
My bank password is 'sort-of' hashed - mstockton
http://mattstockton.com/2013/03/20/my-bank-password-is-sort-of-hashed/
======
tg3
It should be noted that also storing a hash of your password in keypad-
compatible format (if you're right about this) significantly reduces the
search space for a potential brute force attack. It also seems they don't
allow special characters, which is a further reduction. I'm not sure that a
robo-caller is the most efficient way to steal a bank password, but it is
certainly possible.

Of course, the cynic in me says that they are storing an encrypted, as opposed
to hashed, version of your password. But one can hope!

~~~
mstockton
Their password rules are interesting:
[https://www.fidelity.com/psw/WS_PSW_Body_Frame/0,,PROBLEMS,0...](https://www.fidelity.com/psw/WS_PSW_Body_Frame/0,,PROBLEMS,00.html)

These two rules seem to further support my theory of what they are doing:

* Must not contain more than 4 sequential digits (ex: 1234, 76543)
* May contain the following special characters: "%'()+,-/:;<=>?\ ^_|
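To put a number on tg3's search-space point above, here is an added example (my own code, not from the linked article or any commenter) that maps a password onto the standard phone-keypad letter layout (2=ABC ... 9=WXYZ, an assumption about which keypad convention the bank would use) and compares the size of the original password space with the digit-string space. The sample password and the 8-character alphanumeric policy are constructed for illustration; characters with no keypad key, such as the special characters listed above, are rejected.

```python
import math
import string

# Standard ITU E.161 letter layout on a phone keypad; digits map to themselves.
KEYPAD_LETTERS = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD_LETTERS.items() for c in letters}


def keypad_digit(ch: str):
    """Digit a caller would press for one character, or None if it has no key."""
    if ch.isdigit():
        return ch
    return LETTER_TO_DIGIT.get(ch.lower())  # keypad entry is case-insensitive


def to_keypad(password: str) -> str:
    """Digit string for a whole password; rejects characters with no key."""
    digits = []
    for ch in password:
        d = keypad_digit(ch)
        if d is None:
            raise ValueError(f"{ch!r} cannot be typed on a phone keypad")
        digits.append(d)
    return "".join(digits)


def preimages(digits: str, alphabet: str = string.ascii_letters + string.digits) -> int:
    """How many passwords over `alphabet` collapse onto this one digit string."""
    count = 1
    for d in digits:
        count *= sum(1 for c in alphabet if keypad_digit(c) == d)
    return count


def space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of `length` over an alphabet of that size."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = "Password1"  # constructed sample, not from the article
    print(pw, "->", to_keypad(pw), "same as", to_keypad(pw.upper()))
    print("passwords sharing that digit string:", preimages(to_keypad(pw)))
    print("8-char alphanumeric password: %.1f bits" % space_bits(8, 62))
    print("8-digit keypad copy:          %.1f bits" % space_bits(8, 10))
```

Whoever holds the keypad copy only has to cover the smaller digit space, and every case variant of a password lands on the same digit string, so the keypad copy needs at least the same protection as the real password hash.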

------
zck
If you try to log into your bank with _PASSWORD_ instead of _password_, does
it work? They could be converting your password to numeric as a first step to
using it for anything.

~~~
mstockton
No, the web login is case sensitive.

------
efutch
They could be using some kind of format-preserving encryption, but then they
would have needed an unhashed version of the password to generate this "phone
input" field.

------
bochoh
Very interesting.

