
Got this when requested to enter my password. How is something like this enhancing security? Is it each time taking a random set of index locations and comparing its hash against a database?


cyzczy
    Hard to say, but it is possible to implement partial password checks securely, but it's easier to implement them insecurely. However, if your password length is revealed in this, it might actually be providing extra information to an attacker. – Matthew May 18 '17 at 11:25
  • @Matthew I did a quick search for "securely implement partial password checks" (which caused me to find the possible duplicate). Do you have examples, or the names of known algorithms that implement these securely? I'd be interested in learning more. – S.L. Barth May 18 '17 at 11:38
    @S.L.Barth Not specifically an algorithm, but if you have a HSM which enforces write-only for password strings, and a checking function which specifically requests the same characters until provided, an attacker wouldn't have any easy way to obtain the full password. Combine this with a rate restriction and account lockout, and you end up with a scenario where an attacker can make a limited number of guesses against a limited subset of the full password, which is probably better than an unlimited number of guesses against the password's hash, in the long term. Not cheap to implement though. – Matthew May 18 '17 at 12:47

1 Answer


It is a kind of challenge-response protocol, which means that if an eavesdropper manages to read the communication, they'll only have part of the password.
In the same way, it offers a little protection against shoulder surfing.

Whether this really enhances security is open for debate. Eavesdropping should be prevented by proper use of TLS.

One drawback is that the server must know at least part of the plaintext password. Or hashes of several parts of the password, which effectively splits a long password in several smaller ones that are easier to brute-force.

Also, as @Matthew points out in their comment, this might give away the length of the password to an attacker, if the password interface is poorly implemented.

I'm generally in favor of challenge-response protocols for authentication and identification, but this seems a poor implementation of one.

S.L. Barth
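As an added illustration (not code from the question or the answer above), the following toy model shows both points the answer makes: a server that stores a hash for every 3-position subset of the password can answer any "characters 2, 5 and 9" challenge without keeping the plaintext, but each stored entry then protects only 26^3 combinations, so a leaked store is rebuilt into the whole password in a few tens of thousands of hash evaluations instead of 26^12; and a passive observer of successful logins learns the whole password one subset at a time. Assumptions: lowercase-only passwords, three positions per challenge, and a salted SHA-256 in place of a slow password hash (a slow KDF changes the constants, not the ratio between the two attacks). The password and salt are constructed sample values.

```python
import hashlib
import hmac
import itertools
import random
import string

ALPHABET = string.ascii_lowercase  # assumption: lowercase-only passwords
K = 3                              # characters requested per challenge


def subset_hash(salt: bytes, positions: tuple, chars: str) -> str:
    # Bind the positions into the hash so the same three letters at
    # (0,1,2) and at (3,4,5) do not produce identical stored entries.
    msg = salt + bytes(positions) + chars.encode()
    return hashlib.sha256(msg).hexdigest()


def enroll(password: str, salt: bytes) -> dict:
    """Server-side storage: one hash per K-subset of positions, so the
    server can check any challenge without keeping the plaintext."""
    n = len(password)
    return {
        pos: subset_hash(salt, pos, "".join(password[i] for i in pos))
        for pos in itertools.combinations(range(n), K)
    }


def challenge(n: int, rng: random.Random = None) -> tuple:
    """Pick K distinct positions to ask for (sorted to match the store keys)."""
    rng = rng or random.Random(0)
    return tuple(sorted(rng.sample(range(n), K)))


def verify(store: dict, salt: bytes, positions: tuple, answer: str) -> bool:
    """Server check of the client's answer for the challenged positions."""
    expected = store[positions]
    return hmac.compare_digest(expected, subset_hash(salt, positions, answer))


def recover_from_store(store: dict, salt: bytes, n: int) -> tuple:
    """Offline attack on a leaked store: brute-force each covering subset
    separately (26**K candidates each) and stitch the password together.
    Returns (recovered_password, hashes_computed)."""
    recovered = [None] * n
    work = 0
    targets = []
    for start in range(0, n, K):
        pos = tuple(range(start, start + K))
        if pos[-1] >= n:                       # tail shorter than K: overlap
            pos = tuple(range(n - K, n))
        targets.append(pos)
    for pos in targets:
        for cand in itertools.product(ALPHABET, repeat=K):
            work += 1
            if subset_hash(salt, pos, "".join(cand)) == store[pos]:
                for i, c in zip(pos, cand):
                    recovered[i] = c
                break
    return "".join(recovered), work


def full_bruteforce_cost(n: int) -> int:
    """Candidates an attacker must try against a hash of the whole password."""
    return len(ALPHABET) ** n


def eavesdrop(password: str, rounds: int, rng: random.Random = None) -> int:
    """A passive observer of `rounds` successful logins learns the characters
    at every challenged position; returns how many of the n are known."""
    rng = rng or random.Random(0)
    seen = set()
    for _ in range(rounds):
        seen.update(challenge(len(password), rng))
    return len(seen)


if __name__ == "__main__":
    pw, salt = "correcthorse", b"constructed-salt"   # constructed sample values
    store = enroll(pw, salt)
    pos = challenge(len(pw))
    print("challenge", pos, "ok:", verify(store, salt, pos, "".join(pw[i] for i in pos)))
    rec, work = recover_from_store(store, salt, len(pw))
    print("recovered", rec, "with", work, "hashes vs", full_bruteforce_cost(len(pw)))
    print("positions leaked after 10 observed logins:", eavesdrop(pw, 10))
```

The ratio is the point: with a 12-character lowercase password the per-subset attack needs at most 4 × 26^3 = 70,304 hash evaluations, while a single hash of the whole password would cost up to 26^12 ≈ 9.5 × 10^16. Binding the positions into each hash and using a proper salt do not change that; only keeping the checks rate-limited and the store out of an attacker's hands does, which is the HSM-plus-lockout design Matthew describes in the comments.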