ShawnElseworth Wrote:
> jonat Wrote: So to me this looks like the bank does not have access to the clear text password.
I think you give far too much credit to the capabilities of ALL of these banks' individual application developers' security expertise, as well as assuming, with no evidence whatsoever, that they a) have done something like what you describe, b) have done so with rigorous security evaluation, review, and testing, c) have correctly implemented the mechanism with zero defects, and d) have the testing/audit logs by an independent security review entity to prove it.
Sorry, I've seen far too many "not invented here", security-through-obscurity, and egotistical crypto dilettante wannabes in my experience to think that what you describe is anywhere close to the possible "floor" of expectation when it comes to security, and in particular, bank security. And to be blunt, Europe in particular is full of that SDLC culture, in my experience.
Chopping up your password and encrypting it one character at a time is still encrypting it. And anything that can be encrypted, can be decrypted. If I have a test for each individual character of your password, then I have a way to "decode" your password, one character at a time, as a simple matter of provable fact.
And you've offered no guarantees or even a way to evaluate the "correctness" of whatever home-cooked sooper-dooper-secret-sauce method the web developer has cooked up. And you certainly cannot point to any public peer-reviewed mechanisms or standards defining such a mechanism. Which does not bode well for whatever imaginary "security" such an undisclosed method claims to correctly implement.
If the idea is that you are to provide some identifier verification, then it should not be confused with authentication or require, in any way, the possession of a value that only you possess, in any form, encrypted or spread about in split knowledge.
This is also the reason I have very, very significant and sincere reservations about why LastPass, by design, requires that the same password used to access the LastPass website and download your vault MUST also be the same as the password you use to decrypt your vault. That decision is such a poor security decision, it seriously strains the credulity of every single one of the other security claims made by LastPass. That concept of privileged action should NEVER be overloaded with the same credential you use for some lesser security activity. That's security 101, and IMO, LP really misses the mark on that one.