Ask HN: Is this bad security? "Enter the second and fifth password characters"
When I log into my bank, it doesn't ask for my full password - instead, it asks for two randomly chosen characters from the password. I guess the idea is to make it more difficult for a keylogger to determine the password. But doesn't it mean that my password must be stored in plain text on the server? Isn't that far worse for security than having the user provide the full password?
Edit: Actually the bank requires more than just two characters. Here's their login screen: http://imgur.com/ngRcB The bank is NatWest in the UK. And yes, it's over HTTPS.
27 comments
[ 1.9 ms ] story [ 61.4 ms ] threadI seriously doubt they do this, storing a hash for every single character would eat up a lot of space very quickly. My guess is that they store your password in plain-text. What bank is this btw?
Do they use HTTPS?
The technique could be OK if this is a "second" password (you have already supplied one password and this is a second check) as it would then make it difficult for automated scripts trying to hack the site without compromising your primary authentication.
You would expose the password for the most important site though.
http://i.imgur.com/8ZwS0.png
I've seen UI's where the keyboard/number pad has the location of the characters randomized, which looked like a good way of solving that problem.
From a UI perspective though it's pretty annoying having to enter 3 random characters of a (complex) password, although it's something you get used to.
If possible, two factor authentication is preferable (whether via hardware dongle or smartphone app, a la' blizzard's authenticator), but that adds a ton of overhead.
You could even have an app that takes the users location from their smartphone and does a loose check on geographic location of the IP being used. The bank end gets the GPS+IMEI or whatever, produces the one-time code and texts it to the user. The user then enters the one-time code and their password on the login screen - perhaps it's used locally to encrypt the password (to combat MITM) before sending over the https connection.
For those without smartphones then charge for a dongle or have a phone based system that you can telephone (enter your postcode and get back the one-time code).
?
Yes, it also means they're storing your full password in some sort of reversible format. We can't be sure it's plaintext, but given their roll-your-own approach to security that's probably the case. I understand that they're trying to cut back on the damage a keylogger can do and I commend them for that, but they've lowered the overall security of the site in attempt to increase the security in a corner case. More to the point, if a keylogger is installed, the whole system is compromised which means they'll eventually get the entire password even if it's only a couple of letters at a time.
The only effective solution to this problem is real two-factor authentication. Not this password plus "is this your image?" or "security question" crap that a lot of banks employ: that's two-step, one-factor authentication (both are things you know), but a real second factor based on something you have (RSA token, etc.) or something you are (eg. biometrics, which is obviously impractical on the web)