Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.
I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)
Is there any secure way that this could be happening? Or are the companies storing my password in plain text?
The most secure way this could happen is them storing the specific character separately. It reduces security of your password if that plaintext character is compromised but you could still store the rest of the password securely.
You could even salt and hash the one character with a large salt to keep it behind a one-way function, and then the agent would need to enter it and confirm via the system, but that would reduce any downside of the one or two characters being compromised.
It’s weird either way though.
Something fun you can do is set your password to an eicar test string. That should break things of they are running any av and storing the password in clear text
Any password restriction that LOWERS entropy is a bad restriction.
No, I’m not answering the question, I know. But I’m answering the better question, which is “is this a stupid thing to ask of a password?”, and yes it is.
Full-stack dev here, not necessarily in answer to OP’s question, but in my experience it is a pretty standard practice that when you log in to a service, the web page sends your unhashed creds to the server, where your password is then hashed and compared to the stored hash. Via HTTPS/TLS/SSL, this is a reasonably secure practice since the creds are still encrypted while in transport. Hashing is a computationally expensive process that (before the advent of WASM) wasn’t really feasible to do on the client side.
Shamir’s secret sharing, which was new to me, still means the password must be unencrypted though!? Otherwise there’s no secret that can be shared. You can’t get individual characters of non-reversible-hashed passwords.
Reading the Wikipedia page about Shamir’s secret sharing I don’t see anything about sharing part of the secret data, only that the decryption key is split-shared.
So in this case the shared partial secret key would be a part of the secret. That seems like a bad idea, bad practice for security. But I see how it’d work.
