Message-ID: <1305755210.5803.75.camel@quad>
Date: Wed, 18 May 2011 23:46:50 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com, bartavelle@...il.com
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

On Wed, 2011-05-18 at 22:56 +0200, bartavelle wrote:
> On 18/05/2011 20:46, Kevin Finisterre wrote:
> > - Strong one-way hash functions (hashed indexes)
> 
> I suppose this should be some kind of HMAC to be even remotely useful.
> That way a simple database leak would not lead to an epic fail.
> 
> Just doing MD5 is incredibly stupid. Credit cards are mostly 16 digits,
> and as mentioned previously, have predictable first digits. Moreover,
> you can remove one thanks to the Luhn algorithm. Even with no knowledge of
> the first digits, you have a 10^15 keyspace. Oclhashcat + hd5970 =
> 4.4*10^9 tests/s, which means 63 hours of cracking (for a single hash).
> Of course this is way easier if you know the possible first digits.
> 
> (and PCI-DSS is not directly about making you secure)

But not even PCI-DSS says anything specific on which algorithms, key
lengths, etc. you can or cannot use. Probably a good idea for such a
standard, but it does require just a bit more brains on the
implementation side of it all.

Trivia of the day:
Sony PSN now requires passwords to be a minimum alphanumeric length of 8. They
protect some personal ID, as well as parts of your credit card details.

PCI-DSS v2, released Oct 2010, requires a minimum alphanumeric length of 7.
PCI-DSS protects all your credit card details, as well as other types of
information about you from a financial perspective.

In addition the password policy requirement descriptions of PCI-DSS
(v1.2) are inconsistent, as I've blogged about earlier. Currently
searching for updates in that area in v2.

--
Best regards,
Per Thorsheim
CISA, CISM, CISSP-ISSAP
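As an added illustration, not part of the original thread or any list member's code, the arithmetic bartavelle gives above carried through in Python: the Luhn check digit is determined by the other digits, so it removes one free position, an unknown 16-digit PAN leaves a 10^15 keyspace, and at the 4.4*10^9 tests/s figure quoted in the thread that is about 63 hours; knowing the issuer prefix shrinks it dramatically. Alongside that, an unkeyed MD5 "hashed index" is shown next to the HMAC alternative he suggests, where a secret key kept outside the database is what a leaked table lacks. The sample PAN (4111111111111111, a widely used Luhn-valid test number) and the key are constructed, and the hash rate is the thread's figure, not a measurement.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the PAN is a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"
THREAD_RATE_PER_SECOND = 4.4e9  # figure quoted in the thread for oclHashcat + HD5970


def luhn_check_digit(partial: str) -> int:
    """Return the Luhn check digit for a digit string that lacks its final digit.

    Walking from the right, every digit at an even offset is doubled (it sits
    at an odd position once the check digit is appended); digits above 9 have
    9 subtracted. The check digit makes the total a multiple of 10.
    """
    total = 0
    for offset, ch in enumerate(reversed(partial)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the Luhn check digit of the rest."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def keyspace(length: int, known_prefix_digits: int = 0) -> int:
    """Number of candidate PANs an attacker must try for an unkeyed hash.

    The known prefix (e.g. an issuer identifier) and the Luhn check digit are
    not free choices, so only the remaining positions multiply the keyspace.
    """
    free_digits = length - known_prefix_digits - 1
    if free_digits < 0:
        raise ValueError("prefix longer than the number itself")
    return 10 ** free_digits


def hours_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Wall-clock hours to try every candidate at the given hash rate."""
    return candidates / rate_per_second / 3600


def crack_estimates(length: int = 16, rate: float = THREAD_RATE_PER_SECOND) -> dict:
    """Hours to exhaust the keyspace for 0 and 6 known leading digits.

    0 known digits reproduces the thread's 10^15 / 63-hour figure; 6 is the
    length of a typical issuer prefix, used here as an assumption.
    """
    return {
        known: hours_to_exhaust(keyspace(length, known), rate)
        for known in (0, 6)
    }


def md5_index(pan: str) -> str:
    """The unkeyed 'hashed index' the thread criticises: anyone holding the
    table can recompute it for every candidate PAN offline."""
    return hashlib.md5(pan.encode()).hexdigest()


def hmac_index(pan: str, key: bytes) -> str:
    """Keyed index: without the key, a leaked table cannot be tested against
    candidate PANs at all, so the keyspace above no longer bounds the attack.
    HMAC-SHA256 is an assumed choice; the thread only says 'some kind of HMAC'."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("Luhn valid:", luhn_valid(SAMPLE_PAN))
    for known, hours in crack_estimates().items():
        print(f"{known:2d} known leading digits -> {keyspace(16, known):.0e} "
              f"candidates, {hours:.2f} hours at the thread's rate")
    key = secrets.token_bytes(32)  # constructed; in practice held in an HSM/KMS
    print("md5 index :", md5_index(SAMPLE_PAN))
    print("hmac index:", hmac_index(SAMPLE_PAN, key))
```

Running the script reproduces the thread's 63-hour estimate for a fully unknown 16-digit number and shows the same keyspace collapsing to seconds once six leading digits are known, which is the point of moving to a keyed index rather than hoping for a slow attacker.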
