
I see various sites using this kind of security(?): [image not available]

Maybe it's only specific to my country (France): I never saw this elsewhere. I have to click on 6 numbers (the passwords generated by this kind of service are only 6 numbers; it was sent in an email and I can't change it), and the ordering of these numbers changes on every refresh.

What is the purpose of this kind of security? Is it secure in any way? I mean, is it more secure than a classic 16-character alphanumeric password without this bunch of buttons and JS code?

"Mot de passe" = "password"

P.S.: I can edit my question if something is unclear, maybe I forgot some context.

rap-2-h
    Possible duplicate of [Does random online keyboard increase security?](https://security.stackexchange.com/questions/163012/) and [What is the idea of passwords with random buttons position](https://security.stackexchange.com/questions/152128/). – Steffen Ullrich Nov 20 '17 at 11:06

2 Answers


Officially, that is an attempt to foil keyloggers. In practice, it is just a way to give the user a sense of security by making them jump through hoops: it doesn't provide any practical improvement to the system's security.

Edit: Just to clarify: providing the user with a sense of security is a very valid design goal as long as the designer knows this and implements real security behind the scenes. For instance, if there is a really secure login scheme implemented but the user never sees it (because it is completely transparent to them), then implementing such security theater tricks will make plenty of economic sense (but it does not improve security).

Stephane

In my view, this has two main purposes:

1- No keylogger can report your password since no keyboard hook is possible (you are not using your native keyboard)

2- No automatic "clicks" could be performed due to the "randomness" of the button positions

Soufiane Tahiri
    1 - Screen capture plus mouse event monitoring and you have the equivalent of the keylogger. 2 - Screen capture plus simple OCR and the randomness is gone: the malware knows where every digit is. This is just a case of *security theater*... – ThoriumBR Nov 20 '17 at 12:40
  • I agree, but it still stops a lot of "basic" malware :) – Soufiane Tahiri Nov 20 '17 at 12:48
  • @SoufianeTahiri Actually, it doesn't. It stops malware written by complete novices, not the serious ones. Banking services are not (and should not be) designed to stop novice attacks but expert attacks. That is why it is purely a case of security theater. – Stephane Nov 20 '17 at 15:32
  • I see what you want to say and I agree :) – Soufiane Tahiri Nov 20 '17 at 15:36