WebApp Sec mailing list archives
Re: storing SSNs, CCNs, password in the DB
From: "Francesco" <francesco () blackcoil com>
Date: Sun, 27 Feb 2005 18:08:09 -0800
It's for a web-based financial application (users accessing credit-card transaction information, signing in with their card number, PIN and last 4 of SSN) so we pretty much *have* to have that information in the DB to compare at logon. Francesco On Sun, 27 Feb 2005 20:28:20 -0500, "Adam Shostack" <adam () homeport org> said:
So, this will sound like pedantry, but it's worth starting from: The most secure way is to not store them. Use them for what you need, and then throw them away. With increasing numbers of laws coming into effect if you store these sorts of data, it may be worth business process analysis to see if you can discard data early. If you don't have an SSN, you can't decide that it would make a good password. (You also can't report on tax issues.) Adam On Sun, Feb 27, 2005 at 02:32:12PM -0800, Francesco wrote: | What is the most secure way to store SSNs, CCNs, and passwords in the | DB? | | Is this a good general policy? | | 1. If you need to be able to read the data back, the encrypt/decrypt | with something like TDES, storing the keys in the registry. | | 2. If you don't need to read the data back and you just need to compare, | then hash/salt with SHA1, storing the hash and salt in the DB. | | Francesco
Current thread:
- Re: ISA Server and SQL Injection, (continued)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)