Banking-Grade Credential Stuffing: The Futility of Partial Password Validation
A recent blog post by Junade Ali discusses the insecurity of Partial Password Validation, a practice used by many websites, including banks and services that hold sensitive data. The method prompts users to enter three characters from randomly chosen positions of their password to prove account ownership, rather than the whole password. Ali argues that this approach encourages weak password management and increases exposure to credential stuffing attacks. Using a database of 488,129 breached passwords, he ran simulations showing that knowing only three characters of a password is enough for attackers to compromise a significant proportion of such accounts. The post concludes that Partial Password Validation does not effectively protect against keyloggers and recommends Two-Factor Authentication or Multi-Factor Authentication instead.
Company: Cloudflare
Date published: Dec. 20, 2018
Author(s): Junade Ali
Word count: 1528
Hacker News points: None found.
Language: English