So I called Fidelity today and was asked to type my web portal password using the phone keypad. The automated voice says for letters in my password I just need to type the corresponding number. I just wonder how Fidelity is authenticating my input. Case one: they are storing the hashed password so they have to generate all possible strings from my input and hash them to verify (NP complexity). Case two: they are storing the password in plain text so they just compare the edit distance. Case three: it’s a dummy verification step that doesn’t work at all. Which case do you guys think is the right one? 210K 1.5yoe
Do they not allow special characters?
@OP: Totally off topic - what’s your take on the recent HK issues?
Case 1 seems prohibitively slow (especially if salted). Cases 2 and 3 seem not plausible for a financial service company. The only thing I can think of is that they are storing the corresponding phone number when you create your password (maybe hashed).
This sounds like a right solution. Thanks for the input!
They compare all possible hashes with the hashed one, and it's not NP complete.
Say my password length is N. Each char I enter can be a number or three letters, so it’s roughly 4**N total possibilities. If I’m remembering my algorithms 101 correctly, this is non-polynomial complexity.
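A worked version of the two ideas above, as added example code (not anything Fidelity has published): store a salted hash of the keypad-reduced digits at password-set time so the phone check is a single hash, and count how many passwords collapse onto one digit string. The keypad layout, PBKDF2 parameters and sample password are assumptions; the count here also includes letter case, so it comes out larger than the 4**N estimate.

```python
import hashlib
import hmac
import os

# Standard ITU E.161 phone keypad: letters fold onto digits 2-9 (assumed layout).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}


def keypad_reduce(password: str) -> str:
    """Digit string a caller would type for this password; case is lost."""
    digits = []
    for ch in password.lower():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad digit for {ch!r}")  # special chars can't be typed
    return "".join(digits)


def candidate_count(digits: str) -> int:
    """Passwords that collapse onto this digit string: per position, the digit
    itself plus each of its letters in lower and upper case (the 4**N idea)."""
    total = 1
    for d in digits:
        total *= 1 + 2 * len(KEYPAD.get(d, ""))
    return total


def _hash(digits: str, salt: bytes) -> bytes:
    # Slow salted hash; parameters are illustrative, not a vendor's.
    return hashlib.pbkdf2_hmac("sha256", digits.encode(), salt, 100_000)


def enroll(password: str) -> tuple:
    """At password-set time, store a salted hash of the reduced digits, so the
    phone check never needs to enumerate candidates or keep plaintext."""
    salt = os.urandom(16)
    return salt, _hash(keypad_reduce(password), salt)


def verify(typed_digits: str, salt: bytes, stored: bytes) -> bool:
    """Phone-side check: one hash, constant-time compare."""
    return hmac.compare_digest(_hash(typed_digits, salt), stored)
```

Note that the stored reduced hash protects only an N-digit PIN space (at most 10**N), far smaller than the password's own, so it needs a slow hash and strict attempt limits just like any PIN.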