If I have a users 6 digit PIN (or n char string) and I wish to verify say 3 digits chosen at random from the PIN (or x chars) as part of a 'login' procedure, how would I store the PIN in a database or some encrypted/hashed version of the PIN in such a way that I could verify the users identity?
Thoughts:
- Store the PIN in a reversible (symmetrically or asymmetrically) encrypted manner, decrypt for digit checks.
- Store a range of hashed permutations of the PIN against some
ID, which links to the 'random
digits' selected, eg:
- ID: 123 = Hash of Digits 1, 2, 3
- ID: 416 = Hash of Digits 4, 1, 6
Issues:
- Key security: Assume that the key is 'protected' and that the app is not financial nor highly critical, but is 'high-volume'.
- Creating a wide-number number of hash permutations is both prohibitively high-storage (16bytes x several permutations) and time-consuming probably overkill
Are there any other options, issues or refinements?
Yes: I know storing passwords/PINs in a reversible manner is 'contentious' and ideally shouldn't be done.
Update
Just for clarification: 1. Random digits is a scheme I am considering to avoid key-loggers. 2. It is not possible to attempt more than a limited number of retries. 3. Other elements help secure and authenticate access.