D.W.: Thanks for the encouragement. I did spend time searching but instead of the "search" bar (in the upper-right corner), I used the suggestion facility in the Ask Question page (which has been far better than the search bar on other SX sites). I guess the words "secondary" and "random" screwed the search for me. The other thing is, all the questions you linked are asking (probably) about using a random letter as the only authentication method. I am asking if using such a method for _secondary_ authentication "adds" security. Maybe you don't see a difference in them. – sampathsris Sep 29 '14 at 17:28
  • Sorry to hear that search didn't turn this up for you. Perhaps I had an advantage because I knew this had been asked before, though [I do have high expectations for research effort](http://meta.stackoverflow.com/q/261592/781723). Anyway, it seems like the answers to those questions give us the main information needed to answer your question. You asked about the security benefit in using "passwords + mechanism X" instead of "just passwords". The questions I linked to tell you how to assess the security benefit and limitations of "mechanism X", which covers it pretty well. – D.W. Sep 29 '14 at 22:58
  • @Krumia: Why do you "_hope_ they are storing" your "secondary password as 8 hashes" rather than as 56 hashes? –  Sep 30 '14 at 01:00
  • @RickyDemer: Well, at least that's better than plaintext. :) – sampathsris Sep 30 '14 at 03:12

2 Answers

Well, it certainly doesn't make it more insecure. You still have your primary password, which we'll just assume is stored correctly.

And in addition to this (I'm going to assume that you have to enter both, not one or the other; if that were the case, this wouldn't be very secure, see the links @D.W. provided in the comments), they have a secondary password. Let's assume it's stored in the worst way possible: plaintext(*).

So we don't care what happens in case an attacker steals the database (hashing this additional password wouldn't add a lot of security for that anyway).

So my question is, does this kind of secondary password add any security?

This still adds security. The benefit of the randomization is that someone could intercept you logging in once, and still not be able to log in themselves without them taking further steps.

This isn't a whole lot of added security, but it is some, and I think it makes sense as a defense in depth strategy.

Example of what this might protect against:

You are at a friend's house (or you have visitors at your place, or you're using your laptop in public for online banking [don't do this]) and have to send them some money. They look over your shoulder and see you entering your password(s). Without the randomization, they can log in themselves and see how much money you have, what you spend it on, etc. And if you forget your cell phone and are using mTAN, they can steal from you.

With the randomized second password, they would have to brute force (either the online login or the hash if they managed to break into the bank(*)), or look at you entering the password a whole bunch of times.

There are 8 choose 3 = 56 possible combinations of characters to enter (assuming you always have to enter 3 characters), so refreshing until they get asked the exact same characters might be annoying (or might get them blocked).

Maybe they are not quite sure about your primary password and are hoping to just try a couple of variations, which would be a lot more difficult with the randomized secondary password.

So yes, I think there are real-world scenarios which this kind of randomized password protects against, especially against technically less experienced attackers.

(*) Breaking into the bank seems to me like a far less likely attack vector than someone intercepting the password.

Or how much additional security will we have if we use a secondary password without randomizing the letters like this?

You mean just having two "normal" passwords? Assuming it doesn't tell you which password was wrong, it's the same as requiring 16+ characters for a single password against online brute-force attacks. If they do tell you which one was wrong, or if you managed to get the hashes, well, then it would add the security an 8-character alphanumeric password gives you.

This of course doesn't defend against the scenario described above.

tim
  • Good answer. And your assumptions are correct. 1. We have to enter both passwords 2. In the second scenario, I was talking about having two "normal" passwords. – sampathsris Sep 29 '14 at 13:34
  • +1 for considering real-world scenarios and that not every hacker is high tech *cough* http://xkcd.com/538/ *cough* – Tim S. Sep 29 '14 at 16:25
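The shoulder-surfing scenario in the answer above can be quantified. The following is an added example, not code from the question or the answer: it enumerates the 56 possible 3-of-8 challenges, computes what fraction of them an attacker can answer after watching a given login, how many login attempts they would expect to need before the bank happens to ask for characters they know, and (by simulation) how many logins they must watch before they have seen all 8 characters. The challenge `(1, 4, 6)` and the assumption that challenges are drawn uniformly at random are constructed for the example.

```python
import itertools
import random

POSITIONS = 8   # length of the secondary password (from the question)
ASKED = 3       # characters requested per login (from the question)

# All 56 distinct challenges the bank can issue: every 3-subset of the 8 positions.
ALL_CHALLENGES = list(itertools.combinations(range(POSITIONS), ASKED))


def answerable_fraction(known_positions):
    """Fraction of possible challenges an attacker can answer when they know
    only the characters at `known_positions` (e.g. from one shoulder-surf)."""
    known = set(known_positions)
    hits = sum(1 for ch in ALL_CHALLENGES if set(ch) <= known)
    return hits / len(ALL_CHALLENGES)


def expected_attempts(known_positions):
    """Expected number of login attempts (each drawing a fresh random challenge)
    before the attacker is asked a challenge they can answer. Returns None when
    no challenge is answerable at all."""
    p = answerable_fraction(known_positions)
    return None if p == 0 else 1 / p


def positions_learned(observed_challenges):
    """Union of positions revealed by the challenges an attacker has watched."""
    known = set()
    for ch in observed_challenges:
        known.update(ch)
    return known


def mean_logins_to_learn_all(trials=2000, seed=1):
    """Monte Carlo estimate (assumption: uniformly random challenges) of how
    many logins an attacker must watch before all 8 characters have been seen."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        known = set()
        n = 0
        while len(known) < POSITIONS:
            known.update(rng.choice(ALL_CHALLENGES))
            n += 1
        total += n
    return total / trials


if __name__ == "__main__":
    one_look = (1, 4, 6)  # constructed: the challenge the victim was seen answering
    print(f"challenges answerable after one look: {answerable_fraction(one_look):.3f}")
    print(f"expected attempts until answerable:   {expected_attempts(one_look):.0f}")
    print(f"mean logins watched to learn all 8:   {mean_logins_to_learn_all():.1f}")
```

After a single observation the attacker can answer only 1 of 56 challenges, so on average they need 56 attempts at the login form, which is exactly the lockout risk the answer mentions; after two non-overlapping observations they know 6 positions and can answer 20 of 56. A handful of observed logins is enough to learn the whole secondary password, so the scheme buys time against an opportunistic observer, not against a persistent one.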
The way I see it, even if it's random, it's just eight very, very, very low entropy passwords (1 character). Which will be super easy to break by brute force (as usual, we have to assume that attacker has the salts). Randomization of the challenge will be useless if the attacker knows the secondary password.

But I think this will have additional security if the random letters are combined with the primary password. For example, if the passwords are initially hashed this way:

hash_1 = hash(primaryPassword + letter_1_of_secondary + random_salt_1)
hash_2 = hash(primaryPassword + letter_2_of_secondary + random_salt_2)
// ... and so on.

Now this is essentially equivalent to having eight passwords for the same account, and having to provide three random passwords out of eight for authentication. An attacker will have to crack at least three passwords, and attempt to login until system prompts for the three exact passwords, and hope the system would not lock the account because of multiple attempts.

As Chris Murray has pointed out in the comments, this is not much better than having a single password. Because if an attacker breaks a single password, all other passwords can be easily cracked because they share the same secret.

sampathsris
  • I think you're right, and including the primary password would make this secure in that it wouldn't leak any extra information about the password. But I think you're wrong that the attacker has to break at least three hashes. If he breaks the primary password hash (or gets it by some other means) then all 8 passwords are compromised as they all rely on the same secret. – Chris Murray Sep 29 '14 at 11:02
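The offline-cracking argument in the answer above, and Chris Murray's objection in the comment, can both be shown concretely. The following is an added example, not code from the question or the answers: it stores a secondary password the way the question hopes (one independently salted hash per character), recovers it from the stolen records with at most 36 guesses per position, and then builds the `hash(primary + letter + salt)` variant from the answer and shows that it is exactly as strong as the primary password and no stronger. SHA-256 stands in for whatever hash a real bank would use (a slow password hash changes the cost of each guess, not the count of 36 per position), and the case-insensitive alphanumeric alphabet, the sample passwords and the 16-byte salts are assumptions for the example.

```python
import hashlib
import os
import string

# Assumption: the secondary password is case-insensitive alphanumeric, so each
# position has 36 candidates. SHA-256 stands in for the bank's real hash.
ALPHABET = string.ascii_lowercase + string.digits


def _store(prefix, secondary):
    """Store hash(prefix + character + salt) for each character, with a fresh salt."""
    records = []
    for ch in secondary:
        salt = os.urandom(16)
        records.append((salt, hashlib.sha256(prefix + ch.encode() + salt).digest()))
    return records


def _crack(prefix, records):
    """Try every alphabet character against every stolen record.
    Returns the recovered string ('?' where no candidate matched) and the
    number of hash computations spent."""
    recovered, guesses = [], 0
    for salt, digest in records:
        for cand in ALPHABET:
            guesses += 1
            if hashlib.sha256(prefix + cand.encode() + salt).digest() == digest:
                recovered.append(cand)
                break
        else:
            recovered.append("?")
    return "".join(recovered), guesses


def store_per_letter(secondary):
    """The storage the question hopes for: one salted hash per character."""
    return _store(b"", secondary)


def crack_per_letter(records):
    """Offline attack on per-letter storage: at most 8 * 36 = 288 hashes."""
    return _crack(b"", records)


def store_bound(primary, secondary):
    """The construction from the second answer: hash(primary + letter + salt)."""
    return _store(primary.encode(), secondary)


def crack_bound(records, primary_guess):
    """Attacking the bound construction: with the right primary password the
    search collapses to 36 guesses per position; with a wrong one, nothing
    matches. The secondary password adds no strength beyond the primary's."""
    return _crack(primary_guess.encode(), records)


if __name__ == "__main__":
    secondary = "k7m2qz9a"            # constructed sample secondary password
    primary = "correct horse battery"  # constructed sample primary password

    text, n = crack_per_letter(store_per_letter(secondary))
    print(f"per-letter storage: recovered {text!r} in {n} hashes")

    bound = store_bound(primary, secondary)
    print("bound, primary known:  ", crack_bound(bound, primary))
    print("bound, primary unknown:", crack_bound(bound, "wrong guess"))
```

The per-letter records fall in under 300 hash computations regardless of which hash or salt is used, so the per-character hashing the question hopes for protects nothing once the database is stolen. Binding each character to the primary password stops that, but only by making every guess also a guess at the primary password; once the primary is cracked or captured, all eight characters fall in the same 288 hashes, which is the point of the comment.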