by tjoff 4829 days ago
The client, or server, could just concatenate all the chars and then calculate whatever hash you desire of the result. Or?

Yes, if the machine is compromised the attacker could do it as well but the point was to prevent keyloggers specifically.

1 comments

If I understand correctly, you are only asked to fill in a few of the 8 characters. (I have seen this before.)

You are presented with

* * [ ] * [ ] * * [ ]

and you are supposed to submit

* * [3] * [5] * * [8]

so neither side would have enough information to reconstruct the full password based on the user's input alone.
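As an added illustration (not code from either commenter), here is the exchange the comment above describes, written in Python: the server picks a few of the 8 positions, the user types only those characters, and, following the earlier suggestion in the thread, the client concatenates them and hashes the result together with the challenge rather than sending the characters themselves. The password value, the `challenge_id` nonce and the function names are assumptions made for the example. One caveat a practitioner should note: to check an arbitrary subset of positions the server must be able to recover the individual characters, so it cannot get by with a single salted hash of the whole password the way an ordinary login can. The `keylogger_view` helper shows what a keylogger that captured the typed keys (and, worst case, saw which positions were asked) would know after a set of logins.

```python
import hashlib
import hmac
import secrets

# Constructed example password (assumption for this example). The server
# must be able to read individual characters of it to verify a subset.
PASSWORD = "s3cretPw"
CHARS_REQUESTED = 3


def make_challenge(length, k, rng=secrets.SystemRandom()):
    """Server side: choose k distinct 1-based positions to ask for."""
    return sorted(rng.sample(range(1, length + 1), k))


def render_challenge(length, positions):
    """Draw the prompt the way the comment does: '*' for slots that are
    not asked for and '[ ]' for the ones the user must fill in."""
    return " ".join("[ ]" if i in positions else "*" for i in range(1, length + 1))


def client_response(challenge_id, positions, typed_chars):
    """Client side: concatenate the characters typed into the asked slots
    and hash them together with the challenge, so the digest is bound to
    this particular request and cannot be replayed for a different one."""
    if len(typed_chars) != len(positions):
        raise ValueError("one character per requested position")
    msg = (
        challenge_id
        + ":"
        + ",".join(str(p) for p in positions)
        + ":"
        + "".join(typed_chars)
    )
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


def server_verify(password, challenge_id, positions, digest):
    """Server side: recompute the digest from the stored password's
    characters at the asked positions and compare in constant time."""
    expected_chars = [password[p - 1] for p in positions]
    expected = client_response(challenge_id, positions, expected_chars)
    return hmac.compare_digest(expected, digest)


def keylogger_view(password, logins):
    """What a keylogger that saw the keystrokes of each login (and which
    positions were asked) would know; '?' marks still-unknown positions."""
    learned = {}
    for positions, typed in logins:
        for p, c in zip(positions, typed):
            learned[p] = c
    return "".join(learned.get(i, "?") for i in range(1, len(password) + 1))


if __name__ == "__main__":
    positions = make_challenge(len(PASSWORD), CHARS_REQUESTED)
    challenge_id = secrets.token_hex(8)  # per-login nonce (assumption)
    print("server asks:", render_challenge(len(PASSWORD), positions))
    # Simulate the user typing the right characters into the asked slots.
    typed = [PASSWORD[p - 1] for p in positions]
    digest = client_response(challenge_id, positions, typed)
    print("accepted:", server_verify(PASSWORD, challenge_id, positions, digest))
    print("keylogger knows:", keylogger_view(PASSWORD, [(positions, typed)]))
```

Each login leaks only the characters that were asked for, which is the whole point of the scheme; repeated logins with different challenges gradually fill in the `?` slots in `keylogger_view`, which is why the number of positions requested per login and the number of logins a keylogger can observe together bound what the scheme buys you.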