
I recently ran an account security check through my bank's web site, and my bank "reassured" me that I have a strong password.

Should I be concerned that they know that? I had assumed that they only stored a (hopefully salted) hash of my password, and so they should not know any information at all about my password except for its hash.

(This was presented as an individualized rather than an automatic security sub-assessment, so I don't think they just meant that my password meets their site's minimum allowed security requirements - which were presumably checked locally at the point of password creation before the hashed version was sent to my bank.)

  • 2
    They can check your password strength whenever you enter the password - which you likely do when you login. – Steffen Ullrich Aug 27 '23 at 04:43
  • "before the hashed version was sent to my bank" how do you know that? I would expect that the password is sent to the bank (TLS protected) and it's hashed there. Are you sure this is not the case? –  Aug 27 '23 at 08:29

2 Answers

1

As part of the security check, they may take a list of known passwords and hash them using the same salt as your password, then see if the hash matches your hashed password. This lets them determine that your password isn’t on their list, and so is strong, without them knowing what your password is. But it would take quite a lot of CPU resource to use a strong hashing algorithm on a long password list.

Mike Scott
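The check this answer describes, as an added example that is not part of the original answer or of any bank's code: a credential record holds a random salt and a PBKDF2 digest, and the "known password" test re-derives each candidate with that record's own salt and compares digests, so the server never needs the plaintext. The weak-password list, the PBKDF2 parameters and the record layout are constructed for illustration. The `work_factor` helper makes the answer's cost point concrete: every candidate costs a full slow-hash derivation, so the check scales with list length times iteration count.

```python
import hashlib
import hmac
import os

# Assumed slow-hash parameters for the example (not a real deployment's settings).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Create a stored credential record: fresh random salt, parameters and digest.
    Only the digest is kept; the plaintext is discarded after this call."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": hash_password(password, salt),
    }


# Constructed stand-in for a breach/common-password corpus.
KNOWN_WEAK = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def is_on_weak_list(record: dict, candidates=KNOWN_WEAK) -> bool:
    """Hash each candidate with the record's own salt and compare to the stored digest.
    The server learns only whether the password equals one of the candidates."""
    for cand in candidates:
        digest = hash_password(cand, record["salt"], record["iterations"])
        if hmac.compare_digest(digest, record["digest"]):
            return True
    return False


def work_factor(record: dict, candidates=KNOWN_WEAK) -> int:
    """Number of HMAC iterations a full list check costs for one user record."""
    return len(candidates) * record["iterations"]


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print("on weak list:", is_on_weak_list(rec))
    print("HMAC iterations for the check:", work_factor(rec))
```

Because the salt is per user, the candidate list cannot be pre-hashed once and reused across accounts; that is exactly why the answer notes the CPU cost of running this over a long list with a deliberately slow hash.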
0

I'm guessing this simply means that they improved their password requirements at some point in the ~recent past and that your password was set after that.

Perhaps they only changed how they store your password's hash. That would make it stronger from the perspective of somebody trying to crack the hash even if they didn't increase their strength requirements.

Hopefully they did both.

Adam Katz
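The second paragraph of this answer (changing how the hash is stored without changing the password) is usually done as a transparent upgrade at login, the one moment the server holds the plaintext, which is also the moment the first comment on the question points to. The following is an added example, not the answerer's code or any bank's: a record carries its own hash parameters, a successful login under an out-of-date parameter set re-derives the digest with a fresh salt and the current parameters, and a failed login changes nothing. The "legacy" and "current" parameter sets and the record layout are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameter sets: "legacy" stands in for an older, weaker storage
# scheme, "current" for the upgraded policy. Not any real deployment's values.
LEGACY = {"alg": "sha256", "iterations": 1_000}
CURRENT = {"alg": "sha256", "iterations": 100_000}


def derive(password: str, salt: bytes, params: dict) -> bytes:
    """PBKDF2-HMAC digest under the given parameter set."""
    return hashlib.pbkdf2_hmac(params["alg"], password.encode("utf-8"), salt, params["iterations"])


def store(password: str, params: dict) -> dict:
    """New credential record: fresh salt, a copy of the parameters, and the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "params": dict(params), "digest": derive(password, salt, params)}


def needs_upgrade(record: dict, current: dict = CURRENT) -> bool:
    """True if the record was hashed under weaker settings than the current policy."""
    p = record["params"]
    return p["alg"] != current["alg"] or p["iterations"] < current["iterations"]


def login(record: dict, password: str, current: dict = CURRENT):
    """Verify the password; on success rehash under current policy if the stored
    record is out of date. Returns (ok, record); the record is replaced only on
    an upgrade so the caller knows whether to write it back."""
    expected = derive(password, record["salt"], record["params"])
    if not hmac.compare_digest(expected, record["digest"]):
        return False, record
    if needs_upgrade(record, current):
        record = store(password, current)  # plaintext is available only here
    return True, record


if __name__ == "__main__":
    rec = store("a constructed sample passphrase", LEGACY)
    print("needs upgrade before login:", needs_upgrade(rec))
    ok, rec = login(rec, "a constructed sample passphrase")
    print("login ok:", ok, "needs upgrade after login:", needs_upgrade(rec))
```

The upgrade changes only how the stored digest was produced, not the password itself, so it strengthens the record against offline cracking of a leaked database without telling the server anything new about the password's own strength; that distinction is the answer's point.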