Date: Wed, 18 May 2011 18:34:31 -0400
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

On 05/18/2011 05:46 PM, Per Thorsheim wrote:
> On Wed, 2011-05-18 at 22:56 +0200, bartavelle wrote:
>> On 18/05/2011 20:46, Kevin Finisterre wrote:
>>> - Strong one-way hash functions (hashed indexes)
>>
>> I suppose this should be some kind of HMAC to be even remotely useful.
>> That way a simple database leak would not lead to an epic fail.
>>
>> Just doing MD5 is incredibly stupid. Credit cards are mostly 16 digits,
>> and as mentioned previously, have predictable first digits. Moreover,
>> you can remove one thanks to the Luhn algorithm. Even with no knowledge of
>> the first digits, you have a 10^15 keyspace. Oclhashcat + hd5970 =
>> 4.4*10^9 tests/s, which means 63 hours of cracking (for a single hash).
>> Of course this is way easier if you know the possible first digits.
>>
>> (and PCI-DSS is not directly about making you secure)
>
> But not even PCI-DSS says anything specific on which algorithm, key
> lengths etc. that you can or cannot use. Probably a good idea for such a
> standard, but it does require just a bit more brains on the
> implementation side of it all.
>
> Trivia of the day:
> Sony PSN now requires passwords to be a minimum alphanumeric length of 8. They
> protect some personal ID, as well as parts of your credit card details.
>
> PCI-DSS v2, released Oct 2010, requires a minimum alphanumeric length of 7.
> PCI-DSS protects all your credit card details, as well as other types of
> information about you from a financial perspective.

This is true. The password "soccer1" (all lower case) is a valid PCI-DSS password.

> In addition the password policy requirement descriptions of PCI-DSS
> (v1.2) are inconsistent, as I've blogged about earlier. Currently
> searching for updates in that area in v2.
>
> --
> Best regards,
> Per Thorsheim
> CISA, CISM, CISSP-ISSAP
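As an added illustration (not code from anyone in this thread), the Python below reproduces the keyspace arithmetic bartavelle gives (one digit removed by the Luhn check digit, 10^15 candidates at 4.4*10^9 tests/s is about 63 hours) and contrasts a plain MD5 index with the keyed HMAC index the thread recommends. The sample PAN is a constructed test number and the HMAC keys are placeholders.

```python
import hashlib
import hmac

# Constructed sample PAN: a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> int:
    """Return the Luhn check digit for the digits that precede it."""
    total = 0
    # Walk right-to-left over the digits before the check digit;
    # the rightmost of those is the first one that gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True when the PAN's last digit is its correct Luhn check digit."""
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == int(pan[-1])


def candidate_space(total_digits: int, known_prefix_digits: int = 0) -> int:
    """Luhn-valid PANs of this length consistent with a known prefix.
    The check digit is fixed by the others, hence the -1 the thread mentions."""
    free = total_digits - known_prefix_digits - 1
    return 10 ** free


def hours_to_enumerate(space: int, rate_per_second: float) -> float:
    """Wall-clock hours to try every candidate once at the given rate."""
    return space / rate_per_second / 3600


def md5_index(pan: str) -> str:
    """Unkeyed index: anyone holding the leaked table can recompute it."""
    return hashlib.md5(pan.encode()).hexdigest()


def hmac_index(pan: str, key: bytes) -> str:
    """Keyed index: without the key the table cannot be matched offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(candidate_space(16), hours_to_enumerate(candidate_space(16), 4.4e9))
```

With a known 6-digit prefix the same arithmetic drops to 10^9 candidates, which is why the HMAC key, kept apart from the database, is what actually protects the index.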