Posted by ChrisMHodgson on 10/14/07 14:40
Hi
I am looking to implement a login form where the user is requested to
enter specific characters from their password rather than the full
password (i.e. like most online banks implement login forms).
The reason for this is to avoid a keylogger running on the client PC
from getting hold of the user's password.
In order to check individual characters of a password I would need to
store each character separately in the DB.
This presents a security problem if the DB is accessed by a hacker as
even if the characters were hashed with a salt using MD5 or whatever,
it would be very easy to identify them, as there are only a small
range of possibilities [a-zA-Z0-9].
Assuming the hacker knew the salt and hashing method, they could
easily crack the password.
So my question is, has anyone thought of a good way to store
individual characters from a password in the DB?
Thanks
Chris
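
The concern raised in the post above, worked through as an added example that is not part of the original post: it stores one salted hash per character and counts how many hash evaluations an audit of a leaked table needs to recover every character. The function names, the use of PBKDF2 (standing in for the post's "MD5 or whatever"), the iteration count and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits  # the post's [a-zA-Z0-9], 62 symbols
ITERATIONS = 1_000  # assumed value, kept low so the demo runs quickly


def char_hash(salt: bytes, position: int, ch: str) -> bytes:
    """Salted, deliberately slow hash of one character, bound to its position."""
    return hashlib.pbkdf2_hmac("sha256", ch.encode(), salt + bytes([position]), ITERATIONS)


def store_per_char(password: str, salt: bytes) -> list:
    """What the database would hold: one salted hash per password character."""
    return [char_hash(salt, i, ch) for i, ch in enumerate(password)]


def check_positions(stored: list, salt: bytes, answers: dict) -> bool:
    """Login check: the user supplies only the requested positions."""
    ok = True
    for pos, ch in answers.items():
        ok &= hmac.compare_digest(stored[pos], char_hash(salt, pos, ch))
    return ok


def audit_exposure(stored: list, salt: bytes) -> tuple:
    """Count the hash evaluations needed to recover every character from a leaked table."""
    recovered, evaluations = [], 0
    for pos, target in enumerate(stored):
        for ch in ALPHABET:
            evaluations += 1
            if hmac.compare_digest(char_hash(salt, pos, ch), target):
                recovered.append(ch)
                break
    return "".join(recovered), evaluations


if __name__ == "__main__":
    salt = os.urandom(16)
    password = "Tr0ub4dor9x"  # constructed sample, 11 characters
    table = store_per_char(password, salt)
    assert check_positions(table, salt, {1: "r", 4: "b", 8: "r"})
    recovered, evals = audit_exposure(table, salt)
    bound = len(ALPHABET) * len(password)
    print(f"recovered={recovered == password} after {evals} evaluations (bound {bound})")
    print(f"whole-password search space: {len(ALPHABET) ** len(password):.2e}")
```

The work grows linearly (at most 62 evaluations per position) instead of exponentially with password length, so raising `ITERATIONS` only multiplies a very small number.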