On The Security Evaluation of Partial Password Implementations

Abstract

A partial password is a mode of password-based authentication that is widely used, especially in the financial sector. It is based on a challenge-response protocol, where at each login attempt, a challenge requesting characters from randomly selected positions of a pre-shared secret is presented to the user. This mode could be seen as a “cheap way” of preventing for example a malware or a keylogger installed on a user’s device to learn the full password in a single step. Despite of the widespread adoption of this mechanism, especially by many UK banks, there is limited material in the open literature. Questions like how the security of the scheme varies with the sampling method employed to form the challenges or what are the existing server-side implementations are left unaddressed. In this paper, we study questions like how the security of this mechanism varies in relation to the number of challenge-response pairs available to an attacker under different ways of generating challenges. In addition, we discuss possible server-side implementations as (unofficially) listed in different online forums by information security experts. To the best of our knowledge there is no formal academic literature in this direction and one of the aims of this paper is to motivate other researchers to study this topic