WebApp Sec mailing list archives
Re: storing SSNs, CCNs, password in the DB
From: Adam Shostack <adam () homeport org>
Date: Sun, 27 Feb 2005 20:28:20 -0500
So, this will sound like pedantry, but it's worth starting from: The most secure way is to not store them. Use them for what you need, and then throw them away. With increasing numbers of laws coming into effect if you store these sorts of data, it may be worth business process analysis to see if you can discard data early. If you don't have an SSN, you can't decide that it would make a good password. (You also can't report on tax issues.) Adam On Sun, Feb 27, 2005 at 02:32:12PM -0800, Francesco wrote: | What is the most secure way to store SSNs, CCNs, and passwords in the | DB? | | Is this a good general policy? | | 1. If you need to be able to read the data back, the encrypt/decrypt | with something like TDES, storing the keys in the registry. | | 2. If you don't need to read the data back and you just need to compare, | then hash/salt with SHA1, storing the hash and salt in the DB. | | Francesco
Current thread:
- RE: ISA Server and SQL Injection, (continued)
- RE: ISA Server and SQL Injection Jeff Robertson (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
- RE: ISA Server and SQL Injection Jeff Robertson (Feb 17)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)