2

Example security code:

a35sfj9ksdf

How can I ask a user for several characters (e.g. first, fourth and ninth) of their security code and then check these? The main difficulty comes in how I store the security code in an encrypted form - if I were to store each character individually, then the encryption would be incredibly easy to break.

jSherz
  • Why not just hash the code and ask the user for the entire thing? – Michael Mior Jan 07 '12 at 16:00
  • I was wondering this too. Maybe you'd have to store a hash of each combination you're going to ask them for, but that seems a bit heavy. – Lightness Races in Orbit Jan 07 '12 at 16:01
  • possible duplicate of [How to store and verify digits chosen at random from a PIN/Password](http://stackoverflow.com/questions/3388379/how-to-store-and-verify-digits-chosen-at-random-from-a-pin-password) – Lightness Races in Orbit Jan 07 '12 at 16:01
  • The idea was to add an extra layer of security to logging in - if a user is keylogged then - at the most - the other party would get three characters of their security code. The script would ask for different combinations of the security code for different users. – jSherz Jan 07 '12 at 16:07
  • Note the similarity to project euler's [problem 79](https://projecteuler.net/problem=79) – President James K. Polk Jan 07 '12 at 16:54

3 Answers

1

A possibility that was described neither here nor at How to store and verify digits chosen at random from a PIN/Password is this:

  • Create a random salt of the same length as the security code (here 11)
  • Store the salt with the user
  • For every character of the security code, replace the corresponding character of the salt with the character from the security code and hash it securely
  • Store these hashes with the user

Now you have to store the manageable quantity of n+1 fields for a security code of length n and can still verify single (position, char) tuples.

Eugen Rieck
  • This is a rather elegant method and is certainly far more secure than storing plaintext or hashes of single characters. For better results, use a different random salt for each user. +1 – Tim Parenti Jan 07 '12 at 16:52
  • "Create a random salt of the same length as the security code" and "Store the salt with the user" was meant to mean exactly that: a random salt for every single user. Not doing that would allow an attacker who gets his hands on the table to find security codes by combining partly-known other codes, if the sample is big enough. – Eugen Rieck Jan 07 '12 at 16:59
  • Suppose I am an attacker. So, if I want to know character x at position i, and I have the salt, then I just calculate N hashes where N is the number of possible characters and check which one is correct? This makes brute forcing a whole lot easier. Basically, you go from N ^ L to N * L in complexity (where L is the length of the security code). Or is it that I don't grasp the method? – Maarten Bodewes Jan 07 '12 at 19:56
  • You don't miss anything: This is an apt description not only of my solution, but of the complete problem: Cutting a 11-char password into 11 1-char passwords. My answer doesn't try to (because it can never) undo that, it just tries to propose a clean and manageable solution. – Eugen Rieck Jan 08 '12 at 12:44
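The scheme in this answer, implemented as an added Python example (mine, not Eugen Rieck's code or anything from the original page). Assumptions: the code alphabet is lowercase letters and digits, matching the question's example code; the "secure hash" is PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the demonstration runs quickly; and the slot position is mixed into the PBKDF2 salt, a small domain-separation step the answer does not mention. `recover_code` illustrates Maarten Bodewes' point from the comments: anyone holding the salt and the hashes recovers each position with at most one guess per alphabet symbol.

```python
import hashlib
import hmac
import secrets
import string

# Assumed alphabet of the security code: lowercase letters and digits,
# like the example code "a35sfj9ksdf" in the question.
ALPHABET = string.ascii_lowercase + string.digits

# PBKDF2 cost. Kept low on purpose so recover_code() below finishes in well
# under a second; a real deployment would use a much higher cost (or Argon2).
ITERATIONS = 2_000


def _hash_slot(salt: str, position: int, char: str) -> bytes:
    """The per-position step from the answer: take the per-user salt, replace
    the character at `position` with `char`, and hash the result.

    The position is also mixed into the PBKDF2 salt (an addition to the
    answer's description) so that two slots can never share a digest.
    """
    probe = salt[:position] + char + salt[position + 1:]
    return hashlib.pbkdf2_hmac(
        "sha256", probe.encode(), f"{salt}:{position}".encode(), ITERATIONS
    )


def enroll(code: str) -> dict:
    """Store a new security code: a fresh random salt for this user plus one
    hash per position, i.e. n + 1 fields for a code of length n."""
    salt = "".join(secrets.choice(ALPHABET) for _ in code)
    hashes = [_hash_slot(salt, i, c) for i, c in enumerate(code)]
    return {"salt": salt, "hashes": hashes}


def choose_positions(record: dict, k: int) -> list:
    """Pick k distinct 0-based positions to challenge the user with."""
    n = len(record["hashes"])
    return sorted(secrets.SystemRandom().sample(range(n), k))


def verify(record: dict, answers: dict) -> bool:
    """Check each (position, char) the user typed against its stored hash.

    Every answer is evaluated and compared with compare_digest, so the check
    does not stop early on the first wrong character.
    """
    ok = True
    for position, char in answers.items():
        if not (0 <= position < len(record["hashes"]) and len(char) == 1):
            ok = False
            continue
        expected = record["hashes"][position]
        ok &= hmac.compare_digest(_hash_slot(record["salt"], position, char), expected)
    return ok


def recover_code(record: dict) -> str:
    """What an attacker holding the stored fields can do: for each position,
    try every alphabet symbol until the stored hash matches. Cost is
    len(ALPHABET) * len(code) hashes, not len(ALPHABET) ** len(code)."""
    recovered = []
    for position, stored in enumerate(record["hashes"]):
        for char in ALPHABET:
            if _hash_slot(record["salt"], position, char) == stored:
                recovered.append(char)
                break
        else:
            recovered.append("?")
    return "".join(recovered)


if __name__ == "__main__":
    record = enroll("a35sfj9ksdf")          # the question's example code
    asked = choose_positions(record, 3)     # e.g. [0, 3, 8] = first, fourth, ninth
    print("ask for positions", [p + 1 for p in asked])
    print("correct answers:", verify(record, {0: "a", 3: "s", 8: "s"}))
    print("wrong answer:   ", verify(record, {0: "a", 3: "s", 8: "x"}))
    print("recovered by attacker:", recover_code(record))
```

Each login picks a fresh set of positions with `choose_positions`, so a keylogger sees only those characters, which is what the question wanted. The per-user salt means hashes from one user's row tell you nothing about another user's code, but, as the comments say, the row itself still falls to a linear search once the database leaks.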
0

What about using substr()?

substr("a35sfj9ksdf", 0, 1);

That would return 'a', the first character

substr("a35sfj9ksdf", 4, 1);

This would return 4, the 5th character

So something like please enter the $n character and use

substr("a35sfj9ksdf", $n-1, 1);

leejmurphy
0

You can follow these steps:

  1. Store all your desired characters in an array.

  2. Generate n (the length of the user code) random numbers, where each number represents a character of your array.

  3. Then concatenate the newly generated characters to make a string.

  4. Store the string in the session and, when asking the user, just match the user's code against the session.

You can also make a simple captcha service in a similar way.

fean