Passwords

Postby Enzo » Thu Apr 05, 2012 9:53 am

I know better than to ASK my bank...

Just wondering, when I try to log onto my bank or a credit card site or something, and it asks for a password, do the routines react differently if there is a minor error or typo as opposed to missing it completely?

I mean if I forget to capitalize my password or it is off one digit, do they typically spit me into some special routine to check? Or is it simple pass/fail? Not expecting to be allowed in "anyway." But maybe it pops up some reminder to enter carefully or some other subtle nudge to pay closer attention.

If I enter the wrong password, I do expect "unrecognized password" messages.

Postby Lance » Thu Apr 05, 2012 11:21 am

Yeah, it's simple pass/fail. If they gave you hints they could be helping hackers trying to steal your millions.
No trees were killed in the posting of this message.
However, a large number of electrons were terribly inconvenienced.

==========================================

Build a man a fire and he will be warm for a few hours.
Set a man on fire and he will be warm for the rest of his life.

Postby wring » Thu Apr 05, 2012 5:28 pm

But, if I miss it slightly, like having the all caps button on, for example, that's suggestive that it's really me, especially if it's logged in exactly correctly w/in seconds, whereas if it's a big fail, and another big fail, that should suggest a hacker. One would think that would be an important distinction.

Postby Мастер » Thu Apr 05, 2012 6:49 pm

wring wrote:But, if I miss it slightly, like having the all caps button on, for example, that's suggestive that it's really me, especially if it's logged in exactly correctly w/in seconds, whereas if it's a big fail, and another big fail, that should suggest a hacker. One would think that would be an important distinction.

Some systems give an "all caps" warning when the caps-lock key is pressed, regardless of your actual password. (Maybe it is all caps.)

When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.
They call me Mr Celsius!

Postby Halcyon Dayz, FCD » Thu Apr 05, 2012 11:39 pm

Mactep wrote:When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.

Was that intentional? :P

To log in with my bank I need to enter the 9 (or 10) digit account number, the 4 digit pass number, and an 8 digit login-code generated by a little device, which is different every time, when I slide my card into it and enter the PIN.
When I want to make a transfer, a control number is given which I enter into the device to produce a signature code.
So the PIN is never transmitted.
Hatred is a cancer upon the world.
It rots the mind and blackens the heart.
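An added illustrative model, in Python, of the card-reader flow Halcyon Dayz describes (this is not the bank's actual scheme and not code from the thread): the offline device checks the PIN against a check value held on the card, then answers the bank's control number with an HMAC-derived 8-digit signature code, so the PIN itself is never transmitted. The card key, the PIN-check construction, the truncation method and the one-time-use bookkeeping are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for this example: a real card carries its own key.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def pin_check_value(pin: str) -> bytes:
    """What the card stores instead of the PIN itself (assumed scheme: a domain-separated hash)."""
    return hashlib.sha256(b"card-pin-check:" + pin.encode()).digest()

def truncate_digits(mac: bytes, digits: int) -> str:
    """Dynamic truncation in the style of RFC 4226: 31 bits of the MAC reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class CardReader:
    """Offline device: verifies the PIN locally, then signs the challenge with the card key."""
    def __init__(self, card_key: bytes, pin_check: bytes):
        self._key, self._pin_check = card_key, pin_check

    def respond(self, pin: str, challenge: str, digits: int = 8) -> str:
        # The PIN only unlocks the card; it never appears in the response.
        if not hmac.compare_digest(pin_check_value(pin), self._pin_check):
            raise PermissionError("wrong PIN")
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        return truncate_digits(mac, digits)

class Bank:
    """Server side: issues a fresh control number per transfer and checks the signature code."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._pending = {}  # control number -> transfer it authorises

    def issue_control_number(self, transfer: str) -> str:
        ctrl = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._pending[ctrl] = transfer
        return ctrl

    def verify_signature(self, ctrl: str, code: str) -> bool:
        if ctrl not in self._pending:
            return False  # unknown or already-used control number
        mac = hmac.new(self._key, ctrl.encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(truncate_digits(mac, len(code)), code)
        if ok:
            del self._pending[ctrl]  # each control number signs exactly one transfer
        return ok
```

Bank.issue_control_number yields the number the user types into the reader; the value CardReader.respond returns is what the user types back into the website, and the bank accepts each control number once.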

Postby pmcolt » Wed Apr 11, 2012 2:31 am

Most systems* will not store your actual password. They will store only a mathematical hash of your password. To verify the password that you typed, they will hash your input using the same hash function, and compare it to the hash in their database.

The hash functions return dramatically different values even for single-character changes, so there would be no way for them to tell that the password you typed was 'almost' correct.

(This is meant to prevent anyone from stealing your password. If someone manages to get a dump of their user information table, all they have is a nearly-useless hash instead of a clear password.)

* This may be wishful thinking. I've worked with systems that do things this way, and I hope that whoever built my bank's authentication system was at least as smart as the open-source developers who provided much of the free software we use at work.

I've also worked with systems where passwords were stored in the clear. My favorite encounter was a system that stored passwords in a file called "passwords.txt", but concealed them using ROT-13. My manager asked me to investigate how the machine operators kept figuring out the administrative passwords.
Best before June 2000
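Since pmcolt's post describes the hash-and-compare flow, here is an added example (not code from the thread) of that pattern in Python: PBKDF2-HMAC-SHA256 with a random salt, a constant-time comparison, and a bit count showing that a one-letter slip such as a stray capital produces a digest as far from the stored one as a completely wrong password does, so the verifier cannot tell "almost right" from "wrong". The parameters (100,000 iterations, 16-byte salt) are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Pass/fail only: recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    # The database row holds only (salt, digest); the password itself is never stored.
    salt, stored = hash_password("correct horse")
    print(verify_password("correct horse", salt, stored))  # True
    print(verify_password("Correct horse", salt, stored))  # False
    # A one-character near miss and a total miss are equally far from the stored digest:
    # roughly half of the 256 bits differ in both cases.
    _, near = hash_password("Correct horse", salt)
    _, far = hash_password("zzzzzzzzzzzzz", salt)
    print(differing_bits(stored, near), differing_bits(stored, far))
```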

Postby Enzo » Wed Apr 11, 2012 8:43 am

I think Mactep hit it with his ALL CAPS detector. It noted that condition and suspected it was not intended and gives a heads up, without actually considering the password involved. That would be sufficient to create the sense of a different response that I feel without the very unlikely "hint" action.

Postby Lance » Wed Apr 11, 2012 12:17 pm

pmcolt wrote:but concealed them using ROT-13

They should have used the doubly secure ROT-26.

Postby Мастер » Wed Apr 11, 2012 12:21 pm

Welcome back, pmcolt!

pmcolt wrote:My favorite encounter was a system that stored passwords in a file called "passwords.txt", but concealed them using ROT-13. My manager asked me to investigate how the machine operators kept figuring out the administrative passwords.

So of course you said you would need six months and a substantial budget to investigate :)

Postby Мастер » Sun Apr 22, 2012 9:43 pm

Halcyon Dayz, FCD wrote:
Mactep wrote:When I log into my bank's web site, there are two fields. One is for the number from my ATM card, and the other for the PIN. However, as soon as I click in the field for PIN, a keypad appears on the screen, with the digits in a radnom order.

Was that intentional? :P

[Pee-wee Herman voice]I meant to do that![/Pee-wee Herman voice]

Halcyon Dayz, FCD wrote:To log in with my bank I need to enter the 9 (or 10) digit account number, the 4 digit pass number, and an 8 digit login-code generated by a little device, which is different every time, when I slide my card into it and enter the PIN.
When I want to make a transfer, a control number is given which I enter into the device to produce a signature code.
So the PIN is never transmitted.

My system is, I enter the sixteen digit number of my ATM card (there may be more than one option here). Then, on the randomised keypad, I put in the six-digit PIN. That gets me to where I can see account balances. If I want to do anything, then I will be sent (via my mobile) a six-digit code, which must be entered at the website, and is valid for two minutes.

I am finding this system to be somewhat limiting at the moment, because my mobile phone does not seem to be set up to work outside the country (need to look into this). And I live in a small country. Even smaller than yours.