Is it possible to safely check for certain characters in a password?

pandarisu@lemmy.world to No Stupid Questions@lemmy.world – 83 points –

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn't know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I've noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

94

You are viewing a single comment

I have never heard of anything secure doing that. Assuming they have taken security steps, it would mean they recorded those characters in plaintext when you set your password, but that means that at least those characters aren't secure, and a breach means some hacker has a great hint.

When the hashing occurs, it happens using the code you downloaded when you visit the site, so it's your computer that does the hash, and then just the hash is sent onwards, so they can't just pull the letters out of a properly secure password.

A secure company would use two-factor authentication to verify you above and beyond your password, anyway, since a compromised password somewhere else automatically compromises questions about your password.

A lot of banks in the UK do it. They normally have a secondary pin that they will ask for 2 or 3 characters of.

This means that if you log in and get keylogged/shoulder surfed etc they don't get the full pin. The next time you login you will get asked for different characters.

Not great, but not awful either - going away now that 2fa is more common

A secondary pin is a bit better but characters from the actual password (that you have to enter anyway) adds nothing to security from that kind of intrusion.

This means that if you log in and get keylogged/shoulder surfed etc they don't get the full pin. The next time you login you will get asked for different characters.

This seems somehow worse than simply requiring the same few characters each time, since they would either have to store the complete passwords in plaintext, or compute and store the hash for every permutation of 2-3 characters, which is wildly inefficient. You'd also be susceptible to leaking your password if for some reason you are under long term surveillance, since at some point you would presumably have provided all of the characters making up the password.

It's normally an additional password/code, so it's probably stored in plaintext.

The random character selection is what makes it useful. Stops someone who just captured your details from logging straight in (probably).

2FA is superior in every way to it. Most have now switched to sending you a chip & pin card reader to generate OTPs.

Unless they hash and store various combinations of characters in addition to, or instead of, the whole password. I haven't heard of anyone doing this. If you were to pad them with a unique salt and a pepper before hashing each combination, you could end up with something more secure than just hashing the whole password Edit: I was wrong it seems; you'd still end up with something insecure. But hashing the whole password, if done properly, is already secure enough so this would seem like needless complication unless there's some unusual concern about the password being intercepted in transit, and in that case you'd have other problems anyway.

I have heard of this thing of asking for selected characters of a static second authentication factor (e.g. a PIN), but not of a password itself. And now that we have proper 2FA systems I haven't seen anything like that in a while.

It'll be less secure.

If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then "passw" is the same as "password" and all those permutations. Hashing is safe because it's one-way, but simple testing on the hashing algorithm would reveal certain characters don't matter.

Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.

It also adds nothing to keylogging, since it's not even a new code, it's part of the password.

There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.

Less secure if you come at it from the perspective of cracking the password, but probably more secure in real-world terms.

If you type in your bank password and somebody's compromised your browser, they now have your entire password.

If you type in the third, fourth and eighth digits and somebody's compromised your browser, they still can't access your account.

Obviously full 2FA is probably better, but

  • A bank requiring a smartphone to bank with them is probably a no-go
  • A bank probably has to deal with some of the least technical users that are out there

If it's too hard for certain users to engage with the system correctly, they'll try to sneak around it in ways that could compromise their security more than if the bank had just gone with the specific digits thing in the first place.