When I log into my ISA, I get asked for three random digits from my password. Weirdly enough, I managed to set my password wrongly when I set up the account, so I don’t actually know the last digit of my password.
Whenever it asks me for that digit on logon/trade I just click cancel and it asks for another 3 random characters (which would generally not include the last digit, but if they do I just press cancel again to regenerate again). I type in the password and continue.
This idea that I essentially get to choose which digits of my password I supply (or strictly speaking the ones I don’t supply) seems inherently insecure. I thought the whole point of these partial passwords was that you are never typing in your full password, and hence anyone observing you (physically or electronically) has very little chance of gaining the info they need to supply the requested digits when they try to login themselves. If you give them the option of declining requests repeatedly until they get asked for the password they DO know, then surely that is less secure…
Clearly the scenario I have painted isn’t too much of an issue given the numbers involved. But the principle remains true, and becomes more likely if for example someone observed 6 characters out of a 12-digit password.
Whaddaya think?
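
The 6-of-12 case above can be put into numbers. This is an added example, not part of the original post and not the provider's code: it computes how often a 3-character challenge falls entirely inside the observed characters, with and without cancelling, and sketches a hypothetical `ChallengeIssuer` that keeps the same challenge until it is answered correctly. Uniformly random position selection and all names here are assumptions.

```python
import random
from math import comb

def p_answerable(length, known, asked=3):
    """Chance one random challenge asks only for characters the observer saw."""
    return comb(known, asked) / comb(length, asked)

def p_with_cancels(length, known, cancels, asked=3):
    """Chance at least one of (1 + cancels) independent challenges is answerable."""
    miss = 1 - p_answerable(length, known, asked)
    return 1 - miss ** (cancels + 1)

class ChallengeIssuer:
    """Hypothetical server-side issuer. With sticky=True the same positions are
    asked until they are answered correctly, so cancelling gains nothing."""
    def __init__(self, length, asked=3, sticky=False, seed=0):
        self.length, self.asked, self.sticky = length, asked, sticky
        self.rng = random.Random(seed)   # seeded so the demo is repeatable
        self.pending = {}                # account -> positions currently asked

    def challenge(self, account):
        if not self.sticky or account not in self.pending:
            picks = self.rng.sample(range(self.length), self.asked)
            self.pending[account] = tuple(sorted(picks))
        return self.pending[account]

    def answered_correctly(self, account):
        self.pending.pop(account, None)  # only now may a new challenge be drawn

def cancels_until_answerable(issuer, account, known_positions, limit=1000):
    """Cancels needed before a challenge lies inside known_positions,
    or None if no such challenge appears within `limit` requests."""
    for cancels in range(limit):
        if set(issuer.challenge(account)) <= known_positions:
            return cancels
    return None
```

With 6 of 12 characters observed, a single challenge is answerable about 9% of the time (20 of 220 combinations), while fifty cancels push that above 99%; the sticky issuer holds it at the single-challenge figure.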