2009 December : Dragons in the Algorithm


Password in Pieces

I came across the following question on reddit:

My bank, on the online banking login, instead of having a password field, presents you with 3 password fields of 1 character each, where it asks you for 3 characters from your password, chosen randomly, e.g. the 2nd, 4th and 7th.

I wanted to respond to this, because not only is it an incredibly misguided attempt at security which seriously weakens actual security, it also sounds familiar. Because a few months ago my employer considered doing something just like this. Let me recount the story more…
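To make concrete what "seriously weakens actual security" means for the scheme in the quoted question, here is a small model of it, added as an example; it is not code from the original post, from any bank, or from the employer's proposal. It assumes a 36-character alphabet and a fixed challenge of 3 distinct positions (both assumptions), and it shows two consequences of the design: the server has to keep every character of the password recoverable in order to check arbitrary 3-character subsets, so it cannot store a salted hash of the whole password, and every observed login leaks three (position, character) pairs, so an eavesdropper who sees a handful of logins learns the whole password while a blind guesser faces 36**3 candidates per challenge instead of 36**len(password).

```python
"""Model of a "3 random characters from your password" login.

Constructed example, not the bank's code. The password "s3cretpw" and the
36-character alphabet below are assumptions made for the demonstration.
"""
import math
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed alphabet, 36 symbols
CHALLENGE_SIZE = 3                                  # assumed: the post's "3 characters"


class PartialPasswordServer:
    """Server side of the scheme. Because any 3 positions may be asked for,
    the stored secret must let the server read individual characters, which
    rules out a salted hash of the whole password."""

    def __init__(self, password, rng):
        self.password = password  # kept recoverable: the storage weakness
        self.rng = rng

    def challenge(self):
        """Pick 3 distinct 1-based positions, e.g. [2, 4, 7] as in the post."""
        return sorted(self.rng.sample(range(1, len(self.password) + 1), CHALLENGE_SIZE))

    def verify(self, positions, chars):
        """Accept if each supplied character matches the stored one at its position."""
        return all(self.password[p - 1] == c for p, c in zip(positions, chars))


class Eavesdropper:
    """A keylogger, phishing page or shoulder-surfer: records every
    (position, character) pair revealed by a successful login."""

    def __init__(self, length):
        self.length = length
        self.known = {}

    def observe(self, positions, chars):
        for p, c in zip(positions, chars):
            self.known[p] = c

    def recovered(self):
        """Password as currently known, '?' for positions never observed."""
        return "".join(self.known.get(i, "?") for i in range(1, self.length + 1))


def coverage_probability(length, known_positions, k=CHALLENGE_SIZE):
    """Chance that a fresh challenge asks only for positions the attacker
    already knows, i.e. that they can log in without guessing at all."""
    if known_positions < k:
        return 0.0
    return math.comb(known_positions, k) / math.comb(length, k)


def guess_space(length, k=CHALLENGE_SIZE, alphabet=ALPHABET):
    """(candidates for the whole password, candidates for one challenge)."""
    return len(alphabet) ** length, len(alphabet) ** k


def logins_until_recovered(password, seed):
    """Simulate legitimate logins watched by an eavesdropper; return how many
    logins it took before every position was known, and the recovered string."""
    rng = random.Random(seed)
    server = PartialPasswordServer(password, rng)
    spy = Eavesdropper(len(password))
    logins = 0
    while len(spy.known) < len(password):
        positions = server.challenge()
        chars = [password[p - 1] for p in positions]  # the legitimate user answers
        assert server.verify(positions, chars)
        spy.observe(positions, chars)
        logins += 1
    return logins, spy.recovered()


if __name__ == "__main__":
    pw = "s3cretpw"  # constructed sample password
    n, got = logins_until_recovered(pw, seed=1)
    print(f"eavesdropper recovered {got!r} after {n} observed logins")
    whole, partial = guess_space(len(pw))
    print(f"blind guesses: {whole} for the full password vs {partial} per challenge")
    for known in range(CHALLENGE_SIZE, len(pw) + 1):
        print(f"{known} known positions -> P(no guessing needed) = "
              f"{coverage_probability(len(pw), known):.3f}")
```

The simulation stops as soon as every position has been seen once, so the login count it reports is the attacker's cost in observed sessions; the coverage figures show that even a partial recovery lets the attacker simply retry until a challenge lands on positions they already hold.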

