Is it possible to safely check for certain characters in a password? - eviltoast

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

  • Khan@feddit.nl
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    It’ll be less secure.

    If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then “passw” is the same as “password” and all those permutations. Hashing is safe because it’s one-way, but simple testing on the hashing algorithm would reveal certain characters don’t matter.

    Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.

    It also adds nothing to keylogging, since it’s not even a new code, it’s part of the password.

    There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.

    • Primarily0617@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Less secure if you come at it from the perspective of cracking the password, but probably more secure in real-world terms.

      If you type in your bank password and somebody’s compromised your browser, they now have your entire password.

      If you type in the third, fourth and eighth digits and somebody’s compromised your browser, they still can’t access your account.

      Obviously full 2FA is probably better, but

      • A bank requiring a smartphone to bank with them is probably a no-go
      • A bank probably has to deal with some of the least technical users that are out there

      If it’s too hard for certain users to engage with the system correctly, they’ll try to sneak around it in ways that could compromise their security more than if the bank had just gone with the specific digits thing in the first place.