Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m not a statistician so I wouldn’t know the math on this, but take these two scenarios:
A single 16 character password:
Password: XXnrKkO4`AM&U$6D
or
Two 8 character passwords:
Password 1: u/wyk<}U
Password 2: hc]KpL3C
I’ve seen a few sites with the need for high security (ie: banks) using a two password layout, but by how much does it increase security?
Banks don’t normally (unless they have stupid security policies, and a few of them do) ask for two passwords that are treated the same.
One bank I’m with, HSBC uses two-factor authentication. They ask for my account password (“something that I know”) as well as a one-time code generated by a keyfob (“something I have”). This helps protect against two weaknesses to single-factor authentication: “rubber-hose cryptography” (where someone beats my password out of me, but they don’t have the keyfob) and a stolen password (they have the keyfob, but not my brain).
Other banks, such as Nationwide (in the UK), ask for your customer ID (equivalent to a username) but also a “memorable data” (effectively a password) and three digits from a 6-digit numeric code that is selected by a drop-down list with the mouse.
I understand this is to help protect against keyboard loggers: the password (“memorable data”) provides traditional password security, but the drop-down numeric lists provides keylogger protection because the digits is randomised and selected with the mouse (keyloggers generally don’t log mouse movements). However having the entire password be selected by the mouse is impractical, so that explains that.
Now back to your original question assuming you weren’t talking about the two scenarios I just described above, then the answer is “it depends”.
However one would assume that the website in question merely concatenates the two passwords together before going through the password match implementation (hopefully using salted hashes), but even if they weren’t concatenated it’s obvious that the number of combinations (assuming alphabetical passwords only) of 16 char passwords (26^16) is identical to two 8-char passwords (26^8 * 26^8 == 26^(8+8) ).
So given the size of the input domain is the same for both cases, it suggests that either the website developer is stupid, or they have separate textboxes to aid usability (e.g. a long passphrase is generated by concatenating two easier-to-remember passwords), there’s a two-factor system in-place, or there’s a keylogger-circumvention technique in-place…. or something else entirely 🙂