I have seen some websites, particularly banking sites, that ask you to enter (for instance):

  • The second character of the password
  • The fifth character of the password
  • The sixth character of the password

To do this, a hashing algorithm would not work, would it? Surely something that needs to be as secure as a bank would have a way of storing passwords that cannot be decrypted?

Yes, this could work without holding the plain-text version of the password. Simply, when you initially set the password, the bank hashes every combination it will ever ask for, and stores those hashes. This is easy to implement, whether you have a fixed-length password (i.e. a PIN) or a variable-length one. These hashes could be stored in a preset number of columns in the table associated with the user, or as a simple 3-column table - ID (the primary key), UserId, Hash - with one row for every combination of n characters in your password.
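
One way to implement the scheme in the answer above, as an added example that is not code from this thread: each n-position subset gets its own salted, slow hash (PBKDF2 and the binding of the asked-for positions into the hash are my assumptions, not something the answer specifies).

```python
import hashlib
import hmac
import math
import os
from itertools import combinations

N_CHARS = 3             # how many character positions the site asks for per login
PBKDF2_ITERS = 100_000  # slow hash: each stored value covers only N_CHARS characters


def _derive(positions, chars, salt):
    """Salted PBKDF2 over the asked-for positions *and* their characters."""
    # Binding the positions in stops e.g. "2,5,6" and "3,5,6" with identical
    # letters from producing the same stored value.
    msg = ",".join(map(str, positions)).encode() + b"|" + "".join(chars).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ITERS)


def enroll(password, n=N_CHARS):
    """Run once when the password is set; the plaintext is not kept afterwards.

    Returns the rows the bank would store, {positions: (salt, hash)}, one row
    per n-subset of positions (positions are 1-based, as in the login prompt).
    """
    table = {}
    for positions in combinations(range(1, len(password) + 1), n):
        salt = os.urandom(16)                        # fresh salt per row
        chars = [password[p - 1] for p in positions]
        table[positions] = (salt, _derive(positions, chars, salt))
    return table


def verify(table, positions, answer):
    """Check the characters a user typed for the positions the server chose."""
    positions = tuple(positions)
    row = table.get(positions)
    if row is None:               # the server never asks a subset it did not enroll
        return False
    salt, expected = row
    return hmac.compare_digest(_derive(positions, list(answer), salt), expected)


def rows_stored(password_len, n=N_CHARS):
    """Storage cost of the scheme: C(len, n) rows per user (220 for a 12-char password)."""
    return math.comb(password_len, n)


if __name__ == "__main__":
    rows = enroll("s3cret")                          # constructed sample password
    print(rows_stored(6), "rows stored")             # 20
    print(verify(rows, (2, 5, 6), "3et"))            # True
    print(verify(rows, (2, 5, 6), "3ex"))            # False
```

Because each row protects only n characters, the per-row hash has to be salted and deliberately slow, and the row count grows as C(len, n), which is the storage cost of the multi-row table the answer describes.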

I have doubts about the effectiveness of this method compared to asking for the entire password though... maybe someone has a comment on that?

It would be much less surprising if (some) banks (or other large companies) actually stored plain-text passwords, or ROT13'd ones, or even double ROT13'd...

It's probably a bad thing to discuss on an open forum, but what's to stop them from placing the characters you supply into a memory-held, decrypted copy of the memorable word or phrase at the appropriate positions, encrypting it and doing a binary comparison on the result?

I'd imagine they'd have some kind of private key system for decrypting (possibly even a private key per account, to improve security)...

They could just as easily have a HASH of the individual characters, couldn't they?

You don't really need to use a one-way HASH. You could just as easily use a two-way cipher, provided the key was secure. In this situation they could easily keep the cipher on systems not accessible from the internet.