Do banks store passwords as plain text? [closed]

I've seen some websites, particularly banking sites, that ask you to enter this (for example). Sometimes they ask for this to prove my identity over the phone.

  • The 2nd character of your password
  • The 5th character of your password
  • The 6th character of your password

To do this, a hashing algorithm won't work, would it? Surely something that should be as secure as a bank would have a way of storing the un-decryptable passwords?

asked 08 Nov 2011 at 10:11

If you really want to know, why not ask the bank.

It's not a bad idea, but I think I'll probably be passed around on hold for at least 2 hours before I reach someone who even knows someone who might know how the database is set up. Particularly as I'm not concerned about it, just interested ;D

5 Answers

Yes this can work without holding the plain text version of your password. Simply, when you originally set your password, the bank will hash the various combinations it will ever ask for, and store those hashes. This is very simple to implement, regardless of whether you have a fixed length password (i.e. a PIN number) or a variable length one. These hashes can be stored in a preset series of columns in the table related to the user, or as a simple 3 column table - ID (the primary key), UserId, Hash, and there is one row for each combination of n characters in your password.

I have doubts about the efficacy of this method over asking for the whole password though... maybe someone has a comment on that?

answered 08 Nov 2011, 11:14

Wouldn't this allow much easier bruteforcing of the individual hashes, if the attacker knows that the bank always asks 5 characters from a password? - Richlv
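One way to implement the scheme this answer describes, as an added example that is not from the original post or any bank's code: at enrollment, every k-subset of character positions gets its own salted hash row, and verification looks up the row for the positions that were asked. PBKDF2-SHA256, the iteration count and the sample password are assumptions; the last two helpers quantify the comment's concern by counting how many guesses one stored row exposes versus how many rows are stored.

```python
import hashlib
import hmac
import math
import os
from itertools import combinations

HASH_ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware


def enroll(password: str, k: int = 3, iterations: int = HASH_ITERATIONS) -> dict:
    """At password-set time, hash every k-subset of character positions.

    Returns {positions: (salt, iterations, digest)}, one row per subset: the
    "one row for each combination" table the answer describes.
    Positions are 1-based, as in the bank's prompt ("2nd", "5th", "6th").
    """
    rows = {}
    for positions in combinations(range(1, len(password) + 1), k):
        salt = os.urandom(16)                      # fresh salt per row
        partial = "".join(password[p - 1] for p in positions).encode()
        digest = hashlib.pbkdf2_hmac("sha256", partial, salt, iterations)
        rows[positions] = (salt, iterations, digest)
    return rows


def verify(rows: dict, positions, answer: str) -> bool:
    """Check the characters the user supplied for the requested positions."""
    if len(positions) != len(answer):
        return False
    # Normalise to ascending position order so (6, 2, 5)/"4rb" matches (2, 5, 6)/"rb4".
    ordered = sorted(zip(positions, answer))
    key = tuple(p for p, _ in ordered)
    partial = "".join(c for _, c in ordered).encode()
    entry = rows.get(key)
    if entry is None:                              # positions never enrolled
        return False
    salt, iterations, expected = entry
    digest = hashlib.pbkdf2_hmac("sha256", partial, salt, iterations)
    return hmac.compare_digest(digest, expected)   # constant-time compare


def guesses_per_row(k: int, alphabet_size: int = 62) -> int:
    """Search space behind one stored row: only k characters, not the whole password."""
    return alphabet_size ** k


def rows_for(password_length: int, k: int) -> int:
    """Number of hash rows stored per user: C(n, k)."""
    return math.comb(password_length, k)


if __name__ == "__main__":
    table = enroll("Tr0ub4dor", k=3, iterations=1_000)  # constructed sample, not a real credential
    print(rows_for(9, 3), verify(table, (2, 5, 6), "rb4"), guesses_per_row(3))
```

For a 9-character alphanumeric password each of the 84 rows protects only 62**3 = 238,328 possibilities, against 62**9 for a hash of the whole password, which is the trade-off the comment above points at.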

I would imagine they'd have some kind of private key system for decrypting (maybe even a private key per account, to improve security)...

answered 08 Nov 2011, 11:14

It would be not too surprising, if (some) banks (or other big corporations) really stored plain-text passwords, or ROT13'd ones, or even double ROT13'd...

answered 08 Nov 2011, 11:14

It's probably not a good item to discuss on an open forum, but what is to stop them from inserting your selected characters into a memory held, decrypted, copy of your memorable phrase or word at the appropriate locations, encrypting it and performing a binary comparison on the result?

answered 08 Nov 2011, 11:14

They could just as easily keep a HASH of the single characters couldn't they?

You do NOT actually have to use a one-way HASH. You could just as easily use a two-way cypher, if you were certain that your key was secure. In this case they could easily keep the cypher on systems not accessible from the net.

answered 08 Nov 2011, 11:14
