by robbmorganf
1708 days ago
Yikes, I didn't know that. Seems like I need to make my Fidelity password 6 times longer. Does this also mean they probably store passwords in clear text? Because there's no way to normalize the numeric passwords back to letters and symbols.
They can generate the phone password on the client side and send both passwords to be salted, hashed, and stored separately.
That much seems OK.
But the salted+hashed phone password is incredibly weak. It can be brute forced readily unless it is very long.
From the brute forced phone password, the regular password can be brute forced as well, since the digits of the phone password tremendously constrain the characters of the regular password.
It's very much like the Hollywood hacking where the hackers progressively lock digits of your password and eventually discover the whole thing.