Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

You are viewing a single thread.
View all comments View context
1 point
*

Unless they hash and store various combinations of characters in addition to, or instead of, the whole password. I haven’t heard of anyone doing this. If you were to pad them with a unique salt and a pepper before hashing each combination, you could end up with something more secure than just hashing the whole password Edit: I was wrong it seems; you’d still end up with something insecure. But hashing the whole password, if done properly, is already secure enough so this would seem like needless complication unless there’s some unusual concern about the password being intercepted in transit, and in that case you’d have other problems anyway.

I have heard of this thing of asking for selected characters of a static second authentication factor (e.g. a PIN), but not of a password itself. And now that we have proper 2FA systems I haven’t seen anything like that in a while.

permalink
report
parent
reply
2 points

It’ll be less secure.

If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then “passw” is the same as “password” and all those permutations. Hashing is safe because it’s one-way, but simple testing on the hashing algorithm would reveal certain characters don’t matter.

Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.

It also adds nothing to keylogging, since it’s not even a new code, it’s part of the password.

There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.

permalink
report
parent
reply
1 point

Less secure if you come at it from the perspective of cracking the password, but probably more secure in real-world terms.

If you type in your bank password and somebody’s compromised your browser, they now have your entire password.

If you type in the third, fourth and eighth digits and somebody’s compromised your browser, they still can’t access your account.

Obviously full 2FA is probably better, but

  • A bank requiring a smartphone to bank with them is probably a no-go
  • A bank probably has to deal with some of the least technical users that are out there

If it’s too hard for certain users to engage with the system correctly, they’ll try to sneak around it in ways that could compromise their security more than if the bank had just gone with the specific digits thing in the first place.

permalink
report
parent
reply

No Stupid Questions

!nostupidquestions@lemmy.world

Create post

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others’ questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That’s it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it’s in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

Community stats

  • 9.6K

    Monthly active users

  • 3.3K

    Posts

  • 129K

    Comments