Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: storing SSNs, CCNs, password in the DB

from [Jeff Robertson] Network Security [Permanent Link]
Subject: RE: storing SSNs, CCNs, password in the DB
Date: Tue, 1 Mar 2005 09:31:59 -0500 
On the subject of MD5, isn't MD5 currently in better circumstances that
SHA-1, after this:

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html


Jeff Robertson
Manager of Web Application Security
Digital Insight



-----Original Message-----
From: Paul Johnston [mailto:paul@westpoint.ltd.uk]
Sent: Monday, February 28, 2005 04:58
To: Francesco
Cc: webappsec@securityfocus.com
Subject: Re: storing SSNs, CCNs, password in the DB


Hi,

You may be able to steal a trick from unix password files and 
site-step 
the problem.

Rather than storing those details, store a hash of them, 
using a secure 
hash algorithm. MD5 should be fine, despite the recent collision 
weakness. This allows you to check the incoming details, but 
an attacker 
cannot easily reconstruct the details from the stored data.

Regards,

Paul


Francesco wrote:


It's for a web-based financial application (users accessing 

credit-card

transaction information, signing in with their card number, 

PIN and last

4 of SSN) so we pretty much *have* to have that information 

in the DB to

compare at logon.
 


-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], Jeremiah Grossman
Next by Date:  Preventing direct URL access in a J2EE environment, Kevin Conaway
Previous by Thread:  Re: storing SSNs, CCNs, password in the DB, Joseph Miller
Next by Thread:  RE: storing SSNs, CCNs, password in the DB, McAllister, Andrew
Indexes:  [Date] [Thread] [Top] [All Lists]