How do websites which ask for the X, Y and Zth letter of my password avoid storing it in plain text?


This is better than I expected! I’ve learned things, such as that the actual secure part of the process is the ‘Memorable Word’ that you also have to type in with the 1st, 3rd and 9th letter of your ‘password’. Use anything you can remember for the password, as it will likely be stored in plain text – use a password for the memorable word, as that’s actually encrypted.

Also – the internet is a terrible place for poor passwords.


There’s no guarantee that they aren’t. They very well might be. It only takes one lazy programmer, or someone on an “off” day, to set it to store in plain text.

Remember the site that told you whose password you had typed when you tried to create one that was already in use?

Security standards of websites differ greatly. That’s why you should use different passwords everywhere: some might store it openly in plain text, some might be even more lax about your security.

The whole point of encrypting passwords *(that is, seeding and hashing them, and the like)* is that the value then produced cannot be converted back to the password. Okay, theoretically it’s possible, but it’d take centuries or millennia to do that.

So yeah, if they ask you for the 7th letter of your password, they have the 7th letter saved in their databases.

As far as I know there isn’t really a way for them not to store the password as either plain text or some sort of reversible encryption, which is not any better.

The normal method of just storing a hash of a password does not really work with this idea.

I think any website that does this is already deeply flawed. Some websites might try to use such a system to prevent key-loggers from picking up the user’s password, but it is still horribly insecure and basically tries to break a simple short password into a makeshift TAN list, where each transaction is protected by a different “password”.

It is all very stupid and insecure and I would stay far away from any site that tries to secure itself this way especially if the thing being secured equates to real money in some way.
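To make the “makeshift TAN list” objection concrete, here is an added simulation (not code from anyone in the thread) of what a keylogger or phishing page learns from partial-password challenges: per login it sees which positions were asked and what was typed, and every observed challenge shrinks the space an attacker must still brute-force. The function names, the 62-symbol alphabet and the sample password are assumptions constructed for the demo.

```python
import random
import string

# Added illustration, not code from the thread. Every name and the sample
# password below are constructed for the demo.


def observe_challenges(password: str, per_challenge: int, logins: int, seed: int) -> dict:
    """Simulate `logins` challenges, each asking for `per_challenge` distinct
    random positions, and record what an observer learns.

    Returns the positions learned (0-based index -> character) and the login
    number at which the whole password first became known (None if never).
    """
    if per_challenge > len(password):
        raise ValueError("cannot ask for more positions than the password has")
    rng = random.Random(seed)  # seeded so runs are reproducible
    learned = {}
    full_at = None
    for n in range(1, logins + 1):
        asked = rng.sample(range(len(password)), per_challenge)
        for pos in asked:
            learned[pos] = password[pos]  # the typed character reveals it
        if full_at is None and len(learned) == len(password):
            full_at = n
    return {"learned": learned, "full_at": full_at}


def remaining_keyspace(password_len: int, known_positions: int, alphabet_size: int) -> int:
    """Candidates left for an attacker who already knows `known_positions`
    characters and must guess the rest over an alphabet of `alphabet_size`."""
    return alphabet_size ** (password_len - known_positions)


def average_logins_to_full(password_len: int, per_challenge: int, trials: int, seed: int) -> float:
    """Mean number of observed logins until a random password is fully exposed."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        pw = "".join(rng.choice(string.ascii_lowercase) for _ in range(password_len))
        result = observe_challenges(pw, per_challenge, logins=10_000, seed=rng.randrange(2**32))
        total += result["full_at"]
    return total / trials


if __name__ == "__main__":
    pw = "Tr0ub4dor"  # constructed 9-character sample password
    for seen in (1, 2, 3):
        r = observe_challenges(pw, per_challenge=3, logins=seen, seed=7)
        left = remaining_keyspace(len(pw), len(r["learned"]), alphabet_size=62)
        print(f"after {seen} observed login(s): {len(r['learned'])} chars known, "
              f"{left} candidates left to brute-force")
    print("average logins until fully exposed:",
          average_logins_to_full(9, 3, trials=2000, seed=1))
```

The point the numbers make: a single observed login on a 9-character mixed-case alphanumeric password already cuts the attacker’s search from 62^9 to 62^6, and a handful of logins typically exposes the whole thing, which is exactly why this scheme buys only brief protection against a keylogger.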

Hi, programmer who recently implemented this here.
If they ask you for characters from your password, they are storing the password insecurely. The current standard for password storage is hashed with a 64+ character randomly generated string; this makes it so that there is no way to get back to the original password. (There is, however; it takes current technology many years and will have false positives.)
What should happen is they will also store, alongside the password, a security word. This should be strongly encrypted (not hashed). Because it is encrypted, the original value can be compared against. It is this that should be used for character checks. (If possible, only decrypting the characters that are wanted.)
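The split described in this answer, as an added example that is not the poster’s code: the login password is kept only as a salted scrypt hash and can only be checked whole, while the memorable word is stored under authenticated encryption with a key that lives outside the database, so the server can decrypt just the requested positions. All function names are assumptions; the HMAC-SHA256 counter-mode keystream is a stand-in for AES-GCM or ChaCha20-Poly1305 chosen only because it needs no third-party package, and the memorable word is assumed to be ASCII so that one byte is one character.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the poster's code. Assumed: a server-side key kept
# out of the database (a KMS or HSM in practice), so a dumped table alone does
# not reveal memorable words. Constructed fresh for the demo.
SERVER_KEY = secrets.token_bytes(32)

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> dict:
    """Store a random salt and the scrypt hash; the password itself is not kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Whole-password check only: a hash cannot answer 'what is the 7th letter?'."""
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, record["hash"])


def _subkeys(master: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the server key."""
    enc = hmac.new(master, b"memorable-word/enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"memorable-word/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher).
    Byte i depends only on i, so single positions can be decrypted without
    touching the rest of the word."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_word(word: str) -> dict:
    """Encrypt-then-MAC: the stored row is (nonce, ciphertext, tag)."""
    if not word.isascii():
        raise ValueError("demo assumes an ASCII memorable word (one byte per character)")
    enc_key, mac_key = _subkeys(SERVER_KEY)
    nonce = secrets.token_bytes(16)
    plaintext = word.encode("ascii")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ciphertext, "tag": tag}


def check_characters(record: dict, positions: list, answers: list) -> bool:
    """Verify the user's answers for 1-based positions, decrypting only those bytes.

    The whole row is authenticated first so a tampered ciphertext is rejected
    before any plaintext is derived from it; the comparison is constant-time."""
    enc_key, mac_key = _subkeys(SERVER_KEY)
    expected_tag = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, record["tag"]):
        return False
    if not positions or len(positions) != len(answers):
        return False
    if any(p < 1 or p > len(record["ct"]) for p in positions):
        return False
    stream = _keystream(enc_key, record["nonce"], max(positions))
    wanted = bytes(record["ct"][p - 1] ^ stream[p - 1] for p in positions)
    given = "".join(answers).encode("utf-8")
    return hmac.compare_digest(wanted, given)


if __name__ == "__main__":
    login = hash_password("correct horse battery staple")
    word_row = encrypt_word("tangerine")
    print("login ok:", verify_password(login, "correct horse battery staple"))
    print("1st/3rd/9th ok:", check_characters(word_row, [1, 3, 9], ["t", "n", "e"]))
```

Two things to notice in the design: nothing in the stored password row can answer a per-character question, which is the whole reason the memorable word is a separate secret, and the memorable word’s security is only as good as the separation between the database and SERVER_KEY, since anyone holding both can read every word in full.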