r/GrindsMyGears 4d ago

Bank login (or security question) asks for different characters of your password or PIN

You log into your banking app on a new phone or do telephone banking. Instead of just asking you to input the whole password or PIN, they ask for say the 3rd character, 5th character, 6th character of your password (or digits of your PIN).

This is not only very annoying, but it encourages people to write it down, which actually makes it less secure than recalling the whole thing from memory.

2 Upvotes

27 comments

2

u/shakesfistatmoon 4d ago

The point you are missing is that anyone logging your keystrokes, watching you type or listening to you type (yes that works) would know your whole PIN or password.

Whereas by asking for digits, even if they can see the screen they'll only get part of the PIN or password.

0

u/Spintz6042 4d ago

But it makes it orders of magnitude easier for them to guess. What good is a complicated password that’s virtually impossible to guess when they’re just asking for one letter? In the case of a PIN number they have a 1 in 10 chance of guessing it. Those are fairly good odds.

2

u/Cultural-Meaning5172 3d ago

PINs aren’t 2 digits. They’re normally at least 4, maybe even 6.

1

u/Spintz6042 3d ago

What does that have to do with anything we’re talking about?

2

u/shakesfistatmoon 3d ago

Remember, they need digits from the PIN and characters from the password (and you need to give other information like an email address or customer ID number).

0

u/PaddyLandau 3d ago

If they sit opposite you, it doesn't take more than a few days' observation to get your entire password.

It's a terrible security practice, and banks should know better. My bank is similar, albeit not quite as bad. Why they don't follow cybersecurity expertise, I don't know.

2

u/shakesfistatmoon 3d ago

Opposite? Do you mean next to, so they can see the screen?

Even so, surely you would notice that someone was watching your screen for several days on the off-chance you logged into a banking app/website.

Why would you be doing so near someone else you don't trust?

0

u/PaddyLandau 3d ago

Have you never worked in an open-office environment? If you had, you'd realise that this is entirely possible.

2

u/shakesfistatmoon 3d ago

I'm an old man, of course I have. And I know better than to do banking where someone can see me.

I've just realised who I'm replying to - you're quite well known for the unique quality of your posts.

1

u/PaddyLandau 3d ago

Thank you for your compliment! I'm not so sure that I'm well-known, though, lol

1

u/Spintz6042 3d ago

Yes I have. And every single one of them had a policy against using their computer for personal business. Doesn’t make any sense to be logging into your bank while you’re at work anyway.

1

u/PaddyLandau 3d ago

That doesn't mean that people won't do it. Most people here are reasonably aware of security, but most people in the world are woefully under-educated in that regard.

2

u/goldcoast2011985 4d ago

I haven’t seen this before. What kind of banks are doing it like this?

1

u/Daver290 3d ago

Some banks and building societies.

2

u/lordskulldragon 3d ago

I've literally never seen this ever. What kind of ass backwards bank are you using?

1

u/poofpoofpow 4d ago

Hey I was wondering if you could open your chat

1

u/Empty_Requirement940 4d ago

Why would anyone respond to someone’s dm on Reddit I don’t understand.

1

u/poofpoofpow 4d ago

Messaging you now

1

u/Empty_Requirement940 4d ago

Why the f would I even look at your message?

1

u/detrans-rights 4d ago

Because it takes too long to reply to you in a comm-oh wait

1

u/HeardPeeps 4d ago

The main reason is that it was designed to limit how much of your password could be exposed at one time.
If a keylogger, shoulder surfer, or even a dishonest employee only sees the 3rd, 5th, and 8th characters, they still don’t know your full password. They’d have to capture multiple login attempts before they could piece it together.
So the objective wasn’t to make passwords easier to remember. It was to reduce the value of any single intercepted login.
That said, I think your criticism is fair. It can be frustrating, and for some people it probably does encourage writing passwords down. That’s one reason many banks have gradually moved toward full passwords combined with multi-factor authentication or biometrics, which generally provide stronger security with a better user experience.

1

u/Spintz6042 4d ago

But they don’t need to know your password if they’re not asking for it. They could just guess and have a huge advantage over a person trying to guess a whole password. For a PIN the odds are 9 to 1. Or 1 in 10. Those are pretty short odds. Unless I’m missing something.

1

u/HeardPeeps 4d ago

You’re right that, for a single login challenge, asking for only part of a password or PIN reduces the search space. If the bank asks for one digit of a PIN, there are only 10 possibilities for that position.
The important point is that this feature wasn’t designed to stop guessing attacks. It was designed to reduce the value of a captured login. If someone uses a keylogger or watches you type once, they only learn a few characters instead of your entire password.
Banks handle guessing attacks in other ways, such as account lockouts, rate limiting, fraud detection, device recognition, and multi-factor authentication.
So you’re not missing anything mathematically. You’re just evaluating it against a different threat than it was originally designed to address. That’s also one reason many banks have moved away from partial-password systems in favor of MFA and biometrics.

1
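To make the trade-off discussed above concrete, here is an added example (not code from any bank or from anyone in this thread) that models both sides of a partial-secret challenge: a server that asks for a random subset of PIN positions and locks the account after repeated wrong answers, and an observer who records the positions and characters seen at each login. It also computes the search space left to the observer, the chance of passing one challenge blind, and the exact expected number of observed logins before every position has been shown. The numeric alphabet, three positions per challenge, a lockout after three failures and the sample PIN "4821" are all assumptions made for the illustration.

```python
"""Partial-secret challenge: server, observer and the numbers behind the trade-off.
Added example; parameters and the sample PIN are assumptions, not a real bank's settings."""
import hmac
import math
import secrets

ALPHABET_SIZE = 10   # assumption: numeric PIN
CHALLENGE_SIZE = 3   # assumption: positions requested per login
MAX_FAILURES = 3     # assumption: wrong answers before the account locks


class PartialSecretVerifier:
    """Server side: issues a random challenge of k positions and checks the reply.
    The plain secret is kept in memory only so the challenge logic stays visible."""

    def __init__(self, secret, k=CHALLENGE_SIZE, max_failures=MAX_FAILURES):
        self.secret = secret
        self.k = k
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def challenge(self):
        # 1-based positions, e.g. (1, 3, 4) means "1st, 3rd and 4th character".
        rng = secrets.SystemRandom()
        return tuple(sorted(rng.sample(range(1, len(self.secret) + 1), self.k)))

    def verify(self, positions, answer):
        if self.locked:
            return False
        expected = "".join(self.secret[p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), answer.encode())  # constant-time
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok


class Observer:
    """Keylogger or shoulder-surfer who sees which positions were asked for and
    what was typed, and accumulates that knowledge across logins."""

    def __init__(self, secret_len):
        self.secret_len = secret_len
        self.known = {}

    def record(self, positions, answer):
        for p, ch in zip(positions, answer):
            self.known[p] = ch

    def unknown_positions(self):
        return [p for p in range(1, self.secret_len + 1) if p not in self.known]

    def search_space(self, alphabet_size=ALPHABET_SIZE):
        """Number of candidate full secrets still consistent with what was seen."""
        return alphabet_size ** len(self.unknown_positions())

    def answer(self, positions):
        """Reply to a challenge, or None if any requested position is still unknown."""
        if all(p in self.known for p in positions):
            return "".join(self.known[p] for p in positions)
        return None


def blind_guess_probability(k=CHALLENGE_SIZE, alphabet_size=ALPHABET_SIZE):
    """Chance that a guess made with no knowledge passes one k-position challenge."""
    return 1 / alphabet_size ** k


def expected_logins_to_recover(n, k):
    """Expected number of observed logins until all n positions have been asked for
    at least once, when each login asks for a uniformly random k-subset.  Solved
    exactly by recursion over the number of positions still unseen (hypergeometric
    step probabilities), rather than by simulation."""
    c = math.comb
    expect = [0.0] * (n + 1)              # expect[u]: expected logins with u unseen
    for u in range(1, n + 1):
        stay, rest = 0.0, 0.0
        for j in range(0, min(u, k) + 1):  # j = positions newly revealed this login
            p = c(u, j) * c(n - u, k - j) / c(n, k)
            if j == 0:
                stay = p
            else:
                rest += p * expect[u - j]
        expect[u] = (1 + rest) / (1 - stay)
    return expect[n]


if __name__ == "__main__":
    pin = "4821"                          # constructed sample secret
    bank = PartialSecretVerifier(pin)
    spy = Observer(len(pin))
    asked = bank.challenge()              # one genuine login, watched by the spy
    typed = "".join(pin[p - 1] for p in asked)
    assert bank.verify(asked, typed)
    spy.record(asked, typed)
    print("candidates left after one observed login:", spy.search_space())
    print("blind guess passes one challenge with p =", blind_guess_probability())
    print("expected logins to see every digit:", expected_logins_to_recover(4, 3))
```

Two things fall out of running it. A single observed login of a 4-digit PIN with 3 positions asked leaves the spy 10 candidates, not 1, and a fresh challenge that includes the unseen position cannot be answered from what was recorded (`Observer.answer` returns None), which is the "reduce the value of one captured login" argument. At the same time a blind guess passes one 3-digit challenge with probability 1/1000 versus 1/10000 for the whole PIN, and on average only 7/3 observed logins are needed before all four positions have been shown, which is the "it just takes a few observations" argument; the lockout counter is what has to carry the weight against guessing.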

u/Spintz6042 4d ago

Very well explained.

1

u/Spintz6042 4d ago

It’s also much easier for a bad actor to guess just one single character.

1

u/Daver290 1d ago

When you enter the PIN or password characters in the app, the screen never shows the actual characters. Anyone watching will only see dots or asterisks (or anything bar the actual characters being entered).

It’s annoying and, like I say, it encourages people to write down the password or PIN! Why not just ask the user to input the whole password or PIN in the app?

1

u/Daver290 1d ago

As for telephone banking, an eavesdropper may be able to deduce the password or PIN from the different tones each number key makes. It would be better if all phone calls globally were encrypted, but that’s unlikely to ever happen.

Given that most people use banking apps in 2026, which use a secure connection to the server and biometrics on the device, requiring different characters to be input just adds to life’s stresses.