by isostatic 2387 days ago
"Not just the 4th and 17th character - the whole thing"

If any company asks for the 4th character of your password, that means they are storing your password in a reversible fashion, and they should be dumped.

The online account should never be logged in by anyone other than the owner. The person on the phone, if their job requires it, should have read/write access to your account, but that should be audited as "Joe Bloggs" accessing the account

6 comments

It's hard to dump the water company.
I think, in the UK, the only way to dump a water company is to move house. Regional monopoly?
In the case of Thames water, yes. Leaving London is the only option.
You can switch water providers or more said the water utility company billing you
Presumably in most other places with municipal water infrastructure too!
Using a password that is unique (and highly dissimilar from any other password of yours), can prevent almost all harm from having it stored in plaintext.
While that is true, that's blaming the user for choosing bad passwords, and not the system for keeping the systems safe, which is an implicit guarantee - I'm giving you this secret key, your job is to keep it safe.

The only reason we need unique passwords is because the system can't hold up its end of the bargain.

Edit: And in hindsight, I was wrong in calling it a bad password from the user - the only reason it's necessarily bad is because it has been compromised. If I use the same sufficiently complex brute-force proof password everywhere, we can safely say I've held up my bargain, but a single data breach completely removes that otherwise impenetrable defense.

If it's stored in a reversible fashion, it means somebody can pretend to be me, therefore auditing is meaningless.
First Direct (a UK bank, subsidiary of HSBC I believe) also does this, and it drives me nuts. Terrible bank, never get an account with them.
Natwest also does this with its login system (the whole 'enter the X, X and Xth characters from your password' thing).

Seems like it may be an unfortunate 'trend' for banking services in this country.

Lloyds the same. I think it's a UK thing
And TSB.
That's not necessarily true. They could store a full password hash and a hash of the 4th and 17th character separately.
Hashes can't protect the content if it's feasible to enumerate all possible values of the content.

You can't hide individual letters of the alphabet with a hash. Not even with a salt and an expensive hash. It's a hopeless case where a brute-force attack takes only 26 times (or 676 for a pair of letters) longer than a comparison you do during normal operation.

BTW: it's also not possible to use hashes to hide/anonymize phone numbers or IP addresses. The attacker can generate hashes of all possible values and see which one it is.
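
An added illustration of the point above (example code, not from anyone in this thread): a salted, iterated hash of a two-character password fragment is recovered by simply enumerating every candidate, in at most |charset|^2 trials. The fragment "Wj", the character sets and the iteration count are constructed sample values for the demo.

```python
import hashlib
import hmac
import itertools
import os
import string

# Deliberately low so the demo runs quickly; real deployments use far more
# iterations, but that only scales the (tiny) enumeration cost linearly.
ITERATIONS = 200


def hash_fragment(fragment: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password fragment, i.e. what a
    'hash the 4th and 17th characters separately' scheme might store."""
    return hashlib.pbkdf2_hmac("sha256", fragment.encode(), salt, iterations)


def recover_fragment(stored: bytes, salt: bytes, charset: str, length: int = 2,
                     iterations: int = ITERATIONS):
    """Enumerate every candidate fragment drawn from charset and compare its
    hash with the stored one (the salt is stored alongside the hash, so the
    salt does not enlarge the search). Returns (fragment_or_None, trials)."""
    trials = 0
    for candidate in itertools.product(charset, repeat=length):
        trials += 1
        text = "".join(candidate)
        if hmac.compare_digest(hash_fragment(text, salt, iterations), stored):
            return text, trials
    return None, trials


def demo(fragment: str, charset: str):
    """Store a hashed fragment with a fresh random salt, then recover it.
    Returns (recovered_fragment, trials_used, size_of_search_space)."""
    salt = os.urandom(16)
    stored = hash_fragment(fragment, salt)
    found, trials = recover_fragment(stored, salt, charset, len(fragment))
    return found, trials, len(charset) ** len(fragment)


if __name__ == "__main__":
    # Lowercase-only fragment: at most 26 * 26 = 676 hash computations.
    print(demo("wj", string.ascii_lowercase))
    # Letters and digits: at most 62 * 62 = 3844, still instantaneous.
    print(demo("Wj", string.ascii_letters + string.digits))
```

The search space for two printable ASCII characters is 95^2 = 9025 hashes, which is why neither the salt nor an expensive KDF changes the conclusion; only never storing per-character material does.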

Let's say my password is NmsWQlWj1kzS534ojygJ. The 4th and 17th characters are W and j. Even if those two characters are stored in plain text, how exactly does that compromise my password?
They could hash the full password and just store the two characters in clear text, no?
A hash of individual characters would be susceptible to a rainbow attack.
Not if they use salt
Okay, so now it's a brute which requires, at most, a couple hundred hashes (or less for a typical user's character set). Even for a very expensive algorithm, this is an extremely short operation.
Maybe they’re just storing the 4th character in a reversible fashion. ;-)
Ah, the password length of 1.
Lol try dumping a monopoly