Illuminati-R-Us

[Enzo]

I know better than to ASK my bank...

Just wondering, when I try to log onto my bank or a credit card site or something, and it asks for a password, do the routines react different if there is a minor error or typo as opposed to missing it completely?

I mean if I forget to capitalize my password or it is off one digit, do they typically spit me into some special routine to check? Or is it simple pass/fail. Not expecting to be allowed in "anyway." But maybe it pops up some reminder to enter carefully or some other subtle nudge to pay closer attention.

If I enter the wrong password, I do expect "unrecognized password" messages.

[Lance]

Yeah, it's simple pass/fail. If they gave you hints they could be helping hackers trying to steal your millions.

[wring]

But, if I miss it slightly, like having the all caps button on, for example, that's suggestive that it's really me, especially if it's logged in exactly correctly w/in seconds, whereas if it's a big fail, and another big fail, that should suggest a hacker. One would think that would be an important distinction.

[Мастер]

But, if I miss it slightly, like having the all caps button on, for example, that's suggestive that it's really me, especially if it's logged in exactly correctly w/in seconds, whereas if it's a big fail, and another big fail, that should suggest a hacker. One would think that would be an important distinction.

Some systems give an "all caps" warning when the caps-lock key is pressed, regardless of your actual password. (Maybe it is all caps.)

When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.

[Halcyon Dayz, FCD]

When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.

Was that intentional? :P

To log in with my bank I need to enter the 9 (or 10) digit account number, the 4 digit pass number, and an 8 digit login-code generated by a little device, which is different every time, when I slide my card into it and enter the PIN.
When I want to make a transfer, a control number is given which I enter into the device to produce a signature code.
So the PIN is never transmitted.

[pmcolt]

Most systems* will not store your actual password. They will store only a mathematical hash of your password. To verify the password that you typed, they will hash your input using the same hash function, and compare it to the hash in their database.

The hash functions return dramatically different values even for single-character changes, so there would be no way for them to tell that the password you typed was 'almost' correct.

(This is meant to prevent anyone from stealing your password. If someone manages to get a dump of their user information table, all they have is a nearly-useless hash instead of a clear password.)



* This may be wishful thinking. I've worked with systems that do things this way, and I hope that whoever built my bank's authentication system was at least as smart as the open-source developers who provided much of the free software we use at work.

I've also worked with systems where passwords were stored in the clear. My favorite encounter was a system that stored passwords in a file called "passwords.txt", but concealed them using ROT-13. My manager asked me to investigate how the machine operators kept figuring out the administrative passwords.

[Enzo]

I think MActep hit it with his ALL CAPS detector. It noted that condition and suspected it was not intended and gives a heads up, without actually considering the password involved. That would be sufficient to create the sense of a different response that I feel without the very unlikely "hint" action.

[Lance]

but concealed them using ROT-13

They should have used the doublely secure ROT-26.

[Мастер]

Welcome back, pmcolt!

My favorite encounter was a system that stored passwords in a file called "passwords.txt", but concealed them using ROT-13. My manager asked me to investigate how the machine operators kept figuring out the administrative passwords.

So of course you said you would need six months and a substantial budget to investigate :)

[Мастер]

When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.

Was that intentional? :P

[Pee-wee Herman voice]I meant to do that![/Pee-wee Herman voice]

To log in with my bank I need to enter the 9 (or 10) digit account number, the 4 digit pass number, and an 8 digit login-code generated by a little device, which is different every time, when I slide my card into it and enter the PIN.
When I want to make a transfer, a control number is given which I enter into the device to produce a signature code.
So the PIN is never transmitted.

My system is, I enter the sixteen digit number of my ATM card (there may be more than one option here). Then, on the randomised keypad, I put in the six-digit PIN. That gets me to where I can see account balances. If I want to do anything, then I will be sent (via my mobile) a six-digit code, which must be entered at the website, and is valid for two minutes.

I am finding this system to be somewhat limiting at the moment, because my mobile phone does not seem to be set up to work outside the country (need to look into this). And I live in a small country. Even smaller than yours.