Date: Wed, 18 May 2011 23:46:50 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com, bartavelle@...il.com
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

On Wed, 2011-05-18 at 22:56 +0200, bartavelle wrote:
> On 18/05/2011 20:46, Kevin Finisterre wrote:
> > - Strong one-way hash functions (hashed indexes)
>
> I suppose this should be some kind of HMAC to be even remotely useful.
> That way a simple database leak would not lead to an epic fail.
>
> Just doing MD5 is incredibly stupid. Credit cards are mostly 16 digits,
> and as mentioned previously, have predictable first digits. Moreover,
> you can remove one thanks to the Luhn algorithm. Even with no knowledge of
> the first digits, you have a 10^15 keyspace. Oclhashcat + hd5970 =
> 4.4*10^9 tests/s, which means 63 hours of cracking (for a single hash).
> Of course this is way easier if you know the possible first digits.
>
> (and PCI-DSS is not directly about making you secure)

But not even PCI-DSS says anything specific on which algorithm, key
lengths etc. that you can or cannot use. Probably a good idea for such a
standard, but it does require just a bit more brains on the
implementation side of it all.

Trivia of the day: Sony PSN now requires passwords to be of minimum
alphanumeric length 8. They protect some personal ID, as well as parts of
your credit card details. PCI-DSS v2, released Oct 2010, requires minimum
alphanumeric length 7. PCI-DSS protects all your credit card details, as
well as other types of information about you from a financial
perspective.

In addition, the password policy requirement descriptions of PCI-DSS
(v1.2) are inconsistent, as I've blogged about earlier. Currently
searching for updates in that area in v2.

-- 
Best regards,
Per Thorsheim
CISA, CISM, CISSP-ISSAP
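The keyspace arithmetic quoted above (16 digits, one removed by the Luhn check digit, 10^15 candidates at 4.4*10^9 tests/s giving about 63 hours) and the HMAC suggestion, as an added worked example that is not part of the thread. It checks the Luhn digit, sizes the candidate space for a given PAN length and number of known prefix digits, and contrasts an unkeyed MD5 "hashed index" with a keyed HMAC-SHA256 one. The test PAN 4111111111111111 is a well-known dummy number, and the key handling is a stand-in for a real key management setup.

```python
import hashlib
import hmac

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for the PAN without its final digit.

    Walking from the right, the digit next to the check digit is doubled,
    then every second digit after it; doubled digits above 9 have 9 subtracted.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    """True if the last digit of the PAN is its correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

def pan_keyspace(length: int, known_prefix_digits: int = 0) -> int:
    """Number of Luhn-valid PANs of a given length with a known prefix.

    The check digit is determined by the other digits, so it is not free;
    with no prefix known a 16-digit PAN leaves 10**15 candidates.
    """
    free_digits = length - known_prefix_digits - 1
    return 10 ** free_digits

def crack_hours(keyspace: int, tests_per_second: float) -> float:
    """Worst-case time to test every candidate against one hash, in hours."""
    return keyspace / tests_per_second / 3600

def md5_index(pan: str) -> str:
    """The weak scheme discussed in the thread: anyone holding the leaked
    table can test candidate PANs against it with no secret required."""
    return hashlib.md5(pan.encode()).hexdigest()

def hmac_index(pan: str, key: bytes) -> str:
    """Keyed index: without the secret key, a leaked table cannot be tested
    against candidate PANs. Key shown here is constructed; a real deployment
    would keep it in an HSM or key management service, not next to the table."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    # Constructed demo values.
    print(luhn_valid("4111111111111111"), pan_keyspace(16), round(crack_hours(10**15, 4.4e9), 1))
```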