
I have to use two passwords to log in to Lloyds bank. One conventional password (which is presumably stored salted and hashed) and one where I have to enter characters from three positions they choose. The latter is intended to mitigate the risk of using your account from a vulnerable computer. The former takes care of vulnerabilities on their end (as far as any password can).



Could they implement something like:

Password: money

Secret word: ABCD

If they're going to ask for two characters from the secret word, they could then hash

  saltmoneyAB
  saltmoneyAC
  saltmoneyAD
  saltmoneyBC
  saltmoneyBD
  saltmoneyCD
and check against the relevant one.
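The scheme proposed in the comment above, as an added sketch that is not part of the original thread or any bank's code: one stored hash per combination of secret-word positions, and a login check against the row for the positions that were asked for. The function names, the PBKDF2-HMAC-SHA256 work factor and the NUL separator are assumptions made for this example.

```python
import hashlib
import hmac
import os
from itertools import combinations

ITERATIONS = 100_000  # assumed work factor for this sketch


def _kdf(salt: bytes, password: str, chars: str) -> bytes:
    # salt + password + selected characters, as in the comment; the NUL
    # separator (an addition here) keeps the two fields unambiguous.
    material = password.encode() + b"\x00" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enrol(password: str, secret_word: str, k: int = 2) -> dict:
    """Store one hash per k-subset of secret-word positions."""
    salt = os.urandom(16)
    hashes = {}
    for positions in combinations(range(len(secret_word)), k):
        chars = "".join(secret_word[i] for i in positions)
        hashes[positions] = _kdf(salt, password, chars)
    return {"salt": salt, "k": k, "hashes": hashes}


def verify(record: dict, password: str, positions, chars: str) -> bool:
    """Check the login against the row for the positions that were asked for."""
    expected = record["hashes"].get(tuple(positions))
    if expected is None or len(chars) != record["k"]:
        return False
    candidate = _kdf(record["salt"], password, chars)
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    # Constructed sample values taken from the comment above.
    rec = enrol("money", "ABCD")
    print(len(rec["hashes"]), "stored rows")
    print(verify(rec, "money", (0, 2), "AC"))
    print(verify(rec, "money", (0, 2), "AD"))
```

The table grows as C(n, k) rows for an n-character secret word, and each row adds only k characters of guessing work on top of the password, so the slow hash carries most of the offline-guessing cost.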



