Partial Passwords and Keystroke Loggers

We recently tested an application that asked the user for random parts of the password during each login: “Please enter the 3rd, 6th and 1st letter of your password”. The objective of asking partial passwords is to prevent keystroke loggers from stealing the password.

That’s good protection from keystroke loggers, but they introduce a new level of complexity in password storage.

Ideally, only the hashes of passwords should be stored in the database, not the password directly as we discussed in Palisade last year. Hashes are irreversible, so not even an administrator can deduce the password from the hashes.

Partial passwords, however, complicate things a bit. It’s not enough to store the hash of the full password anymore, instead one has to either store the password itself, or the hashes of different combinations of each password. And it’s non-trivial to store hashes of umpteen combinations of variable length passwords.

Suffice it to say that this is a design tradeoff that one has to chose between carefully.

Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.

Add yours.closed for this post.