Monday, 11 February 2019

"Enter the first, fourth and fifth characters of your unique word"

Sometimes when you log in somewhere, you are asked to enter certain characters from your unique word, which is surprisingly difficult and often takes two or three attempts.

Some clever internet chaps have realised that this is a waste of everybody's time and have set it up so that you have to enter the appropriate characters in the boxes and skip the asterisks. This makes it a lot easier because you can visualise your unique word as you type the characters in. Well done them!

* *□□*


Bayard said...

But, unless the box/asterisk combination is a random length longer than your unique word, it is a decrease in security to show how long that word is.

PJH said...

Two passwords (for that is exactly what this is, in an attempt to pretend to be 2-factor auth) is no more secure (in fact it's less secure) than one password. Especially when they do this sort of thing.

It was a nuisance 7 years ago when this was written.

For instance, it's well known (LOL) that you should never store passwords in-the-clear in the database - they must be stored with a one-way hash.

Now if you're also doing a *__*__***__* version, one of two things must be done:
1) That second password must be stored in the clear to determine what the three letters are or
2) You must one-way hash every combination of letters you'll be asking your customers for.

How long will it take to brute-force the series of three-letter-passwords from #2?
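To put numbers on the trade-off PJH describes, here is an added illustration (not from the post or any commenter): it implements option 2, one salted hash per choice of three positions, and compares the guess space of a single three-character fragment with that of the whole word. The unique word, the 36-character alphabet and SHA-256 as the hash are all assumptions made for the example.

```python
import hashlib
import os
from itertools import combinations
from math import comb

# Constructed sample values, not taken from the post.
UNIQUE_WORD = "tangerine7"   # hypothetical 10-character unique word
POSITIONS_ASKED = 3          # "first, fourth and fifth characters"
CHARSET_SIZE = 36            # assumed alphabet: lower-case letters plus digits


def hash_every_combination(word, k=POSITIONS_ASKED):
    """Option 2 from the comment: store one salted hash per choice of k positions.

    Returns {(p1, p2, p3): (salt, hex_digest)} with 1-based positions, matching
    the wording of the login prompt. SHA-256 stands in for a real password hash
    (a slow, memory-hard one would be used in practice); the sizing argument
    below does not depend on which hash is chosen.
    """
    store = {}
    for positions in combinations(range(len(word)), k):
        salt = os.urandom(16)
        fragment = "".join(word[i] for i in positions).encode()
        digest = hashlib.sha256(salt + fragment).hexdigest()
        store[tuple(p + 1 for p in positions)] = (salt, digest)
    return store


def verify(store, positions, answer):
    """Check a submitted fragment against the stored hash for those positions."""
    salt, digest = store[tuple(positions)]
    return hashlib.sha256(salt + answer.encode()).hexdigest() == digest


def entries_to_store(word_len, k=POSITIONS_ASKED):
    """How many hashes option 2 needs for a word of this length: C(n, k)."""
    return comb(word_len, k)


def fragment_guess_space(k=POSITIONS_ASKED, charset=CHARSET_SIZE):
    """Worst-case guesses to recover one k-character fragment from its hash."""
    return charset ** k


def full_word_guess_space(word_len, charset=CHARSET_SIZE):
    """Worst-case guesses for the whole word if only its full hash were stored."""
    return charset ** word_len
```

For the sample word this yields 120 stored hashes, each protecting a fragment with only 36^3 = 46,656 possibilities, against 36^10 for the whole word, which is the comparison PJH's closing question is getting at.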

Rich Tee said...

I use Keepass which has a facility where you select the numbers they ask for and it enters the correct characters automatically.

Interesting point about clear text from PJH. The only site where I have to do this is a financial site!

Dinero said...

Why is part of the word rather than the whole word being asked for?
Giving part of a password to a non-trusted party makes the password exponentially less secure for each letter.