
Comment by berberous

10 years ago

Right, but my point is the backend to make this work must be terribly insecure. I just did some reading, and apparently they take your password and just store the keypad equivalent (or more likely, a hash thereof). So you can log in to the website with your original password, the keypad mapping of that password, or any text password that maps to the same keypad digit mapping, and they all work.
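As an added illustration of the two backend designs this comment contrasts (storing only the keypad digits versus storing the web password and the phone PIN as separate records), here is a small Python model. It is not code from the thread or from any bank's system; the keypad layout is assumed to be the standard ITU E.161 letter-to-digit mapping (2=ABC ... 9=WXYZ), the sample password is constructed, and SHA-256 stands in for whatever hash such a system would use.

```python
# Added example: why a "keypad-equivalent only" credential store collapses
# password entropy, and how a two-record store avoids it.  Not from the thread.
import hashlib
import math

# Assumed ITU E.161 keypad layout; 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def to_keypad(password: str) -> str:
    """Digits a caller would key in for this password (case-insensitive)."""
    out = []
    for ch in password:
        if ch.isdigit():
            out.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.upper()])
        else:
            # Punctuation, spaces etc. have no keypad digit in this model.
            raise ValueError(f"character {ch!r} has no keypad digit")
    return "".join(out)


def equivalence_class_size(digits: str) -> int:
    """How many case-insensitive alphanumeric strings key in as `digits`.

    Each position can be the digit itself or any letter printed on that key.
    """
    size = 1
    for d in digits:
        size *= 1 + len(KEYPAD.get(d, ""))
    return size


def bits_lost(password: str) -> float:
    """Entropy (bits) discarded when only the keypad form is kept."""
    return math.log2(equivalence_class_size(to_keypad(password)))


def _h(s: str) -> str:
    # SHA-256 is a stand-in; a real store should use a slow password hash
    # (e.g. Argon2 or bcrypt) with a per-record salt.
    return hashlib.sha256(s.encode()).hexdigest()


def store_credentials(password: str) -> dict:
    """Two-record design: web hash and phone-keypad hash kept separately."""
    return {"web": _h(password), "phone": _h(to_keypad(password))}


def verify_web(record: dict, attempt: str) -> bool:
    return record["web"] == _h(attempt)


def verify_phone(record: dict, keyed_digits: str) -> bool:
    return record["phone"] == _h(keyed_digits)


def verify_keypad_only(record: dict, attempt: str) -> bool:
    """The weak design described in the comment: every login path, web
    included, is checked against the keypad-form hash."""
    return record["phone"] == _h(to_keypad(attempt))


if __name__ == "__main__":
    rec = store_credentials("hunter2")          # constructed sample password
    print(to_keypad("hunter2"), to_keypad("gunter2"))   # same digits
    print(equivalence_class_size(to_keypad("hunter2")), "strings share them")
    print(round(bits_lost("hunter2"), 1), "bits lost")
    print(verify_keypad_only(rec, "gunter2"), verify_web(rec, "gunter2"))
```

The two-record design keeps the web login bound to the exact password while the phone channel only ever compares keyed digits; the keypad-only design lets any string in the same digit class pass the web check, and `bits_lost` puts a number on how much of the password's strength that throws away.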

> So you can log in to the website with your original password, the keypad mapping of that password, or any text password that maps to the same keypad digit mapping, and they all work.

I'd have to see this to believe it. I would hope that they would at least store it as two separate entries, and only use the phone one during the phone process. And the person on the phone will likely still ask you some less-sensitive verification questions.

  • I googled just now and read that somewhere else, but you are right, I just tested it, and it does not work as I described on the website itself.

> they take your password and just store the keypad equivalent (or more likely, a hash thereof)

That's… not exactly more likely. These are commonly systems predating the internet, from a time when connected networks were trade-specific and Very Expensive; storage security was a lesser concern (and CPU-expensive) when the system could only be accessed over dedicated lines available only to employees.