WebApp Sec mailing list archives

Re: random character checking at logon
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 20 Apr 2005 23:14:48 +0200

On 20 Apr 2005 at 14:59, jimtames () yahoo com wrote:

> Hi,
>
> Any advice on this puzzle would really be appreciated.


Well, here's an idea. To simplify, let's say all passwords are 8 chars, and that you need to choose 7 chars out of the 8 and provide them.

Now, you store the sum (mod 256) of all 8 bytes of the password, together with a 1-way hash.

When you're provided with 7 chars of the password, add them up, and subtract the number (mod 256) from the sum you have in the DB. The result is the missing char. Now put that char in place, and you have reconstructed the (candidate) password. Use the same 1-way function, and compare to the hash you have in the DB.

Of course, this decreases the effective space for the password brute-forcing by 1 byte.

You can also use XOR instead of mod 256 addition.

I *think* this can be extended to choosing N out of 8 chars, but I'll have to think about it. I know that it can be extended easily in one way, but it requires runtime (not DB space though).

-Amit
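The scheme above, as an added worked example (my code, not Amit's or the list's): the server stores a salted one-way hash plus a one-byte checksum of the full password, and at login the one omitted byte is recovered from the checksum, the candidate password is rebuilt and hashed, and the result is compared against the stored digest. Both the mod-256 addition and the XOR variant are implemented; the record layout, the `enroll`/`verify` function names, the use of SHA-256 as the one-way function and the 8-byte password are my assumptions for illustration, not anything the post specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PW_LEN = 8  # the post's simplifying assumption: every password is exactly 8 bytes


@dataclass(frozen=True)
class StoredCredential:
    """Server-side record (hypothetical layout chosen for this example)."""
    salt: bytes
    digest: bytes   # one-way hash of salt + full password
    checksum: int   # sum (mod 256) or XOR of all password bytes
    mode: str       # "add" (mod-256 addition) or "xor"


def _combine(data: bytes, mode: str) -> int:
    """Fold the bytes with the chosen operation: sum mod 256, or XOR."""
    if mode == "add":
        return sum(data) % 256
    if mode == "xor":
        acc = 0
        for b in data:
            acc ^= b
        return acc
    raise ValueError("mode must be 'add' or 'xor'")


def _one_way(salt: bytes, password: bytes) -> bytes:
    # Stand-in for "the same 1-way function" in the post; SHA-256 is an assumption.
    return hashlib.sha256(salt + password).digest()


def enroll(password: bytes, mode: str = "add", salt: Optional[bytes] = None) -> StoredCredential:
    """Store hash + checksum. Note the checksum deliberately leaks 8 bits of the
    password, which is the 1-byte reduction in brute-force space the post mentions."""
    if len(password) != PW_LEN:
        raise ValueError(f"password must be exactly {PW_LEN} bytes")
    salt = os.urandom(16) if salt is None else salt
    return StoredCredential(salt, _one_way(salt, password), _combine(password, mode), mode)


def recover_missing_byte(provided: bytes, checksum: int, mode: str) -> int:
    """Derive the single omitted byte from the 7 supplied bytes and the stored checksum."""
    partial = _combine(provided, mode)
    if mode == "add":
        return (checksum - partial) % 256   # subtract mod 256, as the post describes
    return checksum ^ partial               # XOR is its own inverse


def verify(cred: StoredCredential, provided: bytes, missing_index: int) -> bool:
    """7-of-8 login: the client supplies 7 bytes and the position it skipped."""
    if len(provided) != PW_LEN - 1 or not 0 <= missing_index < PW_LEN:
        return False
    missing = recover_missing_byte(provided, cred.checksum, cred.mode)
    # Put the recovered char back in place to rebuild the candidate password.
    candidate = provided[:missing_index] + bytes([missing]) + provided[missing_index:]
    # Compare hashes in constant time so the check itself does not leak anything extra.
    return hmac.compare_digest(_one_way(cred.salt, candidate), cred.digest)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    secret = b"s3cretPW"
    for mode in ("add", "xor"):
        cred = enroll(secret, mode=mode)
        seven = secret[:3] + secret[4:]   # user omits index 3 ('r')
        print(mode, verify(cred, seven, 3), verify(cred, seven, 2))
```

Either variant is a partial hash-of-password scheme, so the same hashing hygiene as a normal password store applies (per-user salt, a slow hash in place of plain SHA-256 in practice); the stored checksum is an additional, intentional 8-bit leak that an offline attacker with the database gets for free, which is the trade-off the post calls out.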

