Possibly, or they could store N salted hashes, one for each of the N permutations of a mask over the password character positions. This basically splits the end user password into N passwords with smaller entropy, but this can be mitigated by requiring high entropy for the original password.


Making it insanely easy to brute force if you have access to the hashes

(if they ask for 2 characters, assuming a-zA-Z0-9 you're talking maybe 4k permutations, and then you know 2 characters)

A 10 character 64 symbol phrase would take 64^10, or 1e18 guesses

5 lots of 2 characters, 64 symbols, would take 5*64^2, or 20k guesses


If the "sub" passwords are 2 chars long then they have way too little entropy. For this to make any sense it must use a sizable subset of the full password (which must be longer than usual to accommodate that).

And all this to protect against keyloggers. Probably a hardware token second factor is more effective.
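The partial-password scheme proposed in the first comment and the guess-count comparison from the second one, modelled as an added example (this is not code from any poster on the thread). It stores one salted PBKDF2 hash per position mask, verifies a challenge answer against one of them, and computes the worst-case guess counts for the full password versus the N partial hashes, which is the 64^10 vs 5*64^2 comparison above. The sliding-window mask layout, the 10-character sample password and the iteration count are constructed assumptions; a real deployment would pick its own masks and a slower KDF setting.

```python
import hashlib
import math
import secrets
import string

# Constructed alphabet: a-zA-Z0-9 is 62 symbols; the thread rounds this to 64.
ALPHABET = string.ascii_letters + string.digits


def sliding_masks(password_length, subset_size, count):
    """Hypothetical mask layout: `count` windows of `subset_size` consecutive
    positions spread evenly over the password. Any fixed set of position
    tuples would do; this one is just easy to reason about."""
    if subset_size > password_length:
        raise ValueError("subset longer than password")
    step = max(1, (password_length - subset_size) // max(1, count - 1))
    return [tuple(range(i * step, i * step + subset_size)) for i in range(count)]


def store_partial(password, masks, iterations=50_000):
    """Store one salted hash per mask, computed over the masked characters only.
    This is the 'N salted hashes' idea from the thread; each record is
    independently brute-forceable over alphabet^subset_size if it leaks."""
    records = []
    for mask in masks:
        if max(mask) >= len(password):
            raise ValueError("mask refers to a position outside the password")
        salt = secrets.token_bytes(16)
        subset = "".join(password[i] for i in mask).encode()
        digest = hashlib.pbkdf2_hmac("sha256", subset, salt, iterations)
        records.append({"mask": mask, "salt": salt, "hash": digest,
                        "iterations": iterations})
    return records


def verify_partial(record, answer):
    """Check a challenge answer: the characters at record['mask'], in mask order."""
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode(),
                                 record["salt"], record["iterations"])
    return secrets.compare_digest(digest, record["hash"])


def search_space(alphabet_size, password_length, subset_size, n_masks):
    """Worst-case guesses against one full-password hash versus against all
    n_masks partial hashes (each cracked separately, then combined)."""
    full = alphabet_size ** password_length
    partial = n_masks * alphabet_size ** subset_size
    return full, partial


def bits(guesses):
    """Guess count expressed as bits of work, for comparing the two schemes."""
    return math.log2(guesses)


def demo():
    password = "Tr0ub4dorX"          # constructed 10-character sample
    masks = sliding_masks(len(password), 2, 5)
    records = store_partial(password, masks)
    full, partial = search_space(64, len(password), 2, 5)
    return {
        "masks": masks,
        "challenge_ok": verify_partial(records[0], password[0:2]),
        "challenge_bad": verify_partial(records[0], "zz"),
        "full_guesses": full,            # 64**10, about 1e18
        "partial_guesses": partial,      # 5 * 64**2 = 20480
        "full_bits": round(bits(full), 1),
        "partial_bits": round(bits(partial), 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the gap the thread is pointing at: the full hash costs about 60 bits of work, the five partial hashes together about 14.3 bits, and every partial hash an attacker cracks hands back its two plaintext positions.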
