30

In some password-authenticated sites, you are asked to enter a random selection of specific characters from your password rather than the whole word/phrase. For example, it might say 'Enter the 1st, 4th and 8th letter' and provide three separate input boxes.

From what little I know of security mechanisms, I would have expected this to be less secure than entering the whole password, salting + hashing it and comparing it to the stored hash, as there is no plain text anywhere in sight.

This system is used by (hopefully) very secure websites, though, including certain bank sites in the UK.

So my two-part question is, is this as secure as traditional salt/hash comparison and why is it so?

Alex
  • This means that the site is storing the password in plaintext, or else it is impossible to compare and verify the password character-wise. Unless there's a new kind of encryption that I'm not aware of. –  Sep 23 '11 at 09:50
  • Horribly insecure as a password (the whole string needs to be stored somewhere), but useful *in addition* to a real name+password (the user needs to know username, password and the security code, yet even if there's a keylogger, the attacker only gets a part of the security code; the hope is that a different part of the code will be required next time). I know a bank that used this as a 1.5-factor authentication (so to speak), before cellphones were common. – Piskvor left the building Sep 23 '11 at 09:51
  • I'd stay away from such a bank. – Heisenbug Sep 23 '11 at 09:54
  • @Piskvor These characters are admittedly asked for after a previous secret pass is verified (but that is just birthday + 4 digits so _most_ of it could be found if the attacker knows anything about the person). I hadn't thought of the keylogger, though, that's interesting. Could this dual-level authentication be more secure than just a normal salted/hashed pass? –  Sep 23 '11 at 09:56
  • @Jin and Piskvor the password doesn't need to be stored as cleartext, and I really hope it's not. See [Partial passwords - How?](http://www.smartarchitects.co.uk/news/9/15/Partial-Passwords---How.html). –  Sep 23 '11 at 10:12
  • @Piskvor thanks, I'll check the security.SE, didn't realise there was one but should have looked! :) –  Sep 23 '11 at 10:24
  • @captaincomic: Hmmm, that is clever indeed; I'd still be worried about the low entropy of the pass-code, when used by itself (as the article also notes). – Piskvor left the building Sep 23 '11 at 10:42
  • @captaincomic, your scheme is totally insecure, when used with the parameters mentioned in this question. It is storing passwords in an obscure format that is plaintext-equivalent. With your scheme, given a guess at any 3 characters of the password and the data in the database, I can test whether my guess is correct or not. This enables me to find the first 3 letters of the passphrase with a simple brute-force attack (try all possibilities), then find the 4th with another brute-force, and so on. Reversing the database to recover the original passwords will be extremely fast. – D.W. Sep 26 '11 at 02:19
  • It's particularly insecure if it chooses the character positions to ask randomly on each request, since an attacker who doesn't have the whole password (but has enough) can refresh the login page until it requests only characters that they have. (I know of one Irish bank that does this, asking 3 *digits* out of 5, but it combines it with a secret registration number. In this case, if an attacker intercepted only 1 login, they'd have a 10% chance per attempt, of being asked for the digits they had.) Of course, asking the same characters each time makes brute forcing those characters easier. – John B. Lambe Jul 09 '18 at 19:09

3 Answers

39

This method of password entry is popular in bank sites in Poland. It's called masked passwords. It's meant to protect from keyloggers, and keyloggers only. The password transmission itself is protected from sniffing with SSL, so the reasoning is that if a keylogger is installed on the client's device, it will never get access to the full password.

However, this logic has a few flaws:

  1. An attacker needs to enter fewer characters (e.g. only 4 characters, often numbers only) for a single try. Therefore it's easier to brute force this authentication step. That is why masked passwords need to be paired with an account lockout policy.

  2. With just a few known characters at certain positions (e.g. gathered by a keylogger/screengrabber) an attacker can simply try logging in when the server chooses positions he knows and refresh when others are chosen. So often a masked-password implementation stores the position choice for an account server-side for a certain amount of time (e.g. a day) until successful authentication.

  3. Getting to know the whole password only needs capturing a few successful authentications (e.g. when the password length is 12 and there are always 4 positions chosen, it usually takes 8 tries), so a keylogger/screengrabber will get it; it will just take a little bit longer.

  4. The biggest threat for Internet banking authentication is malware (man-in-the-browser attacks) like ZeUS or SpyEye, and this kind of software usually conducts social engineering attacks that totally overcome the masked-password scheme. For example, this software can:

    • ask for a whole password
    • display a fake password change form after fake authentication
    • simulate password entry errors and redisplay the form with other positions to fill to get full password in 2-3 tries

Masked passwords are difficult to handle for users and tricky to implement correctly. At the very least developers need to add an account lockout policy, position choice storage and partial hashes.

Contrary to popular belief, masked passwords, especially in e-banking sites, though they offer protection from basic keylogging, completely fail against other, more prevalent threats like malware utilizing social engineering.

Krzysztof Kotowicz
  • I logged in to one of the Polish banks a minute ago and decided to check how masked passwords can be implemented together with hashing. And then google pointed me to this answer :) – Tomasz Zieliński Oct 27 '12 at 15:01
  • [Bruce Schneier says](https://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html) that _password masking_ refers to the UI practice of showing a row of dots instead of the plaintext password. All of the other 2 [google search results](https://www.google.pl/search?q=masked+passwords) that I studied also adhere to that terminology. – vucalur May 06 '17 at 23:37
  • re:1 implementing a lockout policy is not limited to masked passwords and therefore it's not their flaw re:2 yes, it's additional complexity, but if the attacker knows only certain positions, s/he cannot attack at any time re:3 8 tries is still more than one try, so that's not a flaw :) re:4 providing the whole password is not more secure against malware - again it's not a flaw. So the summary should rather say "The masked password method is a bit more (but not much more) secure than the whole password method at the cost of a bit higher implementation complexity" – marchewek Dec 03 '19 at 20:22
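The three safeguards the answer above says developers must add (per-combination partial hashes, server-side storage of the chosen positions until a successful login, and an account lockout), put together in one small store. This is an added example, not code from the original answer or from any bank's implementation; `MaskedPasswordStore`, `POSITIONS_ASKED`, `LOCKOUT_AFTER` and the PBKDF2 round count are assumptions made for the demo.

```python
import hashlib, hmac, itertools, os, secrets

POSITIONS_ASKED = 4      # assumed: characters requested per login
LOCKOUT_AFTER = 5        # assumed: failed attempts before the account locks
PBKDF2_ROUNDS = 2_000    # kept low for the demo; production uses far more

def _partial_hash(salt, positions, chars):
    # One salted hash per position combination; mixing the positions into the
    # message stops a hash for one combination being reused for another.
    msg = ",".join(map(str, positions)).encode() + b"|" + "".join(chars).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ROUNDS)

class MaskedPasswordStore:
    def __init__(self):
        self.accounts = {}   # in-memory stand-in for the user database

    def enroll(self, user, password):
        # One hash per k-subset of positions (12 chars, 4 asked -> 495 hashes); each
        # covers only charset**4 guesses, which is why lockout is mandatory.
        if len(password) < POSITIONS_ASKED:
            raise ValueError("password too short for the number of positions asked")
        salt = os.urandom(16)
        hashes = {pos: _partial_hash(salt, pos, [password[i] for i in pos])
                  for pos in itertools.combinations(range(len(password)), POSITIONS_ASKED)}
        self.accounts[user] = {"salt": salt, "hashes": hashes, "length": len(password),
                               "pending": None, "failures": 0}

    def challenge(self, user):
        # The chosen positions stay fixed until a successful login, so reloading
        # the page cannot fish for a combination the client already knows (flaw 2).
        acct = self.accounts[user]
        if acct["failures"] >= LOCKOUT_AFTER:
            raise PermissionError("account locked")
        if acct["pending"] is None:
            picked = secrets.SystemRandom().sample(range(acct["length"]), POSITIONS_ASKED)
            acct["pending"] = tuple(sorted(picked))
        return [p + 1 for p in acct["pending"]]  # 1-based, as shown to the user

    def verify(self, user, chars):
        # chars: the characters the user typed, in the order of challenge()'s positions
        acct = self.accounts[user]
        if acct["failures"] >= LOCKOUT_AFTER or acct["pending"] is None:
            return False
        expected = acct["hashes"][acct["pending"]]
        if hmac.compare_digest(expected, _partial_hash(acct["salt"], acct["pending"], chars)):
            acct["pending"] = None   # fresh positions are only drawn after success
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        return False
```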
10

I know one online banking website that asks first for a password (numbers and characters), and then you have to enter with your mouse two digits of a second 6-digit password (numbers only). You are presented with a numpad on the screen and click on the numbers.

The reasoning behind this is that it is (probably) harder for malware to track your mouse movement than it is to log your key presses.

In the above example it's obviously more secure than just a single password.

In the situation that you describe, where one has to enter only specific characters of a password by keyboard, the reasoning could be that if someone logs or phishes your input he still doesn't have your whole password.

I (can only) guess that the mechanism used to validate the input is secure; you can still use hashing if you store a hash of every possible input combination.

Here is a short Wikipedia article about partial passwords that mentions this.

Dario Seidl
6

A side note about asking for specific characters is that users might write the password on paper or worse, in Notepad, just to be sure that they enter the proper letters, as failing to do so will result in an account lock.

Example:

  1. Banks might warn users to use strong passwords
  2. User creates a strong password, let's say CorrectHorseBatteryStaple
  3. Now the bank asks for letters #4, #10 and #16 of the password
  4. While it's easy on paper/Notepad, it might be hard to count in memory which letter is which.

As a result, instead of remembering passwords, users store them on paper with numbered letters :) (or in a text file!)

PeterM
  • This is somewhat mitigated by using a password manager, which should be recommended. Of course, the use of a password manager can also decrease the threat of a keylogger, and more importantly, the bank would have no way of verifying that that is actually the case, even if they recommend it. Side Note: I'd recommend more than 44 bits password entropy for critical applications. I've been using 20 char base64 passwords, but if the user was going for "easy to remember", 1 base64 char after each word brings the entropy up to 68 bits ideal, which is much better. Maybe add 1 more word/char chunk too. – timuzhti Jan 03 '17 at 09:02
  • Not sure how password managers could help with partial passwords? Maybe some advanced ones support it? – PeterM Jan 03 '17 at 09:13
  • Well, it isn't any harder than counting on notepad. I don't know any password managers that can't show the password. Click at the beginning, and move the cursor right slowly even. – timuzhti Jan 03 '17 at 09:35
  • Ah, alright, but still a screen grabber could read it, and the main purpose of partial passwords is protection from a malware-infected computer. – PeterM Jan 03 '17 at 10:29
  • The implementations I've seen only ask for three letters selected only from the first six and the last two characters of your password, no matter how long it is. This partially mitigates your concern. –  Oct 26 '18 at 01:30
  • CorrectHorseBatteryStaple isn't THAT bad... what's far worse is when a banking site asks for specific characters AND asks for a strong password (lower and uppercase letters, numbers, digits AND a length requirement). Good luck remembering which character is which then without writing that down. – MBender Apr 08 '20 at 08:12