Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 May 2011 14:46:15 -0400
From: Kevin Finisterre <kf@...italmunition.com>
To: john-users@...ts.openwall.com
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

Dually noted. Unfortunately the practice of using MD5 to hash a CC seems to fall within the PCI wording: 

"PCI DSS Requirement 3.4 –

Render [credit card numbers], at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

- Strong one-way hash functions (hashed indexes)
- Truncation
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key management processes and procedures"

In the bigger picture I suppose the request in this particular case is for the greater good... I do see the potential for the previously mentioned danger. The real danger perhaps lies in the fact that vendors have taken comfort in the practice all the while claiming to be following PCI compliance guidelines. I am making an effort to highlight how silly this practice is for someone that is making use of one such product. 

Thanks in advance. 
-KF

On May 18, 2011, at 2:14 PM, RB wrote:

> An interesting problem, but one fraught with danger for both requester
> and helper.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.