Auto-fill specified characters of passwords

Some websites ask for the characters at specified indexes of your password; this is (from my experience) mostly on banking websites.

Here is an example:

I propose that some effort should be put forward to come up with a solution to auto-fill such login forms.

On some websites, input elements are ID’d in such a way that custom form fill values can be added for every character of a password to allow for auto-fill to work in its current state; however, this is a lot of work for the user. I imagine that in these cases a simple solution could auto-fill. However, some sites ID input elements in a way that does not reference the required character, and this would require a more complex solution.

Sites that use this that I know of:
Santander, RBS, Skipton Building Society

This type of input is insecure. But luckily, it is rare.

  1. Supporting it with some streamlined feature encourages banks to make this bad security design.
  2. It is so rare that there really is no demand for such a feature.

You can easily set it with custom fields if it is what it sounds like… it’s a small time cost for you, but not too bad.

It’s certainly not rare in banking sites from what I can see. 4/5 of my banks use this method of password entry.

Only one of my banks has a form that would be compatible with custom fields in the Bitwarden add-on for auto-fill; the rest do not ID their input fields in a way that would allow this, e.g. “pass-id-1” is for entry of character 3.

An implementation for auto-fill would have to look at the HTML elements and find a number within that indicates the password character position for the input field.

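
What a label-driven filler of the kind described above would have to do, as an added example that is not code from Bitwarden or its add-on: it treats ids such as “pass-id-1” as opaque, pulls the requested position out of each field’s visible label text instead, and returns the character to fill for each field. The secret, the field list and the label wordings are constructed for the example; a real extension would read the label from the `<label for>` element or an aria-label attribute.

```javascript
// Added example (not Bitwarden code): resolve which character of a stored
// secret each "nth character" field wants from its visible label, since the
// field id (e.g. "pass-id-1") is assumed to carry no position information.

const ORDINAL_WORDS = {
  first: 1, second: 2, third: 3, fourth: 4, fifth: 5, sixth: 6, seventh: 7,
  eighth: 8, ninth: 9, tenth: 10, eleventh: 11, twelfth: 12,
};

// Returns the 1-based position named in a label, or null if none is found.
// Handles "3rd character", "Character 12", "the eleventh character", "char 7".
function positionFromLabel(label) {
  const text = label.toLowerCase();
  const m = text.match(/\b(\d{1,2})(?:st|nd|rd|th)?\b/);
  if (m) return Number(m[1]);
  for (const [word, n] of Object.entries(ORDINAL_WORDS)) {
    if (new RegExp(`\\b${word}\\b`).test(text)) return n;
  }
  return null;
}

// Returns the character at 1-based position n of secret, or null if n is
// not a valid position (a bank asking for character 40 of a 12-character
// secret is a sign the wrong entry was matched, so never fill anything).
function charAt(secret, n) {
  if (!Number.isInteger(n) || n < 1 || n > secret.length) return null;
  return secret[n - 1];
}

// fields: [{ id, label }] describing the form. Returns { values: {id: char} }
// for every field whose label names a position inside the secret, plus the
// ids that could not be resolved so the caller can fall back to manual entry.
function planFill(secret, fields) {
  const values = {};
  const unresolved = [];
  for (const f of fields) {
    const n = positionFromLabel(f.label || '');
    const c = n === null ? null : charAt(secret, n);
    if (c === null) unresolved.push(f.id);
    else values[f.id] = c;
  }
  return { values, unresolved };
}

// Constructed sample form: ids carry no position information, labels do.
const SAMPLE_SECRET = 'Th1s:ISpassw';
const SAMPLE_FIELDS = [
  { id: 'pass-id-1', label: '3rd character' },
  { id: 'pass-id-2', label: 'Character 7' },
  { id: 'pass-id-3', label: 'Enter the eleventh character' },
  { id: 'pass-id-4', label: 'Character 40' }, // beyond the secret's length
];

console.log(planFill(SAMPLE_SECRET, SAMPLE_FIELDS));
```

The unresolved list is the important part: a filler that cannot find a position should leave the field alone rather than paste the whole secret into it, which is the behaviour complained about later in this thread.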
I agree with Chris, it’s widely used by banks, at least in the UK. I’m not sure why it should be considered insecure, but I don’t see much likelihood of getting the banks to change. I encounter it on TSB, Nationwide, HSBC, and Barclays.

On at least one site, BW fills the password into each digit field, which takes a lot of messing to undo and replace with single digits. BW should at least be smart enough not to do that.

On these sites I rely on remembering the word or number in question, so I can’t generate random values.

As an ideal UI, I envisage a box layered over the field into which I type the number of the character requested, and BW fills the actual character underneath. It would require a special password type, and some way to associate it with the relevant fields.

There’s no clearer evidence that the bank is storing passwords in plain text than this; they just don’t secure it.
You can’t extract individual characters from a hashed password unless you hash every single character separately, at which point the hashing becomes borderline useless as there are only 80-ish guesses needed to reverse each character.
If any bank does this, please avoid it, switch to a different bank with a better security policy, and report to plaintextoffenders.com.
Also report to the UK’s data privacy watchdog; this is clearly a violation of GDPR, which requires companies to provide reasonable protection of personal data, which this clearly is not.

Where this is used, it’s not the password itself, it appears as additional verification, often described as “memorable word” or some-such. Some other sites require you to enter one of a number of such memorable words in full. GDPR does not mandate against storage of personal data in plain text - that would make any system unworkable. “Reasonable protection” means they must take steps to avoid unauthorised access to or copying of data, and generally implies that backups should be encrypted.

They are slowly moving to 2FA, though not always doing it in a very convenient way. :frowning:

That is not true. There is a mathematical formula which, if you provide the correct character at the correct index, produces a valid result. The password is always encrypted. Unfortunately I can’t give you an article in English; here’s one in Polish, though, which describes exactly how mathematics is used to implement masked passwords. Google Chrome may have some luck translating it for you. At least you should get the gist of it.

Other than that I hate them because they interfere with password managers. Many banks use them in Poland, too.

This is reeeeally dumb.

There is no point in doing this polynomial math to avoid storing the user’s 3 characters since a hacker could steal the b values for all users and try every ASCII value until the correct value appears in nanoseconds.

When your password is reduced to 3 characters and stored with extremely computationally simple math, you might as well store it in plaintext.

It’s about the same as using ROT13 and calling it “cryptography”.

You might find this of interest: https://crypto.stackexchange.com/questions/43775/how-can-you-extract-individual-characters-of-an-encrypted-string-such-as-a-passw

I see this quite often and would suggest a slightly easier option.
Can we have a field or option that will automatically add the index number to the string so that it is easier to see what the nth character is?
I know it falls short of the auto-fill option, but it would make it easier to use manually and is another benefit of using Bitwarden as a password manager.

Example
1 2 3 4 5 6 7 8 9 10 11 12
T h 1 s : I S p a s s w

Character 7 = S
Character 9 = a
Character 11 = s

That would certainly be useful! Especially for long passwords.

I came here to suggest precisely this index. With really long passwords, it’s really a pain to identify, say, characters 8, 16, 24. I often have to copy the whole password in clear text to notepad and count columns, which creates a vulnerability. I can’t imagine how hard it must be for people with dyslexia.

Even better, we could enter 7, 9, 11 in BW and it would return S, a, s. Easier and this way we won’t even have to make the password visible on the screen.

In the UK practically every bank I know uses this, and I risk being locked out every time because I fail to enter the correct characters 2-3 times.

It usually works as @DarkStar said. I’ve seen this in Poland, the UK, and Germany. This is a common practice, and passwords are not being stored in plain text. And now it always comes with 2FA, at least in my bank. If you don’t want to add this functionality, at least add small numbers above or under each password character as an option. This small feature will help us a lot. At this point all password managers are useless on these kinds of sites.

1Password has the exact feature you’re describing (showing 1, 2, 3… under each character). This would be incredibly useful in Bitwarden, since my experience with U.K. banks has been the same as many others’ in this thread (the ‘please type the nth character of your memorable word’ is very, very common over here).

Of UK banks I use, the following request nth character to login

  • Natwest
  • TSB
  • Halifax

Santander do not do this.

So 75% of my banks require nth character login.

I would really appreciate numbered passwords in bitwarden interface as others have suggested. We are premium payers and find bitwarden great in general.

Thanks

I’ve had a workaround for this for a long time which is massively inelegant, where I wish there was a tiny bit of support from the password manager: I use the ‘notes’ field to record the secret phrase and then on a separate line I number the characters:

m Y p a 5 5
1 2 3 4 5 6

Unfortunately, given the notes in the password manager are not fixed width, the alignment is really bad. If I could just have an option to have the notes in a monospaced font, I wouldn’t have any issues until a proper feature for this came along.

I would like to see a solution for this, too. For Halifax, I have tried adding custom fields as “Character 1” etc, and then its value, but that does not seem to work. Bitwarden tries to fill it in, but fails.

This is never going away; it’s a standard for the majority of banks in some countries, and no password manager is going to change that nor encourage/discourage it, so making it easier for BitWarden users to use their bank is a far better option than not supporting it at all and encouraging users to use passwords they know in their head (and thus are easier to extract characters from) instead, simply on a “this isn’t a good system” pretence.

Nor does it mean the password is stored in plaintext, and in fact that’s very unlikely as UK banking regs are incredibly strict. More likely they hash different variations of the password when you set it, so the permutations of characters you can get are hard-coded. In the past I’ve been asked to update my password with banks, no doubt because the permutation list was updated.

1Password have a really good workaround for this.
They have a feature called large font where passwords are displayed at a large size with the character number, as below (e.g. for password “aqrptv”):

This could be implemented as below

I have actually just seen a really nice way this is implemented by Enpass.
Right-clicking on the password gives these options:

View subset (in the desktop app; poorly implemented in the browser) allows you to see the specific characters you want (e.g. 3, 17, 21).