Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Some financial websites that I use use passwords in a peculiar way. Instead of a

ID: 660284 • Letter: S

Question

Some financial websites that I use use passwords in a peculiar way. Instead of asking me the whole password string, they only ask me to enter e.g. "3rd, 5th and 8th character of your password", i.e. a random permutation of the password string.

I think this would make sense if it's done using a shared random number table etc. But this is a password. In order to do this, they'd have to either store my password without hashing, or store the hashes for all the combinations they want to ask, which also sound bad. Am I right to think that this is a fairy bad security practice?

Explanation / Answer

This is very bad practice. Passwords today MUST be hashed to cover the possible loss of the password database. The fact that individual elements of the password can be used for authentication means that a reversible encryption is being used instead of hashing, as TP already indicated. This is bad because if both the database AND the encryption key is stolen, then ALL the passwords are lost. Hashing (with strong passwords) makes this impossible. At least the folks that USE strong passwords are safe if the passwords are hashed.

I believe that the reason that some institutions encrypt instead of hash is that the full password may be needed in the backend for some purpose, such as further authentication. Some sites use the last 4 digits of the password as a "security question" when the help desk is contacted. But this is a horrible reason, and is probably done since the security question approach that most reputable sites use has not yet been implemented.

I have even seen the actual password show up in my email when I have had to request a reset - it is more complicated to implement a password reset via email then request a new password, than just emailing the password! The bottom line is that it is easier to just keep the password encrypted (or even in the clear) and use it for other purposes than to just implement a password reset mechanism to prompt for a new password.

Another reason this is bad is that most folks that care about passwords today just use a password manager. Requiring individual elements of a strong password is error prone and much more difficult that just using a secure password manager.

Finally, in cases where weak passwords are commonly used, encryption with as strong key can be safer than hashing, since weak password hashes can quickly be cracked today. But in this case, hashing AND encrypting is preferred, not just encrypting.

Related Questions

Some database and spreadsheet packages can save-files with comma-separated value
Question #3851759
Some days ago I got the following code from Norman David Jones: Alt-F11 to open
Question #3563344
Some days ago I noticed that YouTube knows the videos I watched even though I de
Question #659961
Some days the parking garage on campus is full, often due to sporting events. Th
Question #3390770
Some detailed information on how to solve this would be super helpfull, thanks.
Question #3879632
Some developing nations want to \"catch up\" with the West in terms of economic
Question #3466533
Some diabetics must take insulin via injections. If a diabetic does not take eno
Question #1066666
Some digital system questions. Please help. NAND gates must be used to produce a
Question #1813120
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Some financial instruments can have both debt and equity features. The most comm
Next
Some five courses are offered on campus in a semester. The group of students who

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.