WebApp Sec mailing list archives
RE: storing SSNs, CCNs, password in the DB
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Tue, 1 Mar 2005 09:31:59 -0500
On the subject of MD5, isn't MD5 currently in better circumstances than SHA-1, after this: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Jeff Robertson
Manager of Web Application Security
Digital Insight
-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Monday, February 28, 2005 04:58
To: Francesco
Cc: webappsec () securityfocus com
Subject: Re: storing SSNs, CCNs, password in the DB

Hi,

You may be able to steal a trick from unix password files and side-step the problem. Rather than storing those details, store a hash of them, using a secure hash algorithm. MD5 should be fine, despite the recent collision weakness. This allows you to check the incoming details, but an attacker cannot easily reconstruct the details from the stored data.

Regards,
Paul

Francesco wrote:
> It's for a web-based financial application (users accessing credit-card transaction information, signing in with their card number, PIN and last 4 of SSN) so we pretty much *have* to have that information in the DB to compare at logon.

-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk