Is it possible to safely check for certain characters in a password? - eviltoast

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

  • Primarily0617@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Less secure if you come at it from the perspective of cracking the password, but probably more secure in real-world terms.

    If you type in your bank password and somebody’s compromised your browser, they now have your entire password.

    If you type in the third, fourth and eighth digits and somebody’s compromised your browser, they still can’t access your account.

    Obviously full 2FA is probably better, but

    • A bank requiring a smartphone to bank with them is probably a no-go
    • A bank probably has to deal with some of the least technical users that are out there

    If it’s too hard for certain users to engage with the system correctly, they’ll try to sneak around it in ways that could compromise their security more than if the bank had just gone with the specific digits thing in the first place.