Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.

I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)

Is there any secure way that this could be happening? Or are the companies storing my password in plain text?

  • Ravi@feddit.de
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    There are at least two components relevant for entering credentials:

    • the webclient running on your pc/phone

    • the company server

    You open a registration page on a website and your browser downloads the application to your device (just like downloading an app from a store).

    The application gives you a form to create an account or a login page where you enter the password/username.

    The client then checks if the credentials you entered contain the correct amount of special characters and numbers.

    Only after that the credentials are hashed/encrypted and send to the server.

    • El Barto@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      You didn’t read the post’s description.

      How is it possible that a company asks you to provide the second letter of your password to prove identify? Surely this would either mean the passwords are stored unencrypted. Or they’re using some other form of very dubious security.

      • Ravi@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Sorry, I misunderstood your post. They could do this by doing the process I described above AND storing parts of your password. Without further research, this sounds insecure though.

        E.g. your password is: SuperSecure? The hash of your password is: 15837A4C3B Your client sends the hash and the characters 0,2,4 to the server: S p r They can then ask you for single digits of the password.

        Another possibility is that they could encrypt the characters with a key to build a more secure value to transmit. As the others have said, this is possibly unsecure too.

        In general: it’s services are either comfortable to use or secure. You can achieve both on a basic level, but not on a higher level.

        • El Barto@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Is not “possible” insecure. It’s wildly insecure. Encrypting single digits? I mean, anyone could bruteforce them by hand alone.

          • Ravi@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Funny thing is: I’m probably quicker typing a 20 character password than finding out which symbol is at index 5.