Partial Passwords and Keystroke Loggers

By Paladion

August 14, 2005

We recently tested an application that asked the user for random parts of the password during each login: "Please enter the 3rd, 6th and 1st letter of your password". The objective of asking for partial passwords is to prevent keystroke loggers from stealing the password.

That's good protection from keystroke loggers, but partial passwords introduce a new level of complexity in password storage.

Ideally, only hashes of passwords should be stored in the database, not the passwords themselves, as we discussed in Palisade last year. Hashes are irreversible, so not even an administrator can deduce a password from its hash.

Partial passwords, however, complicate things. It is no longer enough to store the hash of the full password; instead one has to either store the password itself, or store hashes of the different combinations of characters that could be asked for. And storing hashes of the many combinations of variable-length passwords is non-trivial.
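As an added illustration (not code from the application we tested or from Paladion), this stores one salted, iterated hash per combination of K positions at enrolment and verifies a login challenge against the matching entry; the password itself is never stored. Each stored hash covers only K characters, so its search space is far smaller than that of a full password, which is why a slow hash and a per-user salt matter even more here than for ordinary password hashing; K, the iteration count and the sample password are assumptions for the example.

```python
import hashlib
import hmac
import itertools
import math
import secrets

K = 3                # positions asked for at each login (assumed)
ITERATIONS = 20_000  # PBKDF2 rounds; kept low so the example runs quickly

def _digest(chars: str, positions: tuple, salt: bytes) -> bytes:
    # Bind each character to its position so the same letters asked at
    # different positions never share a hash.
    msg = ",".join(f"{p}:{c}" for p, c in zip(positions, chars)).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)

def enroll(password: str) -> dict:
    """Store one salted hash per K-subset of 1-based positions, never the password."""
    salt = secrets.token_bytes(16)
    n = len(password)
    table = {}
    for positions in itertools.combinations(range(1, n + 1), K):
        chars = "".join(password[p - 1] for p in positions)
        table[positions] = _digest(chars, positions, salt)
    assert len(table) == math.comb(n, K)  # C(n, K) entries: grows fast with n
    return {"length": n, "salt": salt, "hashes": table}

def challenge(record: dict) -> list:
    """Pick K distinct positions to ask for, in random order, as the app does."""
    return secrets.SystemRandom().sample(range(1, record["length"] + 1), K)

def verify(record: dict, asked: list, answer: str) -> bool:
    """Check the characters the user typed for the positions they were asked."""
    if len(answer) != len(asked) or len(set(asked)) != K:
        return False
    pairs = sorted(zip(asked, answer))  # normalise to the stored (sorted) order
    positions = tuple(p for p, _ in pairs)
    chars = "".join(c for _, c in pairs)
    stored = record["hashes"].get(positions)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(chars, positions, record["salt"]))

if __name__ == "__main__":
    rec = enroll("s3cretPass")  # constructed sample password
    asked = [3, 6, 1]           # "3rd, 6th and 1st letter", as in the post
    print(asked, verify(rec, asked, "cts"), verify(rec, asked, "ctx"))
```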

Suffice it to say that this is a design trade-off, and one has to choose between the options carefully.
