I never used them, but my guess is they try to make one-time passwords from your passwords.
They probably ask to enter e.g. 3rd, 6th and 8th letter of the password. Supposedly if someone logs it it supposedly won't be as useful, because next time it will ask for different letters.
Not sure why they won't use RSA keys or similar technology. Also if it is the way I think it is, then you know that your passwords aren't hashed on their servers.
> then you know that your passwords aren't hashed on their servers
This is the immediate alarm that went off in my head reading about this. I've never seen this before either and it sounds like an idea from someone who means well but doesn't understand what they are doing.
It would effectively be a dead giveaway. Exhaustively searching all combinations of three characters takes trivial time even in an excruciatingly slow hash.
Entering partial passwords prevents MITM. OP was just explaining how partials could be implemented securely by hashing each combination; he wasn't saying hashing prevented MITM.
> Also if it is the way I think it is, then you know that your passwords aren't hashed on their servers.
Only if the developers are extremely lazy. A proper implementation would precompute a series of hashes for different subsets of the password and store them in the database instead. Similar to how Facebook stores both the password and its reversed-case form as a convenience feature for people who forget to turn their CAPS LOCK off.
But how many subsets would you do? With enough of them (and particularly relative to password length) this would leak a lot about your password. For say an 8 character password, do these things ask you to enter more than 4 characters?
On my >10 character passwords (I generally don't use shorter passwords with banking sites, so I don't know how the system behaves for short passwords) they ask for ~11 characters. Of course the login box can, and often ends up, being longer than your actual password, so it doesn't visually reveal the actual character count of your password. In my case they usually end up asking for ~5-7 "real" characters.
I presume a good implementation hashes and salts each "sub-password" separately. Since it's the server that decides which subset it wants, I don't think it reduces the search space, unless the hashing/salting algorithm is vulnerable to differential cryptanalysis (which it may be, I don't know this aspect of state-of-the-art hashing functions).
It's a huge detriment to security. You can break sets of 5-7 characters at a time and combine them instead of having to break the entire password at once.
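An added example, not part of the thread: a sketch of the per-subset hashing scheme the comments above describe, together with what it costs to search each stored subset offline compared with one hash of the whole password. All function names, the iteration count, the 6-symbol alphabet and the password are constructed assumptions.

```python
import hashlib
import hmac
import itertools
import os

ITERATIONS = 2_000  # assumption: kept low so the demonstration finishes quickly

def _digest(positions, chars, salt):
    # Bind the position set into the message so a hash stored for one
    # subset cannot be matched against another.
    msg = (",".join(map(str, positions)) + ":" + chars).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)

def enroll(password, subsets):
    """Store one independently salted hash per position subset."""
    records = []
    for positions in subsets:
        salt = os.urandom(16)
        chars = "".join(password[i] for i in positions)
        records.append((tuple(positions), salt, _digest(positions, chars, salt)))
    return records

def verify(record, chars):
    positions, salt, digest = record
    return hmac.compare_digest(_digest(positions, chars, salt), digest)

def recover_subset(record, alphabet):
    """Enumerate one stored record offline; cost is at most len(alphabet)**k."""
    k = len(record[0])
    for n, combo in enumerate(itertools.product(alphabet, repeat=k), 1):
        if verify(record, "".join(combo)):
            return "".join(combo), n
    return None, len(alphabet) ** k

def audit(records, length, alphabet):
    """Merge per-subset results; return the recovered view and total guesses."""
    known, total = ["?"] * length, 0
    for record in records:
        chars, n = recover_subset(record, alphabet)
        total += n
        for pos, ch in zip(record[0], chars or ""):
            known[pos] = ch
    return "".join(known), total

if __name__ == "__main__":
    alphabet = "abcdef"  # constructed 6-symbol alphabet
    recs = enroll("fadecabe", [(0, 2, 5), (1, 3, 6), (4, 6, 7)])  # constructed password
    print(audit(recs, 8, alphabet), "vs", len(alphabet) ** 8, "for one whole-password hash")
```

With three 3-character subsets the search is bounded by 3 × 6³ = 648 guesses, against 6⁸ = 1,679,616 for a single hash of the full 8-character password; salting each subset separately does not change that bound.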
Seems like a tradeoff. What's more likely - that a bank loses its password database, or that some customers find themselves infected with keyloggers?
Also in any bank that's even remotely sane this is just one leg of a 2FA; often a kind of a "delayed" 2FA - where one factor is enough to get you mostly "read-only" access, and any important changes or wiring actual money requires one-time SMS codes.
Any bank that's remotely sane with regards to website security (probably rather few of them) doesn't do this at all and uses standard forms of 2FA. This one doesn't even protect against keyloggers, because they can combine the characters from multiple logins to get the full password (guessing the remaining ones if necessary) and because the password might be reused somewhere else, and they try this at the expense of user convenience (counting characters is annoying) and security in the event of a leak involving password hashes (if they hashed them at all).
I understand what you are saying, but I suspect that fb doesn't store multiple hashes but just recomputes the hash entered a couple of times on failure.
I agree that they probably haven't hashed the password. Any time that I complain about this sort of thing the company agent usually doesn't know what I'm talking about.
I think GP is referring to the practice of asking you to type some amount of random characters from your password. It seems to be popular with banks nowadays. The field looks like this:
[ ][X][X][ ][X][X][ ][X][ ][X][X][ ][ ][X][ ]
(you enter characters in the blanks)
The idea is supposedly to protect people from keyloggers. But the side effect is that more sophisticated passwords get excruciatingly annoying to type in.
Could you explain how this works? I've never run into this and I'm curious as to what it solves / they claim it solves.