Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

  • andrew@lemmy.stuart.fun
    link
    fedilink
    English
    arrow-up
    1
    ·
    11 months ago

    The most secure way this could happen is them storing the specific character separately. It reduces security of your password if that plaintext character is compromised but you could still store the rest of the password securely.

    You could even salt and hash the one character with a large salt to keep it behind a one-way function, and then the agent would need to enter it and confirm via the system, but that would reduce any downside of the one or two characters being compromised.

    It’s weird either way though.