Asking for individual password letters, not the whole password: is this secure?

This is just really terrible. The only way this can work is if they encrypt your password instead of hashing it. Or even worse, just store it as plain text. I would never sign up for that service, ever. Update: As @lynks stated, the above is probably not true when using an HSM. However, if only a username is asked before this step, and the password is a fixed password of the user, the rest of my answer should still stand.

Also, the fact that you only have to guess 4 characters (instead of an entire password) is just stupid. Also, those blocks may indicate the length of the password, which is also really crap (if that indeed is the case).

Not only that, but they also show you in what place the characters should be added, which is even more stupid, because you can now make better guesses of the characters being used based on the distribution of characters in words / sentences.

All in all, what you have there is mega crap and should not be used... ever. I would go as far as saying that the person who thought this would be a good idea should stop doing stuff like this and start looking for another job.

In fact, it is so bad it wouldn't surprise me if the actual characters that are hidden by those blue blocks are just hidden and stored in the source of the page ;-)

As a side note, based on the last paragraph of your question:

"or do they have saved password in salted hash (MD5)?"

MD5 should never be used for hashing passwords. It is waaaaay too fast for that purpose.


As others have pointed out, making use of a "type character x and y from your password" mechanism requires that the passwords are stored on the server either in the clear or in a reversibly encrypted format (there is the other option of hashing every pair of characters, but that would be a daft idea).

Whether this mechanism improves or decreases the overall security of the solution depends on the prevalence and severity of the attacks that each approach works well against, and also on the security controls in place on the server-side storage of the passwords.

It's likely that there are more instances of keylogging software (this is very common in banking trojans, for example) than there are instances of password databases being hacked, but this leaves aside the concept of impact, where one password database breach is much more serious than an individual keylogging instance on a customer.

That leads on to controls. Several of the answers and their attendant comments have made the point about HSM. Where this kind of scenario is in use in a UK bank I'd think it extremely likely that an HSM is in use and, hopefully, well managed.

It's unfortunate that the truism of security "only store passwords in hashed formats, reversible encryption is bad" often misses the add-on "well you can store them in reversible format but key management is a bugger".

It is possible to do this securely, and indeed the ATM network in the UK used to use (and may still, I guess) symmetric encryption for all its data transfers, but the key management around this was extensive (at least in the cases I looked at) and involved things like dual control of keys.

So the answer to the question is, like a lot of things in security, that it depends. It may be secure, and indeed this approach is better in some scenarios than hashing and asking for the whole password, but it depends on a number of factors that can't be assessed without more information.
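The two answers above make the same structural point from different directions: a "give me characters 2, 5 and 9" check cannot be served from a whole-password hash, so the plaintext must exist somewhere on the server side, ideally behind an HSM-style boundary that answers yes/no and never hands the password out; and the "hash every subset of characters" alternative is daft because each digest covers only a handful of characters. The following toy model is an added illustration for this thread, not code from the answers or from any bank. The class names HashedStore and SealedStore, the function subset_hash_cost and the sample password are assumptions made here, and the sealed store does no real encryption; it is a plain object standing in for the boundary, so that the interesting part is which operations it exposes.

```python
"""Toy model of a "type characters 2, 5 and 9 of your password" check.

Added illustration only (not from the thread or any bank). The sealed store
is a Python object standing in for an HSM boundary; no real encryption is
performed and the names below are assumptions made for this example.
"""
import hashlib
import hmac
import math
import os
import secrets

CHALLENGE_LEN = 3          # how many positions one challenge asks for
KDF_ITERATIONS = 100_000   # slow KDF, as opposed to a bare MD5


class HashedStore:
    """Conventional store: only a salted, slow hash of the whole password
    survives enrolment, so the plaintext is gone after enrol()."""

    def __init__(self):
        self._records = {}

    def enrol(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
        self._records[user] = (salt, digest)

    def verify_full(self, user, password):
        salt, digest = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def verify_partial(self, user, positions, chars):
        # A digest over the whole password cannot be evaluated on a subset
        # of its characters, so the partial question cannot be answered.
        raise NotImplementedError("a whole-password hash cannot check part of it")


class SealedStore:
    """Stand-in for an HSM-backed reversible store. The password is kept
    inside the object and never returned; callers only get a yes/no answer
    to a single-use challenge that the store itself generated."""

    def __init__(self):
        self._secrets = {}
        self._challenges = {}

    def enrol(self, user, password):
        self._secrets[user] = password   # plaintext lives only in here (toy)

    def issue_challenge(self, user):
        n = len(self._secrets[user])
        positions = sorted(secrets.SystemRandom().sample(range(n), CHALLENGE_LEN))
        token = secrets.token_hex(8)
        self._challenges[token] = (user, positions)
        return token, [p + 1 for p in positions]   # 1-based for the user

    def answer(self, token, chars):
        # pop() makes the challenge single-use: a replayed answer raises
        user, positions = self._challenges.pop(token)
        expected = "".join(self._secrets[user][p] for p in positions)
        return hmac.compare_digest(expected.encode(), chars.encode())


def subset_hash_cost(password_len, k, alphabet_size):
    """Cost of the 'hash every k-character subset' alternative: how many
    digests must be stored, and how small the candidate space behind each
    digest is (small enough to reverse offline by exhaustive search)."""
    digests = math.comb(password_len, k)
    candidates_per_digest = alphabet_size ** k
    return digests, candidates_per_digest


def partial_answer(password, positions_1based):
    """The legitimate user's side: pick out the requested characters."""
    return "".join(password[p - 1] for p in positions_1based)


if __name__ == "__main__":
    pw = "correcthorse9"                       # constructed sample password
    sealed = SealedStore()
    sealed.enrol("alice", pw)
    token, positions = sealed.issue_challenge("alice")
    print("positions asked:", positions)
    print("correct answer accepted:", sealed.answer(token, partial_answer(pw, positions)))
    print("10-char password, 3-char challenge, 62-symbol alphabet:",
          subset_hash_cost(10, 3, 62))
```

The design choices worth noticing are the ones the thread argues about: the sealed store chooses the positions itself (a client cannot ask for the positions it wants), each challenge token is consumed on first use, the comparison is constant-time, and there is no method that returns the stored password. Everything else, in particular how the secret is really protected at rest and who holds the key, is exactly the key-management problem the answer above calls a bugger, and this toy does not solve it.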


First Direct is using this way of requesting the password. In some other cases, Halifax and Lloyds, after presenting the password prompt, letters are requested via a dropdown. On top of that, the login has 5 random digits appended.

Verified by Visa - http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx - also uses this form of confirmation when paying by card online.


I believe this is to prevent key-loggers from obtaining the whole password. I believe banks and Visa have their own very strict policies making the whole system reasonably secure.

(at the end of the day it is us who are paying for all their security breaches)

@Hyp's comment is right (updated my answer). Lloyds and Halifax have this after the password: [screenshot not preserved]