Dec 31, 2016

On The Security Evaluation of Partial Password Implementations

arXiv:1701.00104v1 · 4 citations
Originality: Synthesis-oriented
AI Analysis

This addresses a security gap for financial institutions and users relying on partial passwords, but it is incremental as it builds on informal discussions rather than introducing a new solution.

The paper tackles the lack of formal security analysis for partial password implementations, commonly used in banking, by evaluating how security varies with different challenge-generation methods and the number of challenge-response pairs available to attackers, and it identifies potential server-side implementations from online sources.

A partial password is a mode of password-based authentication that is widely used, especially in the financial sector. It is based on a challenge-response protocol, where at each login attempt, a challenge requesting characters from randomly selected positions of a pre-shared secret is presented to the user. This model could be seen as a cheap way of preventing, for example, malware or a key-logger installed on a user's device from learning the full password in a single step. Despite the widespread adoption of this mechanism, especially by many UK banks, there is limited material in the open literature. Questions like how the security of the scheme varies with the sampling method employed to form the challenges or what the existing server-side implementations are have been left unaddressed. In this paper, we study questions like how the security of this mechanism varies in relation to the number of challenge-response pairs available to an attacker under different ways of generating challenges. In addition, we discuss possible server-side implementations as "unofficially" listed in different online forums by information security experts. To the best of our knowledge there is no formal academic literature in this direction, and one of the aims of this paper is to motivate other researchers to study this topic.
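The following is an added worked example, not code from the paper or from any bank's implementation, illustrating the threat model the summary and abstract describe: a passive observer (say, a key-logger) records challenge/response pairs and gradually reconstructs the secret, and how fast that happens depends on how the server samples challenge positions. The secret, its length (10), the number of positions per challenge (3), and the "cyclic" generator used for contrast are all assumptions made for the example; the paper does not specify particular generators.

```python
"""
Toy partial-password scheme plus a passive attacker that only watches
challenge/response pairs. Added example, not the paper's code.
Assumed parameters: a 10-character secret and 3 positions per challenge.
"""
import random
from math import comb

SECRET = "s3cr3tw0rd"   # constructed 10-character pre-shared secret
N = len(SECRET)
K = 3                   # positions requested per login (assumed)


# ---- server side --------------------------------------------------------
def uniform_challenger(rng, n=N, k=K):
    """Each login: k distinct positions chosen uniformly, independent of history."""
    return lambda: sorted(rng.sample(range(n), k))


class CyclicChallenger:
    """Hypothetical weak generator (for contrast, not from the paper): walks a
    fixed shuffled permutation k positions at a time, so every position is
    revealed within ceil(n/k) logins no matter what."""
    def __init__(self, rng, n=N, k=K):
        self.perm = list(range(n))
        rng.shuffle(self.perm)
        self.n, self.k, self.cursor = n, k, 0

    def __call__(self):
        chal = sorted(self.perm[(self.cursor + j) % self.n] for j in range(self.k))
        self.cursor += self.k
        return chal


def respond(secret, challenge):
    """The legitimate user's answer: the characters at the requested positions."""
    return "".join(secret[p] for p in challenge)


def verify(secret, challenge, response):
    return respond(secret, challenge) == response


# ---- attacker side ------------------------------------------------------
def observe(learned, challenge, response):
    """Record every (position, character) pair revealed by one login."""
    for p, ch in zip(challenge, response):
        learned[p] = ch


def can_answer(learned, challenge):
    """Attacker can pass a fresh challenge iff all its positions were seen."""
    return all(p in learned for p in challenge)


def logins_until_full_recovery(challenger, secret=SECRET):
    """Number of observed logins until the attacker knows every position."""
    learned, t = {}, 0
    while len(learned) < len(secret):
        chal = challenger()
        observe(learned, chal, respond(secret, chal))
        t += 1
    return t


# ---- closed-form figures for the uniform generator ----------------------
def p_answer_next(n, k, m):
    """P(a uniform k-of-n challenge falls entirely inside m known positions)."""
    return comb(m, k) / comb(n, k)


def expected_learned(n, k, t):
    """Expected number of positions seen after t uniform challenges:
    each position is included in one challenge with probability k/n,
    independently per login, so P(still unseen) = (1 - k/n)**t."""
    return n * (1 - (1 - k / n) ** t)


if __name__ == "__main__":
    rng = random.Random(2017)
    for name, ch in (("uniform", uniform_challenger(rng)),
                     ("cyclic", CyclicChallenger(rng))):
        print(f"{name:8s} full recovery after {logins_until_full_recovery(ch)} logins")
    for t in range(0, 11):
        m = expected_learned(N, K, t)
        print(f"t={t:2d} expected positions known={m:5.2f} "
              f"P(answer next)~{p_answer_next(N, K, round(m)):.2f}")
```

The closed-form figures are per-position expectations, not the full distribution, but they are enough to see the point the paper makes: with uniform sampling the attacker's chance of passing the next challenge climbs with every observed login, and a generator that avoids repeats (like the cyclic one here) hands over the whole secret in a fixed, small number of logins.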
