Should I abandon this company? I don't know a great deal about security...

Should I abandon this company? I don't know a great deal about security, but would there ever be a good reason that a company would be asking me for a portion of my password? It is my understanding that passwords should always be hashed in a database and never stored in part or in full in plaintext.


You should absolutely ditch them. Even if they stored a separate hash of your full password and the last four characters of your password, that's a retarded thing to do.

Tell them why you're leaving, too.

... They could also be storing a hash of the last 4.

The best case scenario is that they are storing two hashes, one for your entire password and one for the last four characters. Even then, I'd jump ship.

>hash last 4 characters of users password
>proceed to ask them to send it to you in plaintext through a javascript chat

>Vasundhara joined

YIKES

Yea, this seems bad. They shouldn't need to ask you for that.

Yeah, ditch 'em. That's sketchy as fuck.

What's wrong with sending you a reset link per mail?

Banks also do this; they either have hashes of every single combination of 3 characters of your password, or they just store it in plaintext or encrypted.

That's what I thought, but then I realized what this user said.

>hashes of every single combination of 3 characters of your password
So instead of having to crack a 12-character password in one go, an attacker can just crack 4 3-character passwords now. How is this better than plain text?

Never had any of my banks do that. Ever. Nor do I think they would.

They'd probably ask for a chip & PIN challenge-response, for an ID scan and address / name (to even send the replacement for anything to that address by registered mail), or some such.

You could brute force the 4-character hash in less than a second, and that value would allow you to brute force the main hash very easily too.

Huh? No. Let's say you have a 10 character password. When you login, it asks you for 3 random characters. This means anyone who is looking over your shoulder or using a keylogger does NOT get your password.

How the bank verifies that information, I don't know. I find it hard to believe they'd have every 3-character possibility hashed.

I know of at least 4 UK banks that do it this way. They also use a complete password though, which is presumably hashed as expected. So you need username, password, then 3 random characters of your "memorable information".

>Should I abandon this company?
Yes

Occam's razor, user.
Which one seems more likely?
>incompetent developers store passwords as plaintext
>developers store last 4 characters of a password as a hash just so support can use this obscure verification method


JUST host.

>call bank
>get socially engineered by a Pajeet to give up your password
>lose all funds

The best part is that poo has no idea wtf you're even talking about.

>plaintext passwords
Yes, abandon them.

Also, if they do incremental hashes, that's very vulnerable to attack.
And support would most likely tell you if that were the case.
If they don't, you can assume they just stored plaintext.
What kind of moron doesn't understand this problem? Instead of alphabet^fullpasswordlength we have sum[0,slicecount](alphabet^slicesize).
Addition makes for smaller numbers than multiplication here.
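Worked numbers for the search-space argument above and for the "crack 4 3-character passwords instead of one 12-character one" point earlier in the thread (an added example, not a post from the thread). The alphabet size, password lengths and slice sizes are assumed inputs; nothing here reflects what the host or any bank actually stores.

```python
"""Compare worst-case brute-force guess counts for one hash of the whole
password versus the split-hash schemes discussed in the thread.
Assumes a uniformly random password over `alphabet_size` symbols."""
from math import comb


def full_hash_guesses(alphabet_size: int, length: int) -> int:
    """One hash of the full password: every guess is alphabet^length."""
    return alphabet_size ** length


def sliced_hash_guesses(alphabet_size: int, length: int, slice_size: int) -> int:
    """Each fixed slice (e.g. 'last 4 characters') hashed on its own.
    The attacker cracks slices independently, so the costs add:
    sum over slices of alphabet^slice_len (last slice may be shorter)."""
    total = 0
    remaining = length
    while remaining > 0:
        part = min(slice_size, remaining)
        total += alphabet_size ** part
        remaining -= part
    return total


def stored_triple_hashes(length: int) -> int:
    """Hashes a 'every 3-character combination' scheme has to keep."""
    return comb(length, 3)


def every_triple_guesses(alphabet_size: int, length: int) -> int:
    """With a hash per position triple, cracking ceil(length/3) disjoint
    triples at alphabet^3 guesses each recovers every position."""
    triples_needed = -(-length // 3)  # ceil division
    return triples_needed * alphabet_size ** 3


def reduction_factor(alphabet_size: int, length: int, slice_size: int) -> int:
    """How many times cheaper the sliced scheme is than the full hash."""
    return full_hash_guesses(alphabet_size, length) // sliced_hash_guesses(
        alphabet_size, length, slice_size
    )


if __name__ == "__main__":
    # Constructed scenario: 12 lowercase letters, hashed in 3-char slices.
    print("full hash guesses:  ", full_hash_guesses(26, 12))
    print("sliced hash guesses:", sliced_hash_guesses(26, 12, 3))
    print("cheaper by factor:  ", reduction_factor(26, 12, 3))
```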

>>incompetent developers store passwords as plaintext
This one.

Abandon. JustHost is an EIG brand.
I suggest the siteground meme or one of the ones off whttalk for cheap but pretty decent quality if you just need shared hosting & cPanel.

you are saying his name pajeet but very clearly it is written his name vasundhara

Shame them publicly. Twitter, preferably, else Facebook or one of those blogs that collect security blunders.

Ya, but it's actually pronounced like pajeet, common mistake my friend.

Nah, it's fine bro, just go ahead and send them the whole password so he doesn't have to count characters and can just verify it at a glance.
Dude seems super helpful and is obviously keeping your shit secure. I'd use this company for everything.
How are their prices?

The only way other than having every 3 letter combination hashed would be to use a hash that leaks information about the input, which is also pretty bad.

Vodafone, my mobile phone ISP, regularly asks me for my full password when I call them.
Like what the fuck, everyone near me can hear me spell it out, plus the random customer support pajeet knows my password and could log into it any time.

>Vasundhara joined
