I have a system where I salt and hash passwords before saving them to the database, using FormsAuthentication in ASP.NET.

What I want to do is, rather than ask the customer for their password each time, I just want 3 random letters from their password. How can I compare this to the hash in the database? Will hashing still work in this case? From what I gather, hashing is only designed to be a one-way process and shouldn't be decrypted, so is checking 3 random letters for a hash even possible?

A: 

To achieve that, you'd need to know what the clear password is when you compare the letters, because you can't generate an identical hash with only 3 letters.

svanryckeghem
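
The point made in the answer, as an added example that is not part of the original post: a salted hash of the full password verifies only the full password, and a three-letter check succeeds only when the server still holds the clear text. It uses PBKDF2 from the Python standard library rather than the asker's FormsAuthentication setup; the function names, sample password, positions and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash of the complete password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_full(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Normal login check: re-hash the whole candidate and compare digests."""
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def verify_letters_with_hash(letters: str, salt: bytes, stored: bytes) -> bool:
    """Attempted partial check when only the stored hash is available.

    The server can hash only what it was given (the 3 letters). That digest
    is unrelated to the digest of the full password, so it does not match.
    """
    return hmac.compare_digest(hash_password(letters, salt), stored)


def verify_letters_with_clear(clear: str, positions: list, letters: str) -> bool:
    """Partial check that works, but only because the clear password is known."""
    if len(letters) != len(positions):
        return False
    if any(not 0 <= p < len(clear) for p in positions):
        return False
    expected = "".join(clear[p] for p in positions)
    return hmac.compare_digest(expected.encode(), letters.encode())


def demo() -> dict:
    password = "correct-horse-42"      # constructed sample password
    salt = os.urandom(16)
    stored = hash_password(password, salt)
    positions = [0, 8, 14]             # constructed challenge: 1st, 9th, 15th characters
    letters = "".join(password[p] for p in positions)
    return {
        "full_ok": verify_full(password, salt, stored),
        "letters_vs_hash": verify_letters_with_hash(letters, salt, stored),
        "letters_vs_clear": verify_letters_with_clear(password, positions, letters),
    }


if __name__ == "__main__":
    print(demo())
```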