Topic: strange password requirements

Eric H. Jung
« on: January 17, 2006, 01:13:16 AM »
Hi everyone,

I received an email from Dominic Martin asking this question:

Quote
Hi Eric,

How does PasswordMaker handle online bank logins that don't want the complete password, just a few characters from it? The characters requested change every time that you log in.

[...] my bank does this. http://www.firstdirect.co.uk. When you logon to their personal Internet banking, you're asked for two numbers supplied by the bank. They will then ask you for three characters (chosen randomly) out of your password.

It feels like I've come across others but I can't think of any more for the moment.

Regards,

Dominic

Can anyone think of how I might modify PasswordMaker so password auto-populate works with sites like these?

Thanks,
Eric
« Last Edit: January 17, 2006, 01:15:33 AM by Eric H. Jung »

Miquel 'Fire' Burns
« Reply #1 on: January 17, 2006, 03:01:47 AM »
I can't see a way to do so.
"I'm not drunk, just sleep deprived."

tanstaafl
« Reply #2 on: January 17, 2006, 01:28:36 PM »
Just so I understand this...

The bank doesn't care *which* three characters - in other words, they aren't asking you to match three characters against a 'picture' composite of the three characters they are asking for, or something like that? Just any three characters?

That's a new one on me...

They probably also don't allow non-alphanumeric characters in their passwords. Most of the online banks are a joke... they implement bizarre login processes like this, but don't allow you to use strong passwords.

Anyway, as to the question...

I think the simplest solution by far is to simply recommend to Dominic to just delete all but three characters after the password has been populated, then click 'Submit'. If the password check really doesn't care which characters, this should work fine - at least, it would be *much* easier than writing code to handle this, but, since you asked...

Sure, I can think of a way to do it, as I'm sure can you - just add an option 'Limit Length of INPUT Password to: ' next to the 'Password Length' field, with a sub-option 'Randomize' - but obviously it's not worth the effort, unless this becomes common practice.

Eric H. Jung
« Reply #3 on: January 17, 2006, 04:07:20 PM »
It's my understanding they ask for 3 very specific characters of the password, and each time it's different. Dominic wrote:

Quote
The characters requested change every time that you log in.

I think they must do something like this. Let's say your password is ILOVEPANCAKES. Each time you login, you probably are presented with something like:

Quote
Please fill in the missing characters of your password:
IL*VEP*ANC*AKES
I don't see how PasswordMaker can auto-populate something like this when the missing characters are randomly chosen each time :(

Quote
Most of the online banks are a joke.
FWIW, he's in England. Websites of banks in Europe generally have much stronger credential requirements than banks in the US. This has been well documented in trade magazines like InfoWorld et al. Many banks there use an OTP solution in combination with a user-selected pin/password. The OTP comes from scratch-off tickets (like those scratch-off lottery tickets) the bank mails you for free periodically. Those are cheaper than the RSA fobs which are popular in the US with corporate IT departments.

You can see Dominic's bank must do something like this. He wrote:

Quote
you're asked for two numbers supplied by the bank
« Last Edit: January 17, 2006, 04:08:48 PM by Eric H. Jung »
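
The fill-in step for the kind of challenge discussed in the post above, as an added example that is not part of the original thread or of PasswordMaker's code. The `*` mask layout, the function names and the sample mask are assumptions made for illustration.

```javascript
// Added example. Assumed challenge format: the password with '*' in place of
// each requested character, as guessed at in the post above.
const PLACEHOLDER = '*';

// Answer a mask-style challenge. Returns [{position, char}], positions 1-based.
function answerMaskChallenge(password, mask) {
  if (mask.length !== password.length) {
    throw new Error('mask length differs from password length');
  }
  const answers = [];
  for (let i = 0; i < mask.length; i++) {
    if (mask[i] === PLACEHOLDER) {
      answers.push({ position: i + 1, char: password[i] });
    } else if (mask[i] !== password[i]) {
      // A visible character that disagrees means the wrong account or the
      // wrong generated password: reveal nothing.
      throw new Error('visible character ' + (i + 1) + ' does not match');
    }
  }
  if (answers.length === 0) throw new Error('no characters requested');
  return answers;
}

// Answer a challenge that names positions instead ("characters 3, 7 and 10").
function answerPositionChallenge(password, positions) {
  return positions.map((p) => {
    if (!Number.isInteger(p) || p < 1 || p > password.length) {
      throw new RangeError('position ' + p + ' is outside the password');
    }
    return { position: p, char: password[p - 1] };
  });
}

// Constructed sample: the thread's ILOVEPANCAKES with three characters masked.
const sample = answerMaskChallenge('ILOVEPANCAKES', 'IL*VEP*NC*KES');
console.log(sample.map((a) => a.position + ':' + a.char).join(' ')); // 3:O 7:A 10:A
```
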

tanstaafl
« Reply #4 on: January 17, 2006, 04:26:56 PM »
Quote
I think they must do something like this. Let's say your password is ILOVEPANCAKES. Each time you login, you probably are presented with something like:

QUOTE
Please fill in the missing characters of your password:
IL*VEP*ANC*AKES

I don't see how PasswordMaker can auto-populate something like this when the missing characters are randomly chosen each time
Ahh, yeah - but you could at least add the option like I mentioned, so they can *see* their password, and be able to then fill in the missing characters. Definitely not ideal, but at least he'd be able to use it.

The main question is, how much trouble is it, and is it worth it.
« Last Edit: January 17, 2006, 04:28:31 PM by tanstaafl »

tanstaafl
« Reply #5 on: January 17, 2006, 04:34:03 PM »
Ooops... I forgot, I erased that part of the post... ;)

You could simply add a new Coolkey option, and secondary option next to the Auto-populate option, to 'Display Master Password', so, instead of trying to populate the PW, it simply displays it, so the user can then fill in the missing characters manually.

Best option I can think of...
