
When you change your password, you're usually required to enter both the old and the new one. This is when the check is usually performed.

What I'm more worried about is the system that some Polish banks use, called masked passwords over here. With this system, you're only required to enter certain characters of your password, but the set of required characters changes at each login. This exists to make key loggers much less effective. There's apparently some hashing going on (something to do with curves and polynomials), but I couldn't find more details when I last looked.



Hopefully the bank stores a separate hash for each mask, generated at the time of password creation. Otherwise, it’s hard for me to imagine how this would be possible without saving the password in clear text.


> a separate hash for each mask

If someone steals a hash for characters 1-4 they'll be able to brute force it. Only 10000x the cost of a single login. And then if you have the hash for characters 2-5...
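The brute-force arithmetic in this thread can be made concrete. The following Python is an added illustration, not code from any bank or from the commenters: it models the speculated "one salted hash per mask" storage, a login that challenges a random mask, and the work factor a defender should assume if a single mask hash leaks. The digit-only alphabet, the 10-character password and the two overlapping masks are constructed sample values; SHA-256 stands in for whatever slow KDF a real system would use, which changes the cost per guess but not the number of guesses.

```python
import hashlib
import hmac
import itertools
import os
import secrets
import string

# Constructed toy parameters: digit-only passwords give the 10^4 figure
# quoted in the thread for a four-character mask.
ALPHABET = string.digits
MASK_LEN = 4


def mask_hash(chars: str, positions: tuple, salt: bytes) -> str:
    """Salted hash over the characters selected by one mask.

    The position list is mixed in so that the same characters at
    different positions do not collide. Positions are 0-based here;
    the thread's "characters 1-4" are indices 0-3.
    """
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hashlib.sha256(salt + msg).hexdigest()


def enroll(password: str, masks: list) -> dict:
    """Store one hash per mask at password-creation time (the speculated scheme)."""
    salt = os.urandom(16)
    hashes = {}
    for positions in masks:
        chars = "".join(password[p] for p in positions)
        hashes[tuple(positions)] = mask_hash(chars, tuple(positions), salt)
    return {"salt": salt, "hashes": hashes}


def challenge(record: dict) -> tuple:
    """Pick the mask the user must answer at this login."""
    return secrets.choice(list(record["hashes"]))


def verify(record: dict, positions: tuple, supplied: str) -> bool:
    """Constant-time comparison of the supplied characters against the stored mask hash."""
    expected = record["hashes"].get(tuple(positions))
    if expected is None or len(supplied) != len(positions):
        return False
    return hmac.compare_digest(mask_hash(supplied, tuple(positions), record["salt"]), expected)


def brute_force_cost(alphabet_size: int, mask_len: int) -> int:
    """Upper bound on guesses needed against one leaked mask hash."""
    return alphabet_size ** mask_len


def recover_mask_chars(record: dict, positions: tuple) -> tuple:
    """Measure the exposure of a single leaked mask hash.

    Enumerates the alphabet over the mask length and returns the matching
    characters plus the number of hashes computed, so the cost can be
    compared with brute_force_cost(). Returns (None, attempts) on failure.
    """
    target = record["hashes"][tuple(positions)]
    attempts = 0
    for combo in itertools.product(ALPHABET, repeat=len(positions)):
        attempts += 1
        candidate = "".join(combo)
        if mask_hash(candidate, tuple(positions), record["salt"]) == target:
            return candidate, attempts
    return None, attempts


def merge_recovered(*fragments) -> dict:
    """Combine (positions, chars) pairs from several masks into position -> char.

    Overlapping masks such as 1-4 and 2-5 reveal a contiguous run of the
    password, which is the escalation the thread points at.
    """
    known = {}
    for positions, chars in fragments:
        for p, c in zip(positions, chars):
            known[p] = c
    return known


if __name__ == "__main__":
    password = "7391046285"  # constructed sample, digits only
    masks = [(0, 1, 2, 3), (1, 2, 3, 4)]
    record = enroll(password, masks)
    mask = challenge(record)
    answer = "".join(password[p] for p in mask)
    print("login ok:", verify(record, mask, answer))
    print("guesses for one leaked mask hash <=", brute_force_cost(len(ALPHABET), MASK_LEN))
    chars, tries = recover_mask_chars(record, masks[0])
    print("leaked mask 0 yields", chars, "after", tries, "hashes")
```

Running it shows that each stored mask hash is a four-digit secret protected only by the cost of a hash call, and that two overlapping masks together expose five consecutive characters; the full ten-digit password would have needed 10^10 guesses against a single conventional hash.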


Is this still the case? When living in Poland 15 years ago I had an account with WBK and they had this idiotic system where I had to write my password on a piece of paper with numbers below to be able to give the 3rd, 5th and 11th character. Goodbye password managers (at least the automatization part).

Then, suddenly, they got back to a normal login and password (I think I had the choice IIRC) but then I left the country.

Poland is a beautiful country, I lived in Krakow for a few years and it was A-WE-SOME.



