There is an internet banking website that I use a lot, and its way of authenticating users is to ask about their security question and to have them enter only 3 random characters of their password.
I have always wondered how they store users' passwords on their system; surely it is not plain text? Or is it? Also, it cannot be hashed, because the characters that are required for logging in change each time. What is the idea behind it?
CodePudding user response:
These kinds of authentication systems are intended to provide protection against keyloggers/traffic interception, on the basis that if the login details are intercepted, the attacker only gets a few characters of the password rather than the whole thing. Sadly, large parts of the banking industry still use them rather than just implementing actual MFA (although that seems to be slowly improving).
You're correct that it's not possible to use this kind of authentication if the password is hashed; however, that doesn't necessarily mean that it has to be stored in plain text.
Assuming that they've implemented it well, the password should be stored encrypted, rather than in plain text. There might also be an element of separation, so that the system storing the passwords is separate from the frontend that the user is interacting with, so you could have an authentication flow like this:
- The frontend makes a query to the authentication microservice with the username/ID.
- The microservice responds with which three characters it wants.
- The user is asked to input the characters.
- The frontend sends these three characters to the microservice.
- The microservice responds with a success or failure.
This way, a compromise of the frontend doesn't directly expose the users' password, and you can implement controls (such as logging and rate limiting) on the authentication microservice to help identify and protect from a compromised frontend.
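The flow described in the answer above, written out as an added example (this is not code from the original post or from any bank): a small Python authentication microservice that keeps the passwords encrypted, hands the frontend only the character positions it wants, and verifies the three characters the frontend sends back, with rate limiting and logging on the service side. The HMAC-SHA256 counter-mode keystream is a stand-in for a proper AEAD such as AES-GCM so that the block runs on the standard library alone; the five-failure lockout, the remark about a KMS/HSM and all names are assumptions made for the example.

```python
"""Toy 'partial password' authentication microservice (added example, not from the original post)."""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("authsvc")

MAX_FAILURES = 5          # assumption: lock the account after this many wrong answers
CHARS_PER_CHALLENGE = 3   # the answer's "three characters"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. A stand-in for a real AEAD (e.g. AES-GCM from the
    `cryptography` package) so the example needs only the standard library; not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Return (nonce, ciphertext); a fresh nonce per record keeps keystreams distinct."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


@dataclass
class _Account:
    nonce: bytes
    ciphertext: bytes
    nchars: int                       # password length in characters (ciphertext leaks this anyway)
    failures: int = 0
    locked: bool = False
    pending: Optional[dict] = None    # {"challenge_id": str, "positions": [int, ...]} (1-indexed)


class AuthService:
    """The answer's 'authentication microservice': the only component that holds the key and the
    encrypted passwords. The frontend only ever relays a username and three characters."""

    def __init__(self, master_key: bytes):
        self._key = master_key        # assumption: in a real deployment this comes from a KMS/HSM
        self._accounts: Dict[str, _Account] = {}

    def register(self, username: str, password: str) -> None:
        if len(password) < CHARS_PER_CHALLENGE:
            raise ValueError("password too short for a partial-password challenge")
        nonce, ct = encrypt(self._key, password.encode())
        self._accounts[username] = _Account(nonce, ct, len(password))

    def start_challenge(self, username: str) -> dict:
        """Step 1/2 of the flow: frontend sends the username, service replies with positions."""
        rng = secrets.SystemRandom()
        acct = self._accounts.get(username)
        if acct is None:
            # Unknown user: still hand out positions so the reply does not enumerate accounts.
            return {"challenge_id": secrets.token_hex(8),
                    "positions": sorted(rng.sample(range(1, 9), CHARS_PER_CHALLENGE))}
        if acct.pending is None:
            # Choose the positions once and keep them until answered correctly. Re-rolling on every
            # page load would let an attacker reload until the asked positions match the few
            # characters they have already captured.
            positions = sorted(rng.sample(range(1, acct.nchars + 1), CHARS_PER_CHALLENGE))
            acct.pending = {"challenge_id": secrets.token_hex(8), "positions": positions}
        return dict(acct.pending)

    def verify(self, username: str, challenge_id: str, chars: str) -> bool:
        """Steps 4/5 of the flow: frontend relays the three characters, service answers yes/no."""
        acct = self._accounts.get(username)
        if acct is None or acct.pending is None or acct.pending["challenge_id"] != challenge_id:
            log.warning("auth failure user=%s reason=no-such-challenge", username)
            return False
        if acct.locked:
            log.warning("auth failure user=%s reason=locked", username)
            return False
        password = decrypt(self._key, acct.nonce, acct.ciphertext).decode()
        expected = "".join(password[p - 1] for p in acct.pending["positions"])
        if hmac.compare_digest(expected.encode(), chars.encode()):   # constant-time compare
            acct.failures = 0
            acct.pending = None          # a challenge is answered at most once
            log.info("auth success user=%s", username)
            return True
        acct.failures += 1               # rate limiting lives here, not in the frontend
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        log.warning("auth failure user=%s failures=%d locked=%s", username, acct.failures, acct.locked)
        return False
```

Two design points worth noting: the decrypted password never leaves `verify`, so a compromised frontend sees at most the three characters a user typed into it; and the service keeps the same positions until the challenge is answered correctly, since re-randomising on each request would hand an attacker who holds a few captured characters a free retry until the positions line up.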