On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said: > tell ya what... here's my SSN hashed with a salt: > =09e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440 > > as soon as you recover my SSN, just let me know. Tell you what - give me the salt and the hash algorithm, and it will be quick work indeed. Remember that the company probably needs an *invertible* function as they need to be able to access the original value, so the trick of "hash the SSN and see if you get the same to compare for equality" isn't usable. You can use a one-way function if the only question is "Is 109-00-4368 the SSN for Customer XYZ?". If you need to be able to answer "What is Customer XYZ's SSN?" you need an invertible function. And if you ever do a database JOIN based on SSN, you need the SSN. And the sad fact is that if the company's servers are compromised sufficiently to recover the hashed SSN, they're almost certainly compromised sufficiently to allow the theft of the software that handles the forward and reverse hashing. So considering the salt and the algorithm secure if the hash has been compromised is probably a bad idea..
Attachment:
pgp00069.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/