Partial Passwords and Keystroke Loggers

Paladion
By Paladion

August 14, 2005

We recently tested an application that asked the user for random parts of the password during each login: "Please enter the 3rd, 6th and 1st letter of your password". The objective of asking partial passwords is to prevent keystroke loggers from stealing the password.

That's good protection from keystroke loggers, but partial passwords introduce a new level of complexity in password storage.

Ideally, only the hashes of passwords should be stored in the database, not the passwords themselves, as we discussed in Palisade last year. Hashes are irreversible, so not even an administrator can deduce the password from the hashes.

Partial passwords, however, complicate things a bit. It's no longer enough to store the hash of the full password; instead one has to either store the password itself, or store the hashes of every combination of positions that the application might ask for. And it's non-trivial to store hashes of umpteen combinations of variable-length passwords.
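To make the storage problem concrete, here is an added example (not Paladion's code) of the "hash every combination" option: it enrols a password by storing one salted PBKDF2 hash per 3-position subset, counts how many such hashes a password of a given length needs, and verifies a challenge such as "3rd, 6th and 1st". The number of positions asked, the KDF and work factor, and the record layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import math
import os
from itertools import combinations

# Added illustration of the per-combination storage scheme; parameters are assumed.
POSITIONS_ASKED = 3      # "enter the 3rd, 6th and 1st letter" -> k = 3
PBKDF2_ROUNDS = 10_000   # kept low for the demo; use a far higher value in production


def _hash_chars(chars: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, PBKDF2_ROUNDS)


def combination_count(password_length: int, k: int = POSITIONS_ASKED) -> int:
    """Hashes the server must store for one password: C(n, k) position subsets."""
    return math.comb(password_length, k)


def enroll(password: str, k: int = POSITIONS_ASKED) -> dict:
    """Store one salted hash per sorted, 0-based k-subset of positions.
    The record grows as C(n, k), which is the 'umpteen combinations' problem.
    Caveat: each hash covers only k characters, so it resists offline guessing
    far less than a hash of the whole password, even with a slow KDF."""
    salt = os.urandom(16)
    subsets = {}
    for positions in combinations(range(len(password)), k):
        chars = "".join(password[i] for i in positions)
        subsets[positions] = _hash_chars(chars, salt)
    return {"length": len(password), "salt": salt, "subsets": subsets}


def verify(record: dict, asked: tuple, answer: str) -> bool:
    """asked: 1-based positions in the order shown to the user, e.g. (3, 6, 1);
    answer: the characters the user typed in that same order."""
    if len(asked) != len(answer) or len(set(asked)) != len(asked):
        return False
    # Normalise to the sorted, 0-based key used at enrolment.
    pairs = sorted(zip((p - 1 for p in asked), answer))
    key = tuple(p for p, _ in pairs)
    if key not in record["subsets"]:
        return False
    candidate = _hash_chars("".join(c for _, c in pairs), record["salt"])
    return hmac.compare_digest(candidate, record["subsets"][key])


if __name__ == "__main__":
    rec = enroll("s3cretpw")                     # constructed sample password
    print(len(rec["subsets"]), "hashes stored")  # C(8, 3) = 56
    print(verify(rec, (3, 6, 1), "cts"))         # True
```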

Suffice it to say that this is a design tradeoff that one has to weigh carefully.
