Solved

Storing users passwords

Posted on 2008-06-11
4
227 Views
Last Modified: 2010-04-11
I am currently designing a system that involves customer logins.  One possible login step is entering 3 random chars from the password.

I know typically. passwords are stored as a hash.  However, it is impossible to use 3 random chars with this method.  Can anyone tell me how the passwords should be stored without storing them as plain text?
0
Comment
Question by:benmanning
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 21763353
So you want "Two-Factor" authentication... there are a number of ways to do this. While it's a good second measure, with phishing and man-in-the middle, it's not a guarantee, but I feel it adds to the security somewhat. I recommend reading: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
For your system to ask for 3 random characters from the users password, it should, naturally ask for those first, and the password second. You can store a password in a reversible encryption, and there are other novel methods people are trying for two-factor auth, similar to "captcha" those squiggly text boxes no human can read: http://www.popsci.com/files/imagecache/article_image_large/files/articles/google_captchas_485.jpg
Automated systems are better at solving those than we are, but they have more trouble with questions, like
what is two + 2? or this is a picture of an... "owl" this was made more popular by "kittenauth" where you pick the pictures of kittens http://www.mattwardman.com/blog/wp-content/uploads/20070614-kittenauth-screenshot-1.jpg
http://www.schneier.com/blog/archives/2006/04/kittenauth_1.html
-rich
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 21777432
> .. to use 3 random chars with this method.
no, except brute force
0

Featured Post

Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now