Blog | G5 Cyber Security

Password Verification Security: Stop Asking Partial Passwords

TL;DR

Asking bank customers to read out selected characters of their password (for example "the 3rd and 7th characters") to verify their identity is insecure. Every such exchange leaks part of the secret, the remaining guess space is tiny, and the check can only work if the bank keeps the password in a recoverable form rather than as a salted hash. This guide explains why the practice is dangerous and how to replace it with proper authentication: multi-factor authentication (MFA), out-of-band callbacks and, as a weak supplement only, knowledge-based questions that never involve the password itself.

Why Asking Partial Passwords is Dangerous

  1. Tiny Guess Space and Cumulative Leakage: If a caller is asked for two characters of a case-insensitive alphanumeric password, there are only 36 symbols per position (A-Z and 0-9), so 36 x 36 = 1,296 combinations cover every possible answer, against billions for the whole password. Worse, the bank picks different positions each time, so an attacker who phones repeatedly, or who overhears a few legitimate calls, assembles the full password a couple of characters at a time.
  2. Shoulder Surfing/Eavesdropping: The characters are spoken aloud in a branch or call centre and typed into the agent's screen, so anyone nearby, anyone with a recording of the call, and the agent themselves all see real password material.
  3. Social Engineering: The practice trains customers to read password characters to anyone who claims to be from the bank, which is exactly what a vishing caller asks for. It also makes impersonating a customer easier, since the agent cannot tell a rehearsed guess from the genuine answer.
  4. Compliance Issues: PCI DSS requires authentication credentials to be rendered unreadable in storage and transmission. A verifier that can confirm "character 3 is X" must hold the password in plaintext or reversibly encrypted form, because a salted hash cannot answer that question; partial-password checks are therefore incompatible with how passwords are supposed to be stored.
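As an added example (not code from the original post), the following Python quantifies the problem: the guess space of a two-character prompt, why the check forces the bank to hold the password in recoverable form, and a simulation of how many overheard calls an eavesdropper needs to assemble an entire password when the bank picks random positions each time. The password, alphabet and function names are constructed for illustration.

```python
import math
import random
import string

# Case-insensitive letters plus digits, as many legacy bank systems treat them.
ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols per position


def guess_space(chars_asked: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of guesses that cover every possible answer to a prompt for
    `chars_asked` characters (or to the whole password when chars_asked == len)."""
    return alphabet_size ** chars_asked


def partial_check(stored_plaintext: str, positions: list[int], supplied: str) -> bool:
    """The check a partial-password system must perform. It only works because
    the verifier holds the password itself: a salted hash cannot tell you what
    character 3 is. Positions are 1-based, as agents read them to customers."""
    expected = "".join(stored_plaintext[p - 1] for p in positions)
    return expected.lower() == supplied.lower()


def calls_to_reconstruct(password_len: int, chars_per_call: int, rng: random.Random) -> int:
    """Simulate an eavesdropper who hears every partial-password exchange.
    On each call the bank asks for `chars_per_call` random distinct positions;
    returns how many overheard calls reveal every position of the password."""
    known: set[int] = set()
    calls = 0
    while len(known) < password_len:
        calls += 1
        known.update(rng.sample(range(1, password_len + 1), chars_per_call))
    return calls


def average_calls(password_len: int, chars_per_call: int, trials: int = 2000, seed: int = 1) -> float:
    """Mean number of overheard calls over `trials` simulations (seeded, so repeatable)."""
    rng = random.Random(seed)
    total = sum(calls_to_reconstruct(password_len, chars_per_call, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    print("Guesses to exhaust a 2-character prompt:", guess_space(2))
    print("Guesses to exhaust a full 8-character password:", guess_space(8))
    print(f"Bits of secret handed over per 2-character prompt: {math.log2(guess_space(2)):.1f}")
    print("Average overheard calls to learn an 8-character password:",
          round(average_calls(8, 2), 1))
    # Constructed password; an attacker who heard "0" and "d" for positions 3 and 7
    # now holds two of the nine characters for good.
    print("Agent-side check passes:", partial_check("tr0ub4dor", [3, 7], "0D"))
```

Run it and compare the 1,296 guesses for a prompt with the 36^8 for the password itself; the simulation shows that a handful of overheard calls is enough to recover everything, which no lockout policy on the full login can undo.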

How to Fix It – Secure Verification Methods

  1. Multi-Factor Authentication (MFA): This is the best solution.
    • What it is: Requires something the customer *has* (a phone running an authenticator app, a hardware token) in addition to something they *know* (their password).
    • Implementation: Use an authenticator app (Google Authenticator, Authy) or push approval from the bank's own mobile app. SMS codes are better than nothing, but they are exposed to SIM-swap and interception attacks, so treat them as a fallback rather than the default.
    • Example: The customer enters their password, then enters the one-time code from their authenticator app. In a call-centre flow the agent can trigger a push prompt or ask the customer to read out the current app code; that code changes every 30 seconds and must be accepted only once, so saying it aloud reveals nothing reusable.
  2. Knowledge-Based Questions (KBQs) – Done Right: Avoid questions whose answers are easily found online, and treat KBQs as a weak supplementary check rather than an authenticator in their own right (NIST SP 800-63B no longer accepts knowledge-based answers as an authentication factor).
    • Better KBQ Examples: "What was the make of your first car?", "Which primary school did you attend?" Even these are low-entropy and often appear on social media, so they must never be the only check.
    • Bad KBQ Examples: "What is your mother's maiden name?", "Where were you born?" These sit in public records and breached data sets.
    • Important: Normalise answers (trim whitespace, fold case) and store them as salted password hashes exactly as you would a password, never in plain text. Never read an answer back to the caller for them to confirm.
  3. Out-of-Band Authentication: Contact the customer through a channel the bank already holds and has previously verified.
    • Example: Call the customer back on the phone number on file, never on a number the caller supplies, and do not trust inbound caller ID, which is trivially spoofed.
    • Important: Verify *multiple* pieces of information before proceeding, and never volunteer a detail for the caller to confirm; reading out an address or date of birth and asking "is that still right?" is the bank handing out data.
  4. Biometric Verification (where appropriate): Use fingerprint, facial recognition, or voice biometrics.
    • Considerations: Privacy and data-protection obligations, the cost of implementation, and presentation attacks; voice biometrics in particular must be assessed against synthetic (cloned) speech and should not stand alone.

What to Do Immediately

  1. Stop Asking Partial Passwords: This is the most important step! Train employees immediately.
  2. Review Current Procedures: Identify every agent script, IVR prompt and web form where a password, or any part of one, is requested during verification.
  3. Implement MFA: Prioritize implementing multi-factor authentication across all customer accounts.
  4. Update Security Policies: Clearly define acceptable and unacceptable verification methods in your security policies.

Technical Considerations (for IT teams)

  1. Password Hashing: Store passwords only as slow, salted password hashes (bcrypt, scrypt or Argon2id), never in plain text or reversible encryption. This also settles the partial-password question by construction: a verifier holding only bcrypt(password) cannot answer "what is character 3?", so any system that can ask for individual characters is keeping the password recoverable.
    # Example Python code using bcrypt (pip install bcrypt)
    import bcrypt

    # Passwords arrive as text; bcrypt works on bytes. bcrypt only uses the
    # first 72 bytes of its input, so enforce a length limit before hashing.
    password = "mysecretpassword".encode("utf-8")

    # gensalt() returns a random 16-byte salt; rounds is the work factor
    # (2**12 iterations here). Raise it as hardware gets faster.
    hashed_password = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
    print(hashed_password)  # b'$2b$12$...' with salt and cost embedded

    # checkpw re-derives the hash using the embedded salt and compares in
    # constant time. The same routine serves for normalised KBQ answers.
    if bcrypt.checkpw(password, hashed_password):
        print("Password matches!")
    else:
        print("Password does not match.")
  2. Rate Limiting: Throttle login and verification attempts per account and per source (IP address, call-centre agent) so brute force stays slow even where the guess space is small.
  3. Account Lockout: Lock or progressively delay an account after a set number of failed attempts. Prefer escalating delays over a hard lock, since a hard lock lets an attacker deny service to a customer simply by guessing wrong.
  4. Monitoring and Logging: Log every verification attempt, including those agents perform over the phone, and alert on repeated failures against one account, attempts against many accounts from one source, and unusual verification requests.
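As an added example (not code from the original post), the following Python combines the three controls above into one small component: a per-source sliding-window rate limit, per-account progressive back-off instead of a hard lockout, and an in-memory audit log that a monitoring query runs over. The clock is injected so the behaviour is deterministic; the class name, thresholds, account names and IP addresses are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class LoginThrottle:
    """Per-source rate limit plus per-account progressive back-off.
    `now` is injected so the behaviour can be driven by a fake clock."""
    now: Callable[[], float]
    window: float = 300.0      # seconds of attempt history kept per source
    source_limit: int = 20     # attempts allowed per source within the window
    free_failures: int = 3     # failures tolerated before delays start
    base_delay: float = 2.0    # first delay in seconds; doubles per further failure
    max_delay: float = 900.0   # cap, so the delay cannot grow without bound
    _source_hits: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque), init=False, repr=False)
    _failures: Dict[str, int] = field(
        default_factory=lambda: defaultdict(int), init=False, repr=False)
    _delayed_until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)
    events: List[dict] = field(default_factory=list, init=False)  # audit trail

    def _log(self, kind: str, account: str, source: str) -> None:
        self.events.append({"t": self.now(), "event": kind, "account": account, "source": source})

    def check(self, account: str, source: str) -> Tuple[bool, float]:
        """Call before verifying a credential. Returns (allowed, seconds_to_wait)."""
        t = self.now()
        hits = self._source_hits[source]
        while hits and hits[0] <= t - self.window:  # drop attempts outside the window
            hits.popleft()
        if len(hits) >= self.source_limit:
            self._log("source_rate_limited", account, source)
            return False, self.window - (t - hits[0])
        until = self._delayed_until.get(account, 0.0)
        if until > t:
            self._log("account_delayed", account, source)
            return False, until - t
        hits.append(t)
        return True, 0.0

    def record(self, account: str, source: str, success: bool) -> None:
        """Call after verifying. Success clears the account's history; each
        failure beyond `free_failures` doubles the delay before the next attempt."""
        if success:
            self._failures.pop(account, None)
            self._delayed_until.pop(account, None)
            self._log("login_ok", account, source)
            return
        self._failures[account] += 1
        n = self._failures[account]
        self._log("login_failed", account, source)
        if n > self.free_failures:
            delay = min(self.base_delay * 2 ** (n - self.free_failures - 1), self.max_delay)
            self._delayed_until[account] = self.now() + delay
            self._log("account_backoff", account, source)

    def suspicious_accounts(self, min_failures: int = 5) -> Dict[str, int]:
        """Monitoring view: accounts with at least `min_failures` failures logged."""
        counts: Dict[str, int] = defaultdict(int)
        for e in self.events:
            if e["event"] == "login_failed":
                counts[e["account"]] += 1
        return {a: c for a, c in counts.items() if c >= min_failures}


class FakeClock:
    """Constructed clock for the demo and tests; starts at an arbitrary epoch."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(now=clock)
    for attempt in range(6):  # six wrong passwords for one account from one source
        allowed, wait = throttle.check("alice", "10.0.0.5")
        print(f"attempt {attempt + 1}: allowed={allowed} wait={wait:.0f}s")
        if allowed:
            throttle.record("alice", "10.0.0.5", success=False)
        else:
            clock.advance(wait)
    print("suspicious:", throttle.suspicious_accounts())
```

The back-off doubles from 2 seconds and is capped, so a legitimate customer who mistypes is delayed for seconds while a guessing attacker is slowed to a handful of tries per quarter hour; the source limit catches the other pattern the monitoring item describes, one IP or agent trying many accounts.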