by sigden 4033 days ago
What legitimate use case is there for implementing a 2-way encryption method over a hash function for passwords?
2 comments

I never said it was the best method to use over a hash function. However, it's much better than plain text, and it would be unethical to say the company didn't have any security if the original poster doesn't know for sure.
Customer support. A human can then verify the user even if they can only remember a part of the password.
Sounds like a security flaw ripe for social engineering
Customer support by itself tends to be a security flaw ripe for social engineering.
Phone support can be tricky, yes, but there are other ways to identify the caller without storing their password in plaintext.
Callbacks? Users' PII? There are really no good ways to do phone verification. You can't use any kind of shared secrets, as people forget those.
My bank uses an automated system to verify a PIN (i.e. the operator transfers you to confirm identity, then you come back).

But it also depends on the realm. Before the saas craze, a lot more support was performed in-house meaning you didn't have the same scale of problem.
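The two comments above (identifying a caller without storing the password in plaintext, and an automated check that keeps the secret away from the operator) can be illustrated without reversible encryption. The following is an added example, not code from the thread or from any bank: at enrollment it stores a slow salted hash of the full password for normal login, plus separate salted hashes of a few randomly chosen character-position subsets, so a support script can ask the caller for "characters 2, 5 and 7" and check the answer without any human or system ever being able to recover the whole password. Iteration count, subset size and number of subsets are assumptions for illustration.

```python
"""
Partial-password verification for support calls without a reversible copy
of the password.  Added example; not from the original thread.
"""
import hashlib
import hmac
import os
import secrets
from itertools import combinations

ITERATIONS = 200_000   # assumption: tune to your hardware's cost budget
SALT_LEN = 16          # bytes of random salt per stored hash


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash; the same primitive is used for full and partial secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, num_subsets: int = 3, chars_per_subset: int = 3, rng=None) -> dict:
    """Build the stored record.  Nothing in it can be decrypted back to the password."""
    rng = rng or secrets.SystemRandom()
    if len(password) <= chars_per_subset:
        raise ValueError("password too short for partial challenges")
    full_salt = os.urandom(SALT_LEN)
    record = {"full_salt": full_salt, "full_hash": _kdf(password, full_salt), "partials": []}
    # Choose a few position sets up front; each gets its own salt and hash.
    all_subsets = list(combinations(range(len(password)), chars_per_subset))
    for positions in rng.sample(all_subsets, min(num_subsets, len(all_subsets))):
        salt = os.urandom(SALT_LEN)
        partial = "".join(password[i] for i in positions)
        record["partials"].append({"positions": positions, "salt": salt, "hash": _kdf(partial, salt)})
    return record


def verify_full(record: dict, password: str) -> bool:
    """Normal login check: constant-time compare of the full-password hash."""
    return hmac.compare_digest(_kdf(password, record["full_salt"]), record["full_hash"])


def support_challenge(record: dict, rng=None) -> tuple:
    """Pick one stored position set and return it 1-based for the agent's script."""
    rng = rng or secrets.SystemRandom()
    entry = rng.choice(record["partials"])
    return tuple(p + 1 for p in entry["positions"])


def verify_partial(record: dict, positions_1based: tuple, answer: str) -> bool:
    """Check the caller's characters for one challenge; the full password is never needed."""
    positions = tuple(p - 1 for p in positions_1based)
    for entry in record["partials"]:
        if entry["positions"] == positions:
            return hmac.compare_digest(_kdf(answer, entry["salt"]), entry["hash"])
    return False  # challenge we never issued: reject rather than guess


if __name__ == "__main__":
    rec = enroll("correct horse battery")
    pos = support_challenge(rec)
    print("ask caller for characters", pos)
    print("verified:", verify_partial(rec, pos, "".join("correct horse battery"[p - 1] for p in pos)))
```

The trade-off a practitioner should weigh: a three-character partial hash has a tiny keyspace (a few hundred thousand printable combinations), so the partial hashes must be treated as weaker than the full hash, kept to a handful of fixed position sets, and protected by strict rate limiting and lockout on the support path. That is still a better position than a key sitting next to reversibly encrypted passwords, which fall all at once if the key leaks.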