Posted to uk.d-i-y
Martin Brown
TOT; Piggin passwords

On 10/02/2016 11:22, John Rumm wrote:
> On 10/02/2016 07:41, Mike Barnes wrote:
>> Jonno wrote:
>>> Apparently Tesco are expecting online shoppers to remember parts of
>>> their passwords, like the 1st, 4th, 5th and 8th letters/digits.
>>> Brilliant, the person who told me had to write out the password and pick
>>> out the digits they required. So much for security.
>>
>> Those would be so much easier, if they presented a "fill in the blanks"
>> form rather than telling us the digit positions.
>>
>> E.g. instead of presenting us with something like this, where ?
>> represents an input field:
>>
>> Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?
>>
>> they could present us with:
>>
>> Enter the requested characters: ? - - ? ? - - ?
>>
>> But that would require a level of user focus that seems to be lacking in
>> the current generation of software designers.
>
> It would also be poorer security, since it discloses the length of the
> secret word, which may be all an attacker needs to select one of several
> possible options.

Several banking sites do something like that - Santander for instance.

Whereas Lloyds offer three drop down boxes to choose a character from.

> It's the same reason that when you fail to log into a system it does not
> (or at least should not) distinguish between an unknown account name and
> a wrong password - thus preventing giving useful information to an
> attacker.

Although it is damned annoying when the problem is that CAPS LOCK is on.

It could halve the password space to give away that information, but
OTOH the only person likely to do this is the owner of the password!

--
Regards,
Martin Brown
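The point John Rumm makes about login failures, that the system should not say whether it was the account name or the password that was wrong, is easy to get subtly wrong: returning the same message is not enough if the unknown-account path skips the slow password hash and so answers noticeably faster. The following is an added example, written for this page and not code from anyone in the thread or from any of the sites mentioned, of a login check that gives the same generic answer and does the same hashing work in both cases. The user store, account names and passwords are constructed for the example, and PBKDF2-HMAC-SHA256 is simply the password hash chosen here.

```python
import hashlib
import hmac
import os

# Constructed for the example: PBKDF2-HMAC-SHA256 as the password hash.
# Any real deployment would pick its own algorithm and work factor.
_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)

# A dummy credential record used whenever the account does not exist, so the
# unknown-account path performs exactly the same hashing work as a real one.
# The dummy password is random and never disclosed, so it cannot match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)

# One message for both failure modes: unknown account and wrong password.
GENERIC_FAILURE = "Invalid username or password."

def make_user_store(credentials: dict) -> dict:
    """Build a username -> (salt, hash) store from constructed sample credentials."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store

def login(store: dict, username: str, password: str):
    """Return (True, None) on success, or (False, GENERIC_FAILURE) on any failure.

    The caller cannot tell from the result, or from how long it took, whether
    the account name was unknown or the password was wrong.
    """
    # Fall back to the dummy record instead of returning early on a miss.
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest runs in constant time with respect to the hash contents;
    # the membership test guards the (negligible) case of matching the dummy.
    if hmac.compare_digest(candidate, expected) and username in store:
        return True, None
    return False, GENERIC_FAILURE

if __name__ == "__main__":
    # Constructed sample accounts, used only to exercise the check.
    users = make_user_store({"alice": "correct horse", "bob": "battery staple"})
    print(login(users, "alice", "correct horse"))   # success
    print(login(users, "alice", "Correct Horse"))   # wrong password (caps lock!)
    print(login(users, "nobody", "correct horse"))  # unknown account, same answer
```

Note that the usability cost Martin mentions is real: the caps-lock case above gets the same message as everything else, and the only help the site can safely offer is a client-side caps-lock warning before the form is submitted, which reveals nothing about the stored secret.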