I’ve only seen this as a second factor after entering a full password. Although it has mostly been replaced by actual 2FA now. Last time I remember this type was on the uk gov student finance website
this post was submitted on 11 Jul 2023
0 points (NaN% liked)
No Stupid Questions
35316 readers
696 users here now
No such thing. Ask away!
!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rules (interactive)
Rule 1- All posts must be legitimate questions. All post titles must include a question.
All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.
Rule 2- Your question subject cannot be illegal or NSFW material.
Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding META posts and joke questions.
Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.
On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.
If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.
Rule 7- You can't intentionally annoy, mock, or harass other members.
If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.
Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- Majority of bots aren't allowed to participate here.
Credits
Our breathtaking icon was bestowed upon us by @Cevilia!
The greatest banner of all time: by @TheOneWithTheHair!
founded 1 year ago
MODERATORS
The 2 occasions I can think of, it was characters from my main password. Both were during contact with the Support teams. I no longer have service with either of the companies (due to unrelated reasons)
Did you have to give those characters directly to the support staff?
On one occasion, yes, over the phone.
The other I was in a web chat on the company's website and they provided a link to a page on the same website where it asked for the characters
Even if they somehow manage to secure the password properly while still being able to know a specific character from that password, having support staff handle that information directly seems very very fishy. All in all, it doesn’t speak for their security practices. Even if they have sone form of protection for the specific characters stored separately, it would reduce the overall security because parts of your passwords are more easily guessable. In the worst case they simple store your pw in plain text and on top of that they might supply that information to the support staff.
There are at least two components relevant for entering credentials:
-
the webclient running on your pc/phone
-
the company server
You open a registration page on a website and your browser downloads the application to your device (just like downloading an app from a store).
The application gives you a form to create an account or a login page where you enter the password/username.
The client then checks if the credentials you entered contain the correct amount of special characters and numbers.
Only after that the credentials are hashed/encrypted and send to the server.
You didn't read the post's description.
How is it possible that a company asks you to provide the second letter of your password to prove identify? Surely this would either mean the passwords are stored unencrypted. Or they're using some other form of very dubious security.
Sorry, I misunderstood your post. They could do this by doing the process I described above AND storing parts of your password. Without further research, this sounds insecure though.
E.g. your password is: SuperSecure? The hash of your password is: 15837A4C3B Your client sends the hash and the characters 0,2,4 to the server: S p r They can then ask you for single digits of the password.
Another possibility is that they could encrypt the characters with a key to build a more secure value to transmit. As the others have said, this is possibly unsecure too.
In general: it's services are either comfortable to use or secure. You can achieve both on a basic level, but not on a higher level.
Is not "possible" insecure. It's wildly insecure. Encrypting single digits? I mean, anyone could bruteforce them by hand alone.
Funny thing is: I'm probably quicker typing a 20 character password than finding out which symbol is at index 5.
I'm assuming they're plain text. There's is no perceivable way they can only use those data points to to figure out which hash it is. Unless of course they're using their own "hashing" function which isn't secure at all since it's probably reversible.
Perhaps they validate the passwords client side before hashing. The user could bypass the restrictions pretty easily by modifying the JavaScript of the website, but the password would not be transmitted un-hashed.
It is worth pointing out that nearly any password restriction like this can be made ineffective by the user anyway. Most people who are asked to put a special character in the password just add a ! to the end. I think length is still a good validation though and it runs into the same issue @randombullet@lemmy.world is asking about
How would they validate individual characters client side? The set password is on the server.
When you are filling out the web form with your password it's stored plain text in the web browser and accessible via JavaScript. At that point, a JavaScript function checks the requirements like length and then does the salting/hashing/etc and sends the result to the server.
You could probably come up with a convoluted scheme to check requirements server side, but it would weaken the strength of the hash so I doubt anyone does it this way. The down side of the client side checking is that a tenacious user could bypass the password requirements by modifying the JavaScript. But they could also just choose a dumb password within the requirements so it doesn't matter much... "h4xor!h4xor!h4xor!" Fits most password requirements I have seen but is probably tried pretty quickly by password crackers.
OP asked about validating specific characters of the password. Commenter then said it has to be stored in plain text for that to work. Then you commented about client-side validation. Which I really don't see has anything to do with the stuff before in this thread?
Commenter said it has to be plain text server side. You implied validating client side would allow storing hashed passwords and still validating individual characters of the password. Which I asked how that would work. Your answer to that seems to give a general view of password handling on forms and validation?