this post was submitted on 11 Jul 2023
83 points (100.0% liked)

No Stupid Questions

35931 readers
1534 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn't know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I've noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 18 points 1 year ago (2 children)

I have never heard of anything secure doing that. Assuming they have taken security steps, it would mean they recorded those characters in plaintext when you set your password, but that means that at least those characters aren't secure, and a breach means some hacker has a great hint.

When the hashing occurs, it happens using the code you downloaded when you visit the site, so it's your computer that does the hash, and then just the hash is sent onwards, so they can't just pull the letters out of a properly secure password.

A secure company would use two-factor authentication to verify you above and beyond your password, anyway, since a compromised password somewhere else automatically compromises questions about your password.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (2 children)

A lot of banks in the UK do it. They normally have a secondary pin that they will ask for 2 or 3 characters of.

This means that if you log in and get keylogged/shoulder surfed etc they don't get the full pin. The next time you login you will get asked for different characters.

Not great, but not awful either - going away now that 2fa is more common

[–] [email protected] 2 points 1 year ago

A secondary pin is a bit better but characters from the actual password (that you have to enter anyway) adds nothing to security from that kind of intrusion.

[–] lando55 0 points 1 year ago (1 children)

This means that if you log in and get keylogged/shoulder surfed etc they don't get the full pin. The next time you login you will get asked for different characters.

This seems somehow worse than simply requiring the same few characters each time, since they would either have to store the complete passwords in plaintext, or compute and store the hash for every permutation of 2-3 characters, which is wildly inefficient. You'd also be susceptible to leaking your password if for some reason you are under long term surveillance, since at some point you would presumably have provided all of the characters making up the password.

[–] [email protected] 2 points 1 year ago

It's normally an additional password/code, so it's probably stored in plaintext.

The random character selection is what makes it useful. Stops someone who just captured your details from logging straight in (probably).

2FA is superior in every way to it. Most have now switched to sending you a chip & pin card reader to generate OTPs.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Unless they hash and store various combinations of characters in addition to, or instead of, the whole password. I haven't heard of anyone doing this. If you were to pad them with a unique salt and a pepper before hashing each combination, ~~you could end up with something more secure than just hashing the whole password~~ Edit: I was wrong it seems; you'd still end up with something insecure. But hashing the whole password, if done properly, is already secure enough so this would seem like needless complication unless there's some unusual concern about the password being intercepted in transit, and in that case you'd have other problems anyway.

I have heard of this thing of asking for selected characters of a static second authentication factor (e.g. a PIN), but not of a password itself. And now that we have proper 2FA systems I haven't seen anything like that in a while.

[–] [email protected] 2 points 1 year ago (1 children)

It'll be less secure.

If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then "passw" is the same as "password" and all those permutations. Hashing is safe because it's one-way, but simple testing on the hashing algorithm would reveal certain characters don't matter.

Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.

It also adds nothing to keylogging, since it's not even a new code, it's part of the password.

There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.

[–] [email protected] 1 points 1 year ago

Less secure if you come at it from the perspective of cracking the password, but probably more secure in real-world terms.

If you type in your bank password and somebody's compromised your browser, they now have your entire password.

If you type in the third, fourth and eighth digits and somebody's compromised your browser, they still can't access your account.

Obviously full 2FA is probably better, but

  • A bank requiring a smartphone to bank with them is probably a no-go
  • A bank probably has to deal with some of the least technical users that are out there

If it's too hard for certain users to engage with the system correctly, they'll try to sneak around it in ways that could compromise their security more than if the bank had just gone with the specific digits thing in the first place.