Hacker News new | ask | show | jobs
by ookware 4997 days ago
I believe NatWest and Halifax must do the same as they both ask you to "input characters x, y and z from your password" which I don't see how they could do without needing plain text storage. Of course I await being told how I am wrong with this!
2 comments
pja 4997 days ago
Yup. Logging in to NatWest requires that you know your customer number, 3 numbers from a login PIN and 3 letters from a password.

They do use 2-factor authorisation for any new payees, so it's not totally insecure.

On the other hand, their recent 'get cash from the nearest ATM with a code we send to your phone if you've lost your wallet' app was soundly compromised by criminal gangs within days, and the service had to be pulled entirely. They're still advertising it on the homepage, but when you click through it says "We're sorry. Get Cash is not available at the moment. We are currently updating this service to increase the level of security around it."

Reading the blurb for the Get Cash service made a likely compromise route immediately obvious to me: it seems very likely that anyone who's had sight of your debit card could register an arbitrary phone & extract cash from your account, because the only details needed to verify your phone were on the card, or easily guessable (NatWest customer numbers are extremely predictable unfortunately).

If there was anyone obviously better I'd be dumping NatWest, but it's not obvious that any of the other major banks are much of an improvement :(

link
bruceboughton 4997 days ago
This is a separate code to your password, and there is no reason each letter could not also be stored as a hash after being salted with some personal information.
link
nucleardog 4997 days ago
> there is no reason each letter could not also be stored as a hash after being salted with some personal information.

There's no technical reason, but you may as well just store it as plain text.

Even assuming everyone used all the available Unicode symbols (~110,000 according to Wikipedia) an eight character password would only require calculating 880,000 hashes in order to brute force every character.

Assuming a more realistic A-Za-z0-9, an eight character password is an absolutely pathetic 496 hashes. A 1,024 character password (good luck remembering that) is still a paltry 63,488.

For comparison, hashed as a whole that same A-Za-z0-9 at eight characters is 218,340,105,584,896 (62^8).

Hashing the characters individually changes adding more characters from exponentially increasing the work involved to linearly. It's good as useless.

link