Reply to post: Re: Dunce Cap tip

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Anonymous Coward

Re: Dunce Cap tip

Yes and no. It's security 101 to not store passwords in plain text on a server. Using salted hashes is just one technique to do so. You can be pretty confident they're not storing them in plain text. PCI DSS is clear (hah) on the issue: "Render all passwords unreadable during transmission and storage on all system components using strong cryptography".

However, you can also be pretty confident they're not hashing them - these systems are old and would have balked at the space constraints implied by hashing + salting all the partial password combinations. They could but probably don't use a secret sharing scheme to test if the subcomponents of the password provided match the password.

What they're probably doing is just encrypting the password. Which protects against most but not all of the same things as hashing. They're hopefully doing it in an HSM, which provides pretty robust physical protections against the password ever being retrieved.

So, you know, don't re-use your banking passwords.
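The "hash every partial password combination" approach mentioned in the comment above, sketched as an added example that is not part of the original comment or any bank's code. The function names, the 3-character challenge size, the PBKDF2 parameters and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from itertools import combinations
from math import comb

# Constructed parameters; the low iteration count only keeps the demo fast.
SALT_LEN, HASH_LEN, ITERATIONS = 16, 32, 1000

def _digest(salt, positions, chars):
    # Bind the hash to the positions challenged as well as the characters typed.
    msg = (",".join(map(str, positions)) + ":" + "".join(chars)).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS, dklen=HASH_LEN)

def enroll(password, k=3):
    """Store one salted hash for every k-position subset of the password."""
    record = {}
    for positions in combinations(range(len(password)), k):
        salt = os.urandom(SALT_LEN)
        chars = [password[i] for i in positions]
        record[positions] = (salt, _digest(salt, positions, chars))
    return record

def verify(record, positions, chars):
    """Check the characters typed for the (ascending) positions challenged."""
    entry = record.get(tuple(positions))
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, _digest(salt, positions, chars))

def storage_bytes(length, k=3):
    """Bytes per user for the subset scheme: one salt + hash per subset."""
    return comb(length, k) * (SALT_LEN + HASH_LEN)

if __name__ == "__main__":
    rec = enroll("correcthorse")  # constructed 12-character sample password
    print(len(rec), "records,", storage_bytes(12), "bytes per user")
    print("single salted hash:", SALT_LEN + HASH_LEN, "bytes")
    print(verify(rec, (1, 4, 8), "oeo"))  # characters at positions 1, 4, 8
```

With a 12-character password and 3-character challenges this stores 220 records, 10,560 bytes per user, against 48 bytes for a single salted hash of the whole password.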


Biting the hand that feeds IT © 1998–2019