WebApp Sec mailing list archives

RE: storing SSNs, CCNs, password in the DB


From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Tue, 1 Mar 2005 09:31:59 -0500

On the subject of MD5, isn't MD5 currently in better circumstances than SHA-1, after this:

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html


Jeff Robertson
Manager of Web Application Security
Digital Insight


-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Monday, February 28, 2005 04:58
To: Francesco
Cc: webappsec () securityfocus com
Subject: Re: storing SSNs, CCNs, password in the DB


Hi,

You may be able to steal a trick from unix password files and side-step the problem.

Rather than storing those details, store a hash of them, using a secure hash algorithm. MD5 should be fine, despite the recent collision weakness. This allows you to check the incoming details, but an attacker cannot easily reconstruct the details from the stored data.

Regards,

Paul


Francesco wrote:

It's for a web-based financial application (users accessing credit-card transaction information, signing in with their card number, PIN and last 4 of SSN) so we pretty much *have* to have that information in the DB to compare at logon.

-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk


