Encrypting individual characters from a password

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I am looking to implement a login form where the user is requested to
enter specific characters from their password rather than the full
password (ie like most online banks implement login forms).

The reason for this is to avoid a keylogger running on the client pc
from getting hold of the users password.

In order to check individual characters of a password i would need to
store each character separately in the DB.

This presents a security problem if the DB is accessed by a hacker as
even if the characters were hashed with a salt using MD5 or whatever,
it would be very easy to identify them, as there are only a small
range of possibilities [a-zA-Z0-9]

Assuming the hacker knew the salt and hashing method, they could
easily crack the password.

So my question is, has anyone thought of a good way to store
individual characters from a password in the DB.


Re: Encrypting individual characters from a password

Quoted text here. Click to load it

Hmmm, never ever saw that with dutch banks. Then again, with most dutch  
banks being logged in doesn't mean squat except you can see your history.  
For any transaction (or bulk of transactions) a non-reusable code must be  
given. These codes are usually given either on harcopy earlier, send as a  
text message to a phone, or created by some little gadget reading out the  
bankcard (I highly doubt the real security of the latter...).

Quoted text here. Click to load it

Nope. Why would that be needed?

Quoted text here. Click to load it

Store encrypted password (possibly with password length), on login  
attempt, decrypt password, split into characters, check characters.

Before you go overboard with security: what is it exactly users can do,  
that a hacker with access to the database can't do there?
Rik Wasmus

Re: Encrypting individual characters from a password

ChrisMHodgson@gmail.com wrote:
Quoted text here. Click to load it


If your server is hacked, they will have access to the database and the  
code you use to encrypt/decrypt passwords.  And there's nothing you can  
do about it except keep your system from being hacked.

That's why one-way hashes are so popular - even if your system does get  
hacked, they can't decrypt the passwords.  However, in a case such as  
yours, it won't work well, as you noted.

Another consideration is will people actually count out their password  
to get the right character?  I suspect most people won't bother.

You seem to be wanting perfect security.  There is no such thing.  SSL  
works well for communications, but if the server or client is hacked,  
there's not a lot you can do.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Site Timeline