Hacker News new | ask | show | jobs
by brassic 3513 days ago
I have to use two passwords to login to Lloyds bank. One conventional password (which is presumably stored salted and hashed) and one where I have to enter characters from three positions they choose. The latter is intended to mitigate the risk of using your account from a vulnerable computer. The former takes care of vulnerabilities on their end (as far as any password can).
1 comments
Symbiote 3513 days ago
Could they implement something like:

Password: money

Secret word: ABCD

If they're going to ask for two characters from the secret word, they could then hash

  saltmoneyAB
  saltmoneyAC
  saltmoneyAD
  saltmoneyBC
  saltmoneyBD
  saltmoneyCD
and check against the relevant one.
link