Encrypting individual characters from a password

Hi

I am looking to implement a login form where the user is requested to
enter specific characters from their password rather than the full
password (ie like most online banks implement login forms).

The reason for this is to avoid a keylogger running on the client pc
from getting hold of the users password.

In order to check individual characters of a password i would need to
store each character separately in the DB.

This presents a security problem if the DB is accessed by a hacker as
even if the characters were hashed with a salt using MD5 or whatever,
it would be very easy to identify them, as there are only a small
range of possibilities [a-zA-Z0-9]

Assuming the hacker knew the salt and hashing method, they could
easily crack the password.

So my question is, has anyone thought of a good way to store
individual characters from a password in the DB.

thanks
Chris

Re: Encrypting individual characters from a password

On Sun, 14 Oct 2007 16:40:41 +0200, wrote:
> I am looking to implement a login form where the user is requested to
> enter specific characters from their password rather than the full
> password (ie like most online banks implement login forms).

Hmmm, never ever saw that with dutch banks. Then again, with most dutch
banks being logged in doesn't mean squat except you can see your history.
For any transaction (or bulk of transactions) a non-reusable code must be
given. These codes are usually given either on harcopy earlier, send as a
text message to a phone, or created by some little gadget reading out the
bankcard (I highly doubt the real security of the latter...).

> The reason for this is to avoid a keylogger running on the client pc
> from getting hold of the users password.
>
> In order to check individual characters of a password i would need to
> store each character separately in the DB.

Nope. Why would that be needed?

> This presents a security problem if the DB is accessed by a hacker as
> even if the characters were hashed with a salt using MD5 or whatever,
> it would be very easy to identify them, as there are only a small
> range of possibilities [a-zA-Z0-9]
>
> Assuming the hacker knew the salt and hashing method, they could
> easily crack the password.

Store encrypted password (possibly with password length), on login
attempt, decrypt password, split into characters, check characters.

Before you go overboard with security: what is it exactly users can do,
that a hacker with access to the database can't do there?
--
Rik Wasmus

Re: Encrypting individual characters from a password

ChrisMHodgson@gmail.com wrote:
> Hi
>
> I am looking to implement a login form where the user is requested to
> enter specific characters from their password rather than the full
> password (ie like most online banks implement login forms).
>
> The reason for this is to avoid a keylogger running on the client pc
> from getting hold of the users password.
>
> In order to check individual characters of a password i would need to
> store each character separately in the DB.
>
> This presents a security problem if the DB is accessed by a hacker as
> even if the characters were hashed with a salt using MD5 or whatever,
> it would be very easy to identify them, as there are only a small
> range of possibilities [a-zA-Z0-9]
>
> Assuming the hacker knew the salt and hashing method, they could
> easily crack the password.
>
> So my question is, has anyone thought of a good way to store
> individual characters from a password in the DB.
>
> thanks
> Chris
>
>

Nope,

If your server is hacked, they will have access to the database and the
code you use to encrypt/decrypt passwords. And there's nothing you can
do about it except keep your system from being hacked.

That's why one-way hashes are so popular - even if your system does get
hacked, they can't decrypt the passwords. However, in a case such as
yours, it won't work well, as you noted.

Another consideration is will people actually count out their password
to get the right character? I suspect most people won't bother.

You seem to be wanting perfect security. There is no such thing. SSL
works well for communications, but if the server or client is hacked,
there's not a lot you can do.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================