
There is a South African bank (absa.co.za) that not only uses the online keyboard thing, but requires you to type in a randomized subset of your password. For example, if your password is "Password" it would display something like 257 and you need to type "awr" (the 2nd, 5th and 7th letters of the password) to log in.


Unless they're storing hashes of every combination of characters in your password... seems pretty indicative of them storing the password in plain text.


Which is not that big a deal if you have a password manager with unique, randomly generated passwords. Exactly the scenario they're preventing...

And just in case it's not a joke, storing hashes of every subset is laughably easy to crack so that's plaintext-equivalent.
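An added illustration of the point in the comment above (not part of the original thread): if a server stored one hash per 3-character subset, each hash hides only three characters and the whole password falls out of the table. The letters-only alphabet, the salted SHA-256 construction and all function names are assumptions made for this sketch; the password is the thread's own example.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_letters  # assumption: letters-only passwords
K = 3  # characters requested per login, as in the thread's example

def subset_hash(salt, positions, chars):
    """Salted hash of one challenge answer (SHA-256 is an assumption)."""
    return hashlib.sha256(salt + repr(positions).encode() + chars.encode()).hexdigest()

def build_table(password, salt):
    """What a server would store: one hash per K-position subset."""
    return {
        pos: subset_hash(salt, pos, "".join(password[i] for i in pos))
        for pos in itertools.combinations(range(len(password)), K)
    }

def recover_from_table(table, salt, length):
    """Rebuild the password from the stored hashes alone.

    Each entry hides only K characters, so it costs at most len(ALPHABET)**K
    guesses; positions already learned shrink later searches even further.
    """
    recovered = [None] * length
    guesses = 0
    for pos, digest in table.items():
        if all(recovered[i] is not None for i in pos):
            continue  # nothing new to learn from this entry
        choices = [recovered[i] or ALPHABET for i in pos]
        for cand in itertools.product(*choices):
            guesses += 1
            if subset_hash(salt, pos, "".join(cand)) == digest:
                for i, ch in zip(pos, cand):
                    recovered[i] = ch
                break
    return "".join(recovered), guesses

if __name__ == "__main__":
    salt = b"constructed-salt"                # constructed sample value
    table = build_table("Password", salt)     # the thread's example password
    password, guesses = recover_from_table(table, salt, 8)
    print(f"{len(table)} stored hashes, recovered {password!r} in {guesses} guesses")
    print(f"guessing all 8 characters at once: up to {len(ALPHABET) ** 8} guesses")
```

A deliberately slow hash multiplies the cost of each guess by a constant but leaves the number of guesses at roughly 52^3 per entry, which is why the comment treats the scheme as plaintext-equivalent.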


If hackers have access to the database of the bank then there are more serious issues than your password.



