
isostatic | 6 years ago

"Not just the 4th and 17th character - the whole thing"

If any company asks for the 4th character of your password, that means they are storing your password in a reversible fashion, and they should be dumped.

The online account should never be logged in by anyone other than the owner. The person on the phone, if their job requires it, should have read/write access to your account, but that should be audited as "Joe Bloggs" accessing the account.

evanb|6 years ago

It's hard to dump the water company.

ben_w|6 years ago

I think, in the UK, the only way to dump a water company is to move house. Regional monopoly?

im3w1l|6 years ago

Using a password that is unique (and highly dissimilar from any other password of yours), can prevent almost all harm from having it stored in plaintext.

SketchySeaBeast|6 years ago

While that is true, that's blaming the user for choosing bad passwords, and not the system for keeping the systems safe, which is an implicit guarantee - I'm giving you this secret key, your job is to keep it safe.

The only reason we need unique passwords is because the system can't hold up its end of the bargain.

Edit: And in hindsight, I was wrong in calling it a bad password from the user - the only reason it's necessarily bad is because it has been compromised. If I use the same sufficiently complex brute-force proof password everywhere, we can safely say I've held up my bargain, but a single data breach completely removes that otherwise impenetrable defense.

isostatic|6 years ago

If it's stored in a reversible fashion, it means somebody can pretend to be me, therefore auditing is meaningless.

mstade|6 years ago

First Direct (a UK bank, subsidiary of HSBC I believe) also does this, and it drives me nuts. Terrible bank, never get an account with them.

CM30|6 years ago

Natwest also does this with its login system (the whole 'enter the X, X and Xth characters from your password' thing).

Seems like it may be an unfortunate 'trend' for banking services in this country.

wdb|6 years ago

Lloyds the same. I think it's a UK thing.

thehappypm|6 years ago

That's not necessarily true. They could store a full password hash and a hash of the 4th and 17th character separately.

pornel|6 years ago

Hashes can't protect the content if it's feasible to enumerate all possible values of the content.

You can't hide individual letters of the alphabet with a hash. Not even with a salt and an expensive hash. It's a hopeless case where a brute-force attack takes only 26 times (or 676 for a pair of letters) longer than a comparison you do during normal operation.

BTW: it's also not possible to use hashes to hide/anonymize phone numbers or IP addresses. The attacker can generate hashes of all possible values and see which one it is.
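To make pornel's point concrete (and to test thehappypm's suggestion of storing a separate hash of the 4th and 17th characters), here is an added Python example that is not from the thread: even a salted, iterated hash of a two-character fragment is recovered by enumerating at most 26 x 26 = 676 candidates. The sample password, the lowercase alphabet and the iteration count are constructed for illustration.

```python
import hashlib
import itertools
import os
import string

# Constructed parameters, not values from the thread.
ALPHABET = string.ascii_lowercase   # 26 candidates per position, as in the comment
ITERATIONS = 10_000                 # an "expensive" salted hash still does not help


def hash_fragment(fragment: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow hash of a password fragment, i.e. how a site might store
    'the 4th and 17th characters' separately from the full-password hash."""
    return hashlib.pbkdf2_hmac("sha256", fragment.encode(), salt, iterations)


def recover_fragment(stored: bytes, salt: bytes, length: int, alphabet: str = ALPHABET):
    """Enumerate every fragment of the given length over the alphabet and return
    (matching fragment, number of hash computations). The salt is stored beside
    the hash, so it does not enlarge the search; the cost is bounded by
    len(alphabet) ** length hashes, regardless of how slow each hash is."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if hash_fragment(candidate, salt) == stored:
            return candidate, attempts
    return None, attempts


def demo():
    """Store a hash of two password characters the way the thread describes,
    then show how few guesses recover them from the hash alone."""
    salt = os.urandom(16)
    password = "correcthorsebatterystaple"      # constructed sample password
    fragment = password[3] + password[16]       # the 4th and 17th characters
    stored = hash_fragment(fragment, salt)
    recovered, attempts = recover_fragment(stored, salt, len(fragment))
    # The full password space (26 ** 25 here) is out of reach; two characters
    # cost at most 676 hashes, so this storage scheme protects nothing.
    return recovered, attempts


if __name__ == "__main__":
    print(demo())
```

The search order is alphabetical, so the fragment "re" is found on the 447th hash; any other pair of lowercase letters would need at most 676.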

brycesbeard|6 years ago

They could hash the full password and just store the two characters in clear text, no?

tonyedgecombe|6 years ago

A hash of individual characters would be susceptible to a rainbow attack.

trevyn|6 years ago

Maybe they’re just storing the 4th character in a reversible fashion. ;-)

rumanator|6 years ago

Ah, the password length of 1.

robk|6 years ago

Lol try dumping a monopoly