How secure is asking for specific characters of passwords instead of the entire thing?

This method of password entry is popular in bank sites in Poland. It's called masked passwords. It's meant to protect from keyloggers - and keyloggers only. The password transmission itself is protected from sniffing with SSL, so the reasoning is that if a keylogger is installed on the client's device, it will never get access to the full password.

However, this logic has a few flaws:

  1. The attacker needs to enter fewer characters (e.g. only 4 characters, often numbers only) for a single try. Therefore it's easier to brute force this authentication step. That is why masked passwords need to be paired with an account lockout policy.

  2. With just a few known characters at certain positions (e.g. gathered by a keylogger/screengrabber) the attacker can simply try logging in when the server chooses positions he knows and refresh when others are chosen. So often a masked password implementation stores the position choice for an account server-side for a certain amount of time (e.g. a day) until successful authentication.

  3. Getting to know the whole password only requires capturing a few successful authentications (e.g. when the password length is 12 and there are always 4 positions chosen, it usually takes 8 tries), so a keylogger/screengrabber will get it - it will just take a little bit longer.

  4. The biggest threat to Internet banking authentication is malware (man-in-the-browser attacks) like ZeUS or SpyEye, and this kind of software usually conducts social engineering attacks that totally overcome the masked password scheme. For example, this software can:

    • ask for a whole password
    • display a fake password change form after fake authentication
    • simulate password entry errors and redisplay the form with other positions to fill, to get the full password in 2-3 tries

Masked passwords are difficult for users to handle and tricky to implement correctly. At the very least developers need to add an account lockout policy, position choice storage and partial hashes.

Contrary to popular belief, masked passwords, especially on e-banking sites, though they offer protection from basic keylogging, completely fail against other, more prevalent threats like malware utilizing social engineering.
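As an added example (not code from any of the answers or from any bank's system), here is a minimal server-side store in Python that implements the three mitigations the answer above lists: one salted hash per possible choice of positions (partial hashes), a challenge that is kept until it is answered correctly, and an account lockout. Class and method names, the cost parameters and the sample password are assumptions made for the illustration; the expiry of a stored challenge (e.g. after a day) is left out.

```python
import hashlib
import hmac
import itertools
import os
import secrets

# Cost parameters kept small so the example runs quickly; a real deployment
# would use a far higher PBKDF2 iteration count (or Argon2) and a persistent store.
PBKDF2_ITERATIONS = 2_000
POSITIONS_PER_CHALLENGE = 4
MAX_FAILED_ATTEMPTS = 3


class PartialPasswordStore:
    """Hypothetical server side of a masked-password scheme."""

    def __init__(self):
        self.accounts = {}

    def _digest(self, salt, positions, chars):
        # Bind the answer to the positions it was asked for, so a captured
        # answer to one challenge does not verify against a different one.
        msg = ",".join(map(str, positions)).encode() + b":" + chars.encode()
        return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ITERATIONS)

    def enroll(self, account, password):
        # Store a salted hash for every combination of positions instead of the
        # password itself (e.g. C(12, 4) = 495 hashes for a 12-character password).
        salt = os.urandom(16)
        hashes = {}
        for positions in itertools.combinations(range(len(password)), POSITIONS_PER_CHALLENGE):
            chars = "".join(password[i] for i in positions)
            hashes[positions] = self._digest(salt, positions, chars)
        self.accounts[account] = {"salt": salt, "length": len(password),
                                  "hashes": hashes, "challenge": None, "failures": 0}

    def challenge(self, account):
        """Positions the user must type, 1-based for display; re-issued until answered."""
        acct = self.accounts[account]
        if acct["challenge"] is None:  # reloading the page must not yield new positions
            chosen = secrets.SystemRandom().sample(range(acct["length"]), POSITIONS_PER_CHALLENGE)
            acct["challenge"] = tuple(sorted(chosen))
        return tuple(p + 1 for p in acct["challenge"])

    def verify(self, account, chars):
        acct = self.accounts[account]
        positions = acct["challenge"]
        if positions is None or acct["failures"] >= MAX_FAILED_ATTEMPTS:
            return False  # no pending challenge, or locked out (short answers are cheap to guess)
        if hmac.compare_digest(acct["hashes"][positions], self._digest(acct["salt"], positions, chars)):
            acct["challenge"], acct["failures"] = None, 0  # only success clears the challenge
            return True
        acct["failures"] += 1
        return False
```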


I know one online banking website that asks first for a password (numbers and characters), and then you have to enter with your mouse two digits of a second 6-digit password (numbers only). You are presented with a numpad on the screen and click on the numbers.

The reasoning behind this is that it is (probably) harder for malware to track your mouse movement than it is to log your key presses.

In the above example it's obviously more secure than just a single password.

In the situation that you describe, where one has to enter only specific characters of a password by keyboard, the reasoning could be that if someone logs or phishes your input he still doesn't have your whole password.

I (can only) guess that the mechanism used to validate the input is secure; you can still use hashing if you store a hash of every possible input combination.

Here is a short Wikipedia article about partial passwords that mentions this.


A side note about asking for specific characters is that users might type the password on paper or worse - in Notepad - just to be sure that they enter the proper letters, as failing to do so will result in an account lock.

Example:

  1. Banks might warn users to use strong passwords
  2. The user creates a strong password, let's say CorrectHorseBatteryStaple
  3. Now the bank asks for letters #4, #10 and #16 of the password
  4. While it's easy on paper/in Notepad, it might be hard to count which letter is which in memory.

As a result, instead of remembering passwords, users store them on paper with numbered letters :) (or in a text file!)
