No Stupid Questions @lemmy.world pandarisu @lemmy.world 1 yr. ago

Is it possible to safely check for certain characters in a password?

Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn't know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I've noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

You're viewing a single thread.

93 comments

There are at least two components relevant for entering credentials:

the webclient running on your pc/phone

the company server

You open a registration page on a website and your browser downloads the application to your device (just like downloading an app from a store).

The application gives you a form to create an account or a login page where you enter the password/username.

The client then checks if the credentials you entered contain the correct amount of special characters and numbers.

Only after that the credentials are hashed/encrypted and send to the server.
- You didn't read the post's description.
  
  How is it possible that a company asks you to provide the second letter of your password to prove identify? Surely this would either mean the passwords are stored unencrypted. Or they're using some other form of very dubious security.
  
  Sorry, I misunderstood your post. They could do this by doing the process I described above AND storing parts of your password. Without further research, this sounds insecure though.
  
  E.g. your password is: SuperSecure? The hash of your password is: 15837A4C3B Your client sends the hash and the characters 0,2,4 to the server: S p r They can then ask you for single digits of the password.
  
  Another possibility is that they could encrypt the characters with a key to build a more secure value to transmit. As the others have said, this is possibly unsecure too.
  
  In general: it's services are either comfortable to use or secure. You can achieve both on a basic level, but not on a higher level.
  
  Is not "possible" insecure. It's wildly insecure. Encrypting single digits? I mean, anyone could bruteforce them by hand alone.

You've viewed 93 comments.