On The Security Evaluation of Partial Password Implementations
Theodosis Mourouzis, Marcin Wojcik, Nikos Komninos

TL;DR
This paper investigates the security of partial password schemes, analyzing how challenge generation methods and the number of challenge-response pairs affect security, and discusses server-side implementations to motivate further research.
Contribution
It provides the first formal analysis of partial password security variations and discusses practical server-side implementations, filling a gap in existing literature.
Findings
Security varies with challenge sampling methods.
Number of challenge-response pairs impacts security.
Provides insights into server-side implementation practices.
Abstract
A partial password is a mode of password-based authentication that is widely used, especially in the financial sector. It is based on a challenge-response protocol in which, at each login attempt, the user is presented with a challenge requesting the characters at randomly selected positions of a pre-shared secret. This model can be seen as a cheap way of preventing, for example, malware or a key-logger installed on a user's device from learning the full password in a single step. Despite the widespread adoption of this mechanism, especially by many UK banks, there is limited material on it in the open literature. Questions such as how the security of the scheme varies with the sampling method used to form the challenges, or what server-side implementations currently exist, are left unaddressed. In this paper, we study questions like how the security of this mechanism varies in relation to the…
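The challenge-response mechanism described in the abstract, as an added Python example that is not part of the paper: it models a server issuing position challenges, verifies responses, and measures how many observed logins a key-logger on the client would need before every position of the secret has been revealed. The two samplers (uniform, and a constructed "avoid the previous challenge" variant) are assumptions used to illustrate that leakage depends on the sampling method; they are not the paper's schemes.

```python
"""Partial-password challenge-response simulation (constructed example, not the paper's code)."""
import random
from typing import Callable, Sequence

# A sampler receives (secret length n, challenge size k, previous challenge, rng)
Sampler = Callable[[int, int, Sequence[int], random.Random], list[int]]


def uniform_sampler(n: int, k: int, previous: Sequence[int], rng: random.Random) -> list[int]:
    """Challenge = k distinct positions drawn uniformly from the n-character secret."""
    return sorted(rng.sample(range(n), k))


def avoid_previous_sampler(n: int, k: int, previous: Sequence[int], rng: random.Random) -> list[int]:
    """Constructed variant: never re-ask a position used in the previous challenge (needs n >= 2k)."""
    pool = [i for i in range(n) if i not in previous]
    return sorted(rng.sample(pool, k))


def respond(secret: str, challenge: Sequence[int]) -> str:
    """The user's answer: the characters at the requested positions."""
    return "".join(secret[i] for i in challenge)


def verify(secret: str, challenge: Sequence[int], response: str) -> bool:
    """Server-side check of a response against the stored secret."""
    return respond(secret, challenge) == response


def sessions_until_exposed(secret: str, k: int, sampler: Sampler, rng: random.Random) -> int:
    """Logins an observer of challenge/response pairs needs before every position is known."""
    learned, previous, sessions = {}, [], 0
    while len(learned) < len(secret):
        challenge = sampler(len(secret), k, previous, rng)
        for pos, ch in zip(challenge, respond(secret, challenge)):
            learned[pos] = ch  # each observed pair reveals the secret at these positions
        previous, sessions = challenge, sessions + 1
    return sessions


def mean_sessions_to_expose(n: int, k: int, sampler: Sampler, trials: int = 2000, seed: int = 1) -> float:
    """Average number of observed logins until full exposure, for a given sampling method."""
    rng = random.Random(seed)
    secret = "x" * n  # character values are irrelevant here; only positions matter
    return sum(sessions_until_exposed(secret, k, sampler, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, s in (("uniform", uniform_sampler), ("avoid-previous", avoid_previous_sampler)):
        print(f"{name:15s} n=8 k=3: {mean_sessions_to_expose(8, 3, s):.2f} logins to expose all positions")
```

Fewer logins to full exposure means more leakage per observed session; the deterministic "avoid-previous" variant at n=8, k=4 exposes the whole secret in exactly two logins.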
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Spam and Phishing Detection
