I've seen some websites, particularly banking sites, that ask you to enter this (for example). Sometimes they ask for this to prove my identity over the phone.
- The 2nd character of your password
- The 5th character of your password
- The 6th character of your password
To do this, a hashing algorithm won't work, would it? Surely something that should be as secure as a bank would have a way of storing the un-decryptable passwords?
preguntado el 08 de noviembre de 11 a las 10:11
Yes this can work without holding the plain text version of your password. Simply, when you originally set your password, the bank will hash the various combinations it will ever ask for, and store those hashes. This is very simple to implement, regardless of whether you have a fixed length password (i.e. a PIN number) or a variable length one. These hashes can be stored in a preset series of columns in the table related to the user, or as a simple 3 column table - ID (the primary key), UserId, Hash, and there is one row for each combination of n characters in your password.
I have doubts about the efficacy of this method over asking for the whole password though... maybe someone has a comment on that?
I would imagine they'd have some kind of private key system for decrypting (maybe even a private key per account, to improve security)...
It would be not too surprising, if (some) banks (or other big corporations) really stored plain-text passwords, or ROT13'd ones, or even double ROT13'd...
It's probably not a good item to discuss on an open forum, but what is to stop them from inserting your selected characters into a memory held, decrypted, copy of your memorable phrase or word at the appopriate locations, encrypting it and performing a binary comparison on the result?
They could just as easily keep a HASH of the soltero characters couldn't they?
You do NOT actually have to use a one-way HASH. You could just as easily use a two-way cypher, if you were certain that your key was secure. In this case they could easily keep the cypher on systems not accessible from the net.