mike808137 Wrote:The proof is that if they are selecting any arbitrary/random character from your password to compare against the unencrypted value, then they *must* have knowledge of your actual password value.
jonat Wrote:If they can check individual characters of your password, they must have a way of recreating your password. This means at best encryption using a shared key and not hashing. With hashing, there is no way to reconstruct the password from the hash - this is the secure method. (Assuming use of a good hash algorithm properly implemented.) Even if they have encrypted your password, it can be decrypted - either by them or by a hacker who obtains the common key.
ShawnElseworth Wrote:jonat Wrote:So to me this looks that the bank does not have access to the clear text password.
mike808137 Wrote:ShawnElseworth Wrote:jonat Wrote:So to me this looks that the bank does not have access to the clear text password.
I think you give far too much credit to the capabilities of ALL of these banks individual application developers security expertise, as well as assuming, with no evidence whatsoever, that they a) have done something like what you describe, and b) have done so with rigorous secuirty evaluation, review, and testing, c) have correctly implemented the mechanism with zero defects, and d) have the testing/audit logs by an independent security review entity to prove it.
Sorry, I've seen far too many "not invented here", security through obscurity, and egotistical crypto dillettante wannabes in my experience to think that what you describe is anywhere close to the possible "floor" of expectation when it comes to security, and in particular, bank security. And to be blunt, Europe in particular is full of that SDLC culture, in my experience.
Chopping up your password and encrypting it one character at a time is still encrypting it. And anything that can be encrypted, can be decrypted. If I have a test for each individual character of your password, then I have a way to "decode" your password, one character at a time, as a simple matter of provable fact.
And you've offered no guarantees or even a way to evaluate th "correctness" of whatever home-cooked sooper-dooper-secret-sauce method the web developer has cooked up. And you certainly cannot point to any public peer-reviewed mechanisms or standards defining such a mechanism. Which does not bode well for whatever imaginary "security" such an undisclosed method claims to correctly implement.
If the idea is that you are to provide some identifier verification, then it should not be confused with authentication or require in any way, the possession of a value that only you possess, in any form, encrypted or spread about in split knowledge.
This is also the reason I have very, very significant and sincere reservations about why LastPass, by design, requires that the same password used to access the LastPass website and download your vault MUST also be the same as the password you use to decrypt your vault. That decision is such a poor security decision, it seriously strains the credulity of every single one of the other security claims made by LastPass. That concept of privileged action should NEVER be overloaded with the same credential you use for some lesser security activity. That's security 101, and IMO, LP really misses the mark on that one.
To support the partial protocol the implementation will need to either store plain-text for the password, or devise a mechanism for performing one-way checks on all combinations that might be queried (which can be a large number for long passwords).
mike808137 Wrote:I noted someone said it is only part of the login, in that you have to provide your full password in one place and then in some other place, they only ask you for some random character(s) from the password you entered earlier.
I'm not sure that's of any actual security benefit - if the bad guys already know your entire password, they can certainly enter the partial characters any other time. It is also trivially provable that they MUST BE STORING A DIRECT COPY YOUR PASSWORD - one that can be STOLEN and COPIED WITHOUT THEIR KNOWLEDGE. That's the entire point of a password breach.
Users browsing this forum: Bing [Bot], Google [Bot] and 27 guests