• (cs)

    TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.

    I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than it "feels" more secure to anyone who knows nothing about security.

  • (cs) in reply to Voodoo Coder
    Voodoo Coder:
    Not a resident of Giggleswick:
    Have you ever actually looked at English place names? "Piggly Wiggly" would be mildly pedestrian.

    Check http://www.englishplacenames.co.uk/.

    Hence my comment. You should read it sometime.

    (You are aware that Piggly Wiggly was (no longer operating I believe) a US supermarket chain, correct? From your response, you seem to have completely missed what I was saying...by a lot)

    Apparently Still Active

    Edit: Beaten to it again sigh

  • (cs) in reply to RobFreundlich
    RobFreundlich:
    Please, please, please tell me that the database has a one-way hash of the password, plus the length in a separate field, rather than the actual plaintext password.

    I seriously doubt it - they couldn't ask for partial passwords if they did.

    However, I think your password is probably one of the least important parts of information that your bank is holding about you, and doing one way hashes on your bank account balance might lead to a few difficulties...

  • More (unregistered) in reply to campkev
    campkev:
    TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.

    I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than it "feels" more secure to anyone who knows nothing about security.

    Please tell me you are not serious.

    I'll repeat what Mr. B said (slightly modified): I see your "look over the shoulder attack" and raise you a keylogger.

  • (cs) in reply to JC
    JC:
    Quote: "I saw this at a supermarket in Sainsbury, UK," Robert Hugh Adams writes

    Did he really write that? I doubt it. I'm pretty sure he said "I saw this at Sainsbury's in the UK".

    And don't give me "Oh, the American editor doesn't know British supermarkets". It's called research, it takes but a second, and it's the job of an Editor.

    Yes, what a tragedy! I'd demand my money back if I were you.

  • (cs) in reply to Andy Wilson

    9 does not equal 6, even for very low values of 9.

  • (cs) in reply to Hans
    Hans:
    waitrose, ftw
    While their stuff is nice, going there a lot does tend to indicate that you have (had?) too much money.
  • Leo (unregistered) in reply to More
    More:
    campkev:
    TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.

    I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than it "feels" more secure to anyone who knows nothing about security.

    Please tell me you are not serious.

    I'll repeat what Mr. B said (slightly modified): I see your "look over the shoulder attack" and raise you a keylogger.

    No string bets.

  • (cs) in reply to More

    um, a keylogger doesn't log individual characters?

  • (cs) in reply to campkev
    campkev:
    um, a keylogger doesn't log individual characters?

    Whadda ya gonna do with em?

    The keylogger doesn't know where the values fall in the password...it just knows three characters that are in your 6+ character password. It doesn't know which ones...so by the time you use those to figure it out, you've exhausted your login attempts.

  • (cs) in reply to Voodoo Coder
    Voodoo Coder:
    campkev:
    um, a keylogger doesn't log individual characters?

    Whadda ya gonna do with em?

    The keylogger doesn't know where the values fall in the password...it just knows three characters that are in your 6+ character password. It doesn't know which ones...so by the time you use those to figure it out, you've exhausted your login attempts.

    That would imply that they ask for different characters every time. Which would mean they DON'T have the password stored in a one-way hash.

  • Anonymous (unregistered) in reply to campkev
    campkev:
    TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.

    I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than it "feels" more secure to anyone who knows nothing about security.

    LloydsTSB online banking makes you choose a password AND an additional piece of "memorable information" (which has different validation rules to your regular password, if I remember correctly). They then make you enter your password AND three characters of your memorable information whenever you log in. I have noticed that there are certain letters they never ask for - in other words, you could never work out every character of the memorable information by watching multiple logins. I would argue that this is a considerable increase in security over a password alone. However, the key point here is that your password and your "memorable information" are different. In essence, you have two passwords and one of them is never requested in full. This all makes for a highly secure system.

  • (cs) in reply to Voodoo Coder
    Voodoo Coder:
    The keylogger doesn't know where the values fall in the password...it just knows three characters that are in your 6+ character password. It doesn't know which ones...so by the time you use those to figure it out, you've exhausted your login attempts.

    Note that (if it's like the Natwest system) it does only ask for the password letters in order, so with enough sets of data (and knowing that they're all on the bank login page) you could create the original password without too much difficulty, but it requires lots of sets of data to do this, compared with just one set of data if the bank simply asks for the password.

    Strangely, restricting the number of used characters actually makes this harder to do, just using 20 random 'a' or 'b's makes it much harder than using 20 different characters.

  • (cs) in reply to campkev
    campkev:
    That would imply that they ask for different characters every time. Which would mean they DON'T have the password stored in a one-way hash.

    Yes, they ask for different characters every time.

    Why should they store the password as a one-way hash?

    That only helps if some malicious person has access to the database. If someone malicious has access to the bank's database, they've got much bigger problems than someone being able to see what your password is.

    If Joe Hacker says 'Ooh, I've gained access to HSBC's database, let's see what campkev's password is', then they are seriously lacking in imagination...

  • (cs) in reply to Anonymous
    Anonymous:
    LloydsTSB online banking makes you choose a password AND an additional piece of "memorable information" (which has different validation rules to your regular password, if I remember correctly). They then make you enter your password AND three characters of your memorable information whenever you log in. I have noticed that there are certain letters they never ask for - in other words, you could never work out every character of the memorable information by watching multiple logins. I would argue that this is a considerable increase in security over a password alone. However, the key point here is that your password and your "memorable information" are different. In essence, you have two passwords and one of them is never requested in full. This all makes for a highly secure system.

    This is different from the system in the article, and yes, I would agree that it is more secure. Of course, the not asking for a particular character is kind of pointless. If they never ask for it, then the bad guys don't need it.

  • (cs) in reply to pscs

    It depends on how Joe Hacker got access to the database, now doesn't it. Did he get the database from a backup off of a stolen developer's laptop? Or did he somehow get access to the live database? In the second case, I agree with you, it makes no difference. However, in the first case, he can take an unencrypted password and log in as me and start transferring money out.

  • (cs) in reply to Anonymous
    Anonymous:
    LloydsTSB online banking makes you choose a password AND an additional piece of "memorable information" (which has different validation rules to your regular password, if I remember correctly). ... In essence, you have two passwords and one of them is never requested in full. This all makes for a highly secure system.

    And the one that's never requested in full is probably stored in plaintext, which negates the security.

  • (cs) in reply to campkev
    campkev:
    It depends on how Joe Hacker got access to the database, now doesn't it. Did he get the database from a backup off of a stolen developer's laptop? Or did he somehow get access to the live database? In the second case, I agree with you, it makes no difference. However, in the first case, he can take an unencrypted password and log in as me and start transferring money out.

    OK, but if he got it from a backup off a stolen developer's laptop, you still have the fact that he now knows all the names and addresses of people with lots of money in their accounts...

    Of course, no one would ever lose a laptop with an important unencrypted database on, would they!

    The fact is that it is MUCH, MUCH more likely that a home user will have a keylogger on their PC, or will be daft enough to access their bank from an Internet cafe/kiosk, than that a bank would let a developer put a copy of a live database onto their laptop...

  • (cs) in reply to pscs
    pscs:
    Why should they store the password as a one-way hash?

    That only helps if some malicious person has access to the database. If someone malicious has access to the bank's database, they've got much bigger problems than someone being able to see what your password is.

    From the bank's perspective, that's true. But I'd prefer to not give my password to the people the bank has decided aren't malicious - sysadmins, DBAs, random employees who have database access through some WTF, ...

    Yes, if they have database access, they can get to my bank info at that bank without needing my password. But what about all of the other places where I've used that same password, or a variant of it? Yes, I know, I should use a different password for every single site that wants one. But this is the real world, and in the real world there are too many sites, and my wife and I share access to them. So having totally unique passwords per site is not realistic.

    Because of that, every software product I've ever developed has had a strict requirement that passwords should never be stored in plaintext. Ever. In some cases, there were even requirements about how long a plaintext password could be kept in memory.

  • Zerbs (unregistered) in reply to stokessd
    stokessd:
    Is it just me, or does the MIT credit union chick have a giant sasquatch foot?
    Actually it looks like they've blurred her 2 feet together for some reason. At least I'm not the only one that noticed something was wrong there.
  • Anonymous (unregistered) in reply to RobFreundlich
    RobFreundlich:
    Anonymous:
    LloydsTSB online banking makes you choose a password AND an additional piece of "memorable information" (which has different validation rules to your regular password, if I remember correctly). ... In essence, you have two passwords and one of them is never requested in full. This all makes for a highly secure system.

    And the one that's never requested in full is probably stored in plaintext, which negates the security.

    This is only true if you can hack into LloydsTSB's backend in the first place. Good luck with that.

  • (cs) in reply to operagost

    Hehe... penetrating the backend.

    operagost:
    The real WTF is "per each". It's simply redundant and wrong. If the issue is a computer system that requires a unit for the item and automatically prefixes "per", then simply use "unit" or "item" for single, nonmeasured items. I guess I'm asking too much out of grocery store workers who hate their jobs.
    My guess is each item has a unit (kg, box, bottle, etc), with "each" being the default. For some reason it's failed to realize that the price per unit isn't valid for "each" and printed it anyway, and that field was NULL, which converts to NaN. Perhaps someone decided to manually type in "each" as a custom unit instead of selecting it from a menu.
  • (cs) in reply to RobFreundlich
    RobFreundlich:
    From the bank's perspective, that's true. But I'd prefer to not give my password to the people the bank has decided aren't malicious - sysadmins, DBAs, random employees who have database access through some WTF, ...

    The passwords are probably stored using two way encryption, just not a one way hash.

    Anyway, using the same password for your bank as for anyone else is a huge WTF... I use the same passwords for lots of places, but the bank has something totally different. If you use the same password for your bank, then you are relying on every place you use that password to not store it in plain text anywhere (including logs). Doing that with a bank password is just foolhardy.

    I have 3 main passwords, an easy one for those sites which don't really need a password (eg forums etc), and a couple of harder ones for shopping websites (depending on whether they store my card details). On top of that, each online bank I use has a totally different (and much longer) password.

  • Bryan (unregistered) in reply to campkev
    campkev:
    Anonymous:
    LloydsTSB online banking makes you choose a password AND an additional piece of "memorable information" (which has different validation rules to your regular password, if I remember correctly). They then make you enter your password AND three characters of your memorable information whenever you log in. I have noticed that there are certain letters they never ask for - in other words, you could never work out every character of the memorable information by watching multiple logins. I would argue that this is a considerable increase in security over a password alone. However, the key point here is that your password and your "memorable information" are different. In essence, you have two passwords and one of them is never requested in full. This all makes for a highly secure system.

    This is different from the system in the article, and yes, I would agree that it is more secure. Of course, the not asking for a particular character is kind of pointless. If they never ask for it, then the bad guys don't need it.

    Exactly. It doesn't matter how long your password can be if an attacker only needs 3 digits of it.

    Using other things the account owner knows, like digits of their PIN number or letters from their favorite pet's name, makes absolutely no difference. Their original password could have just as easily been a concatenation of this information.

    It doesn't matter where they come from; 3 digits, 6 digits or 9 digits are still just that. You can keylog or shoulder-surf that information just as easily as a traditional password. If you have a software keylogger in place, you could easily be capturing packets or the browser cache as well, so you would know which digits were entered if it does change. Even with only one session captured, if you go visit that bank website once a day until it asks for the same digits, you're in.

    I agree with the person who said this scheme only feels more secure to users who don't understand security.

  • BEF (unregistered)

    Am I missing something?

    You've forgotten your PIN or your password. Suggested solution -- re-register which requires that you know... your PIN AND your password. Genius!

    Side note -- it says it's a password for TELEPHONE banking so doesn't it have to be available to the telephone operators? So a one-way hash wouldn't work.

  • (cs) in reply to Anon
    Anon:
    Mark G:
    "I saw this at a supermarket in Sainsbury, UK," Robert Hugh Adams writes, "beyond the fact that I didn't quite expect to find silicon chips alongside the spuds, I think something's one less than expected!"

    Are you sure that isn't Sainsbury's supermarket in the UK? (sainsburys.co.uk)

    That was my thought too. TRWTF is Alex not understanding the submission. Fancy somebody from Cleveland not knowing the names of all British supermarket chains. For shame.

    The issue is that it was edited as such. The original material was (we presume) correct, the editor made it wrong. That's a big mistake. I wouldn't expect an American to know British supermarkets, but I'd expect them to realise that "Sainsbury's" might be a business name not a place name, and thus to leave the text alone.

  • (cs) in reply to More
    More:
    campkev:
    TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.

    I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than it "feels" more secure to anyone who knows nothing about security.

    Please tell me you are not serious.

    I'll repeat what Mr. B said (slightly modified): I see your "look over the shoulder attack" and raise you a keylogger.

    Reraising to keylogger that also takes screenshots. Many do.

  • Anonymous (unregistered) in reply to m0ffx
    m0ffx:
    More:
    I see your "look over the shoulder attack" and raise you a keylogger.
    Reraising to keylogger that also takes screenshots. Many do.
    Wake up guys, if your local machine is compromised with malware then no amount of server side security is going to save you. All remote security relies on the assumption that the client machine is not under the control of malicious users. If you've got keyloggers and malware on your box, then your machine is under the control of malicious users. Server side security cannot possibly save you under these circumstances.
  • Anonymous Coward (unregistered) in reply to Mr B
    Mr B:
    I see your brute-force attack and raise you a keylogger.

    I see your keylogger, and raise suspicions as to who the heck put a keylogger on my computer!

  • (cs) in reply to Matt
    Matt:
    There's nothing wrong with 27-hour days...

    http://www.theonion.com/content/news/struggling_americans_forced_to

    I found a WTF trying to open this link. My company blocked it as R-Rated. I was curious, was it just the article that was NSFW? Nope: [image]

  • OldCoder (unregistered) in reply to ThomsonsPier

    ThomsonsPier:
    JC:
    they were hurtling down the M4 around J8.
    Hurtling? I used to commute that way. The word you seek is 'crawling'.

    Actually, M4 J8/9 is a whole WTF in itself. It's the only junction in the UK motorway network that has two numbers (on the same motorway, that is. I know where motorways cross they have different numbers) and the A404(M) which goes off it has only two junctions, numbered 9A and 9B. See http://pathetic.org.uk/current/a404m/ for details. In a subsequent life, I used to be a courier. That area drove me crazy.

  • (cs) in reply to pscs
    pscs:
    OK, but if he got it from a backup off a stolen developer's laptop, you still have the fact that he now knows all the names and addresses of people with lots of money in their accounts...

    Of course, no one would ever lose a laptop with an important unencrypted database on, would they!

    The fact is that it is MUCH, MUCH more likely that a home user will have a keylogger on their PC, or will be daft enough to access their bank from an Internet cafe/kiosk, than that a bank would let a developer put a copy of a live database onto their laptop...

    You are missing one of the big advantages of a one-way hash. It not only protects the customer, it protects the bank. Customer is dumb enough to have his password stolen either through malware or just being dumb enough to write it down and lose it. He then claims that he didn't write it down and has no malware on his computer and is trying to blame an employee of the bank. Or bad guy who gets caught has a grudge against someone at the bank and "rolls over" on him to get a lighter sentence or just take someone else down with him. Life is a whole lot simpler when you can say, "Sorry, we don't even have access to your password ourselves."

  • (cs) in reply to Not a resident of Giggleswick, but I wish I were
    Not a resident of Giggleswick:
    "Piggly Wiggly" would be mildly pedestrian.
    As opposed to ragingly pedestrian, I suppose.
  • Septics Suck (unregistered) in reply to JC
    JC:
    Quote: "I saw this at a supermarket in Sainsbury, UK," Robert Hugh Adams writes

    Did he really write that? I doubt it. I'm pretty sure he said "I saw this at Sainsbury's in the UK".

    And don't give me "Oh, the American editor doesn't know British supermarkets". It's called research, it takes but a second, and it's the job of an Editor.

    Reminds me of the chuckle I got the other day watching one of those stupid cop clip shows where the American narrator says "This clip comes from Thames, England". I assume he didn't mean the river, but he must have heard of it and not heard of the Thames Valley as they were hurtling down the M4 around J8.

    Or the American News Anchor who announces a story from Australia. The reporter begins by explaining they are in a town in New South Wales (a state in Australia - in fact the state Sydney is in, so hardly an obscure fact). Once the clip is finished, the Anchor points out to the audience "That story was in fact from New South Wales, and not from Australia."

  • Huh? (unregistered) in reply to RobFreundlich
    RobFreundlich:
    pscs:
    Voodoo Coder:
    What if your password is 6 characters?

    Yes, but by then you've entered your username/account number/whatever, so it knows how long your password is.

    Please, please, please tell me that the database has a one-way hash of the password, plus the length in a separate field, rather than the actual plaintext password.

    How's that gonna work?

    Wouldn't it need your ENTIRE password to recreate the hash (if it used one)?

    <TROLL!!!!> Maybe they've hashed each character individually. </TROLL!!!!>

  • Johnno (unregistered) in reply to Mr B
    Mr B:
    Bryan:
    TRWTF is why the bank doesn't ask for your entire password.

    If the bank had you enter your entire password, which could be up to 20 characters long, it could simply compare a hash, and a brute force attack on your password would have at least (26 + 10) ^ 20 = 13,367,494,538,843,734,067,838,845,976,576 possible passwords to try. That's if the password isn't case sensitive.

    If they only ask you for 3 characters from your password, an attack only has 46656 possibilities to try.

    They can ask for only 3 without storing the plaintext if it's the same 3 characters every time (worst case).

    They can at least rotate which characters you're prompted for, hopefully randomly, if they do store the whole plaintext.

    I see your brute-force attack and raise you a keylogger.

    I see your Keylogger, and take some happy snaps of your screen....

    As for CAPTCHA - I almost always seem to have seen the ones people always come up with, and have almost always thought similar things to what they do. I guess I'm not all that original after all....(I'm unique - just like everybody else)

  • Bill (unregistered) in reply to Voodoo Coder
    Voodoo Coder:
    campkev:
    um, a keylogger doesn't log individual characters?

    Whadda ya gonna do with em?

    The keylogger doesn't know where the values fall in the password...it just knows three characters that are in your 6+ character password. It doesn't know which ones...so by the time you use those to figure it out, you've exhausted your login attempts.

    But assuming you don't find the keylogger over some period of time, and that the bank always asks for the earliest character first, you can start to build up likely combinations.

    That being said, people who want to steal your bank information have learnt that hacking a large network is more profitable - they can potentially get LOTS of bank information. A (standalone) home computer is of little interest to them. (Consider how many people do banking at work - sure it's (supposed to be) harder for hackers to get in, but the rewards are far greater.)

    Frankly, if you're not running software to find and remove loggers and screen dumpers then you can't really complain. The best security a bank can have are the remote tags that generate a session code (my bank will send something to my mobile for change of detail 'transactions'). Someone then needs to know your details AND steal your token/phone....

  • BINGO (unregistered) in reply to BEF
    BEF:
    Am I missing something?

    You've forgotten your PIN or your password. Suggested solution -- re-register which requires that you know... your PIN AND your password. Genius!

    Side note -- it says it's a password for TELEPHONE banking so doesn't it have to be available to the telephone operators? So a one-way hash wouldn't work.

    I don't think banks really understand telephone passwords. When I created one with my bank, they never asked me how to spell it - yet each time since then they have. How do I spell a password that I didn't spell in the first place? The spelling SHOULD be irrelevant. This means the operator shouldn't have to enter it into their terminal, rather it should appear on screen with the rest of your information - you just have to pray that the person who originally entered your verbal password and the person now requesting it are on the same wave-length (try using something like lieutenant in places where some people pronounce it 'left-tennant')...Never really understood the point of verbal passwords.

    As for encrypting the password, if it really is necessary, then even reasonably weak encryption may suffice. Unlike with encrypted text in large chunks, the frequency of letters in passwords is not the same as in normal English (vowels score much lower). While I wouldn't use a simple shift cipher, it would probably be sufficient to have a string of 10 (or more - less than 26 in this case) characters, and 'add' the password to the first n of these characters (repeating them if necessary). Frequency attacks would be hindered not only by the extra options (numbers, both upper and lower cases and special chars), but also by the fact that the frequency distribution of letters is greatly changed from the norm (although I'd say something like @ would be a VERY frequent character)

  • mane (unregistered) in reply to Anonymous
    Anonymous:
    m0ffx:
    More:
    I see your "look over the shoulder attack" and raise you a keylogger.
    Reraising to keylogger that also takes screenshots. Many do.
    Wake up guys, if your local machine is compromised with malware then no amount of server side security is going to save you. All remote security relies on the assumption that the client machine is not under the control of malicious users. If you've got keyloggers and malware on your box, then your machine is under the control of malicious users. Server side security cannot possibly save you under these circumstances.

    So why do they try? Password entered in a text box should suffice. Why do banks require clicking patterns (or changing keyboards) on the screen. Why do they appear to spend so much time to appear secure - multiple failure=logout to combat brute force, this sort of stuff to avoid loggers, etc...

    Maybe people are right - so that the customer has a SENSE of security, rather than actually having security.

    I can detect how much light is coming off the monitor from a distance and work out what's on the screen from there....

  • Someone (unregistered)

    TRWTF is that the title for this story is "Sooo Jealous " (note the extra space).

  • Irving (unregistered) in reply to BINGO

    Oh wow.

    I don't think you really understand passwords, security, or cost-effectiveness in relation to business.

    Please, please, please be a troll (especially regarding 'The spelling SHOULD be irrelevant,' 'it should appear on screen with the rest of your information,' and the whole encryption weirdness).

  • Blockhead (unregistered) in reply to Irving
    Irving:
    Oh wow.

    I don't think you really understand passwords, security, or cost-effectiveness in relation to business.

    Please, please, please be a troll (especially regarding 'The spelling SHOULD be irrelevant,' 'it should appear on screen with the rest of your information,' and the whole encryption weirdness).

    I assumed he meant it should appear on the screen of the bank person, not the user (who is on a telephone, not a computer)...

    But strange, nonetheless

  • Wireghoul (unregistered) in reply to pscs
    pscs:
    Voodoo Coder:
    What if your password is 6 characters?

    Yes, but by then you've entered your username/account number/whatever, so it knows how long your password is.

    You'd be complaining if your password could be between 6 and 20 characters, but it only ever asked you for the first 6 characters!

    So a malicious attacker would repeatedly supply the username and be told how long the password he needs to crack will be. Convenient!
  • Anone (unregistered)

    I think the point is that he provided the password verbally when it was being set up without being asked for the spelling. Now he's being requested to spell it while using it, he's relying on the person who originally entered it to have spelt it correctly (considering that he has apparently managed to do this several times, I'd assume this was the case). This is a stupid way of going about things.

    I think the problem is probably with not being asked to spell it originally though. If that was by design and the screen displayed the password to cope for it, it would be potentially possible for a charismatic malicious person to trick their way into using the right password.

  • Matt (unregistered)

    Did anyone else pick up that asking a user to enter the Nth character of a password guarantees that the bank is storing passwords in cleartext?

  • unlikely (unregistered) in reply to RobFreundlich

    Must be a pretty special one-way hash algorithm if it can get the same result from both the full password, and only three letters thereof. (Or else it only stores three letters of the password?)

    At best, the three letters are stored in something you could almost certainly rainbow-table in a hurry.

  • Some One (unregistered) in reply to Matt
    Matt:
    Did anyone else pick up that asking a user to enter the Nth character of a password guarantees that the bank is storing passwords in cleartext?

    While it suggests that, it doesn't guarantee it....

    They may hash each character (or append something to it and then hash it).

    They might be enciphering using basic encryption (substitution, shift, etc).

    Expensive, but not impossible.

  • Fred Bob (unregistered) in reply to Some One
    Some One:
    Matt:
    Did anyone else pick up that asking a user to enter the Nth character of a password guarantees that the bank is storing passwords in cleartext?

    While it suggests that, it doesn't guarantee it....

    They may hash each character (or append something to it and then hash it).

    They might be enciphering using basic encryption (substitution, shift, etc).

    Expensive, but not impossible.

    Not even expensive if it's simple encryption.

    I suppose you start to consider why you encrypt/hash things (as mentioned by a plethora of people before me). Given the pin is (presumably) hashed, they can verify that the user knew the pin, so there is little fear that someone inside the bank is playing shonks.
    If someone breaks their system to get a plaintext password, they would probably be able to get into far more interesting information than account details - in fact, they're probably in far enough to do everything a password would allow them to - and more.
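An added example (not code from any commenter or bank) covering two points argued above: Some One's suggestion that a bank could hash each character separately, which unlikely notes would fall to a lookup table in a hurry, and pscs's and Bill's point that rotating which positions are asked only delays an attacker who can observe several logins. The per-position store, the 36-symbol alphabet from Mr B's arithmetic and the user "alice" are constructed for this illustration.

```python
import hashlib
import hmac
import os
from math import comb

# Letters plus digits, the 36-symbol alphabet Mr B's numbers assume (constructed here).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


class PerPositionStore:
    """Hypothetical partial-password store: one salted SHA-256 digest per character
    position, so the server can check 'characters 2, 5 and 8' without keeping the
    plaintext. Built for this example; it is not any bank's real scheme."""

    def __init__(self):
        self._records = {}  # username -> (salt, [digest for each position])

    @staticmethod
    def _digest(salt, position, char):
        return hashlib.sha256(salt + position.to_bytes(1, "big") + char.encode()).digest()

    def enrol(self, username, password):
        salt = os.urandom(16)
        digests = [self._digest(salt, i, c) for i, c in enumerate(password)]
        self._records[username] = (salt, digests)

    def verify(self, username, answers):
        """answers maps 0-based position -> character the user typed for it."""
        salt, digests = self._records[username]
        ok = True
        for position, char in answers.items():
            if position >= len(digests):
                ok = False  # keep checking the rest; no early exit on bad input
                continue
            ok &= hmac.compare_digest(digests[position], self._digest(salt, position, char))
        return ok

    def offline_recovery(self, username, alphabet=ALPHABET):
        """What a stolen record reveals: each position is independent, so it falls
        to at most len(alphabet) hash evaluations, whatever the password length."""
        salt, digests = self._records[username]
        recovered = []
        for position, digest in enumerate(digests):
            for guess in alphabet:
                if self._digest(salt, position, guess) == digest:
                    recovered.append(guess)
                    break
            else:
                recovered.append("?")  # character outside the tried alphabet
        return "".join(recovered)


def guess_space(alphabet_size, chars_requested):
    """Online guesses needed to exhaust a prompt asking for this many characters
    (36 ** 3 == 46656, against 36 ** 20 for the full password)."""
    return alphabet_size ** chars_requested


def expected_logins_to_reveal_all(n, k):
    """Expected number of observed logins, each prompting k distinct positions chosen
    uniformly at random out of n, until every position has been seen at least once.
    Markov chain on j = number of positions already revealed; expected[j] is the
    number of further logins needed from state j."""
    total = comb(n, k)
    expected = [0.0] * (n + 1)  # expected[n] == 0: nothing left to learn
    for j in range(n - 1, -1, -1):
        acc = 1.0
        for m in range(1, min(k, n - j) + 1):  # m previously unseen positions this login
            p = comb(n - j, m) * comb(j, k - m) / total
            acc += p * expected[j + m]
        p_none = comb(j, k) / total  # login showed only positions already known
        expected[j] = acc / (1 - p_none)
    return expected[0]


if __name__ == "__main__":
    store = PerPositionStore()
    store.enrol("alice", "s3cretpw")
    print("partial check:", store.verify("alice", {1: "3", 4: "e", 7: "w"}))
    print("record leaks:", store.offline_recovery("alice"))
    print("online space for 3 chars:", guess_space(36, 3))
    print("logins to see all of a 6-char password, 3 per prompt:",
          round(expected_logins_to_reveal_all(6, 3), 2))
```

The per-position record is only nominally hashed: 36 guesses per position recover the whole password, while a hash of the full password would need 36^n guesses, and about 4.3 observed logins suffice to see every position of a 6-character password when 3 random positions are asked each time.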

  • Irving (unregistered) in reply to Blockhead

    I assumed he meant it should appear on the screen of the bank person, not the user (who is on a telephone, not a computer)...

    And there are very good reasons for the bank person not seeing it, too. That was my point there.

  • WackyD (unregistered)

    I think the screenshot of Ulster Bank is a particularly generous one. I know I've tried to log on and I've been asked for the 5th, 1st and 10th digits of my password, effectively meaning you have to go through your password three times for a single log on; get it wrong twice and you're locked out and have to go through quite a painful process to get your account unlocked. I really think it's one of those log on systems that you have to see in action to believe.
