|
|
Posted by Rik Wasmus on 10/14/07 14:49
On Sun, 14 Oct 2007 16:40:41 +0200, <ChrisMHodgson@gmail.com> wrote:
> I am looking to implement a login form where the user is requested to
> enter specific characters from their password rather than the full
> password (ie like most online banks implement login forms).
Hmmm, never ever saw that with dutch banks. Then again, with most dutch
banks being logged in doesn't mean squat except you can see your history.
For any transaction (or bulk of transactions) a non-reusable code must be
given. These codes are usually given either on harcopy earlier, send as a
text message to a phone, or created by some little gadget reading out the
bankcard (I highly doubt the real security of the latter...).
> The reason for this is to avoid a keylogger running on the client pc
> from getting hold of the users password.
>
> In order to check individual characters of a password i would need to
> store each character separately in the DB.
Nope. Why would that be needed?
> This presents a security problem if the DB is accessed by a hacker as
> even if the characters were hashed with a salt using MD5 or whatever,
> it would be very easy to identify them, as there are only a small
> range of possibilities [a-zA-Z0-9]
>
> Assuming the hacker knew the salt and hashing method, they could
> easily crack the password.
Store encrypted password (possibly with password length), on login
attempt, decrypt password, split into characters, check characters.
Before you go overboard with security: what is it exactly users can do,
that a hacker with access to the database can't do there?
--
Rik Wasmus
Navigation:
[Reply to this message]
|