Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 May 2011 18:34:31 -0400
From: Brad Tilley <>
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

On 05/18/2011 05:46 PM, Per Thorsheim wrote:
> On Wed, 2011-05-18 at 22:56 +0200, bartavelle wrote:
>> Le 18/05/2011 20:46, Kevin Finisterre a écrit :
>>> - Strong one-way hash functions (hashed indexes)
>> I suppose this should be some kind of HMAC to be even remotely useful.
>> That way a simple database leak would not lead to an epic fail.
>> Just doing MD5 is incredibly stupid. Credit cards are mostly 16 digits,
>> and as mentionned previously, have predictible first digits. Moreover,
>> you can remove one thanks to luhn algorithm. Even with no knowledge of
>> the first digits, you have a 10^15 keyspace. Oclhashcat + hd5970 =
>> 4.4*10^9 tests/s, which means 63 hours of cracking (for a single hash).
>> Of course this is way easier if you know the possible first digits.
>> (and PCI-DSS is not directly about making you secure)
> But not even PCI-DSS says anything specific on which algorithm, key
> lengths etc that you can or cannot use. Probably a good idea for such a
> standard, but it does require just a bit more brains on the
> implementation side of it all.
> Trivia of the day: 
> Sony PSN now requires password to be minimum alphanumeric length 8. They
> protect some personal ID, as well as parts of your credit card details. 
> PCI-DSS v2, released Oct 2010, requires minimum alphanumeric length 7.
> PCI-DSS protects all your credit card details, as well as other types of
> information about you from a financial perspective.

This is true. The password "soccer1" (all lower case) is a valid PCI-DSS

> In addition the password policy requirement descriptions of PCI-DSS
> (v1.2) are inconsistent, as I've blogged about earlier. Currently
> searching for updates in that area in v2.
> --
> Best regards,
> Per Thorsheim

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.