WebApp Sec mailing list archives

Re: random character checking at logon


From: Tim <tim-security () sentinelchicken org>
Date: Wed, 20 Apr 2005 18:58:01 -0400

We have a policy for internet based login that passwords shouldn't be
entered in full. Random characters from the password are prompted for,
e.g. 2nd, 3rd, last.

^^^^^ I think your problem lies in this. ^^^^^

How many random digits are required each time?  Especially on the web,
it sounds like this is just asking for an online brute-force attack,
unless it is implemented *very* carefully.  Even then, it still sounds
like a bad idea.

tim

