Solved

Storing users passwords

Posted on 2008-06-11
Last Modified: 2010-04-11
I am currently designing a system that involves customer logins.  One possible login step is entering 3 random chars from the password.

I know that, typically, passwords are stored as a hash.  However, it is impossible to use 3 random chars with this method.  Can anyone tell me how the passwords should be stored without storing them as plain text?
Question by:benmanning
Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 21763353
So you want "Two-Factor" authentication... there are a number of ways to do this. While it's a good second measure, with phishing and man-in-the-middle, it's not a guarantee, but I feel it adds to the security somewhat. I recommend reading: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
For your system to ask for 3 random characters from the user's password, it should, naturally, ask for those first, and the password second. You can store a password in a reversible encryption, and there are other novel methods people are trying for two-factor auth, similar to "captcha", those squiggly text boxes no human can read: http://www.popsci.com/files/imagecache/article_image_large/files/articles/google_captchas_485.jpg
Automated systems are better at solving those than we are, but they have more trouble with questions, like "what is two + 2?" or "this is a picture of an..." "owl". This was made more popular by "kittenauth", where you pick the pictures of kittens: http://www.mattwardman.com/blog/wp-content/uploads/20070614-kittenauth-screenshot-1.jpg
http://www.schneier.com/blog/archives/2006/04/kittenauth_1.html
-rich
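
The "reversible encryption" option mentioned in the answer above, sketched as an added example (not code from the original thread). It uses Node's built-in `crypto` module; the function names and the in-process `KEY` are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Assumption: a real deployment loads this key from a KMS/HSM, outside the
// database, because whoever holds it can decrypt every stored password.
const KEY = crypto.randomBytes(32);

// Encrypt with AES-256-GCM. The user id is bound as associated data, so a
// record copied onto another account fails authentication on decrypt.
function sealPassword(userId, password) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(password, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt a stored record; throws if the record or user id was tampered with.
function openPassword(userId, rec) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", KEY, rec.iv);
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(rec.tag);
  return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString("utf8");
}

// Choose `count` distinct 1-based character positions with the CSPRNG.
function pickPositions(length, count = 3) {
  if (length < count) throw new RangeError("password shorter than challenge");
  const picked = new Set();
  while (picked.size < count) picked.add(crypto.randomInt(1, length + 1));
  return [...picked].sort((a, b) => a - b);
}

// Check the user's answers for the challenged positions in constant time.
function checkChallenge(userId, rec, positions, answers) {
  if (answers.length !== positions.length) return false;
  const chars = Array.from(openPassword(userId, rec));
  const expected = Buffer.from(positions.map((p) => chars[p - 1]).join("\u0000"), "utf8");
  const given = Buffer.from(answers.join("\u0000"), "utf8");
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}
```

The positions issued for a login attempt should be kept server-side with that attempt, so the client cannot choose which characters it is asked for.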
Expert Comment

by:ahoffmann
ID: 21777432
> .. to use 3 random chars with this method.
no, except brute force