|
WebApp Sec
mailing list archives
Re: storing SSNs, CCNs, password in the DB
From: Adam Shostack <adam () homeport org>
Date: Sun, 27 Feb 2005 20:28:20 -0500
So, this will sound like pedantry, but it's worth starting from: The
most secure way is to not store them. Use them for what you need, and
then throw them away. With increasing numbers of laws coming into
effect if you store these sorts of data, it may be worth business
process analysis to see if you can discard data early.
If you don't have an SSN, you can't decide that it would make a good
password. (You also can't report on tax issues.)
Adam
On Sun, Feb 27, 2005 at 02:32:12PM -0800, Francesco wrote:
| What is the most secure way to store SSNs, CCNs, and passwords in the
| DB?
|
| Is this a good general policy?
|
| 1. If you need to be able to read the data back, the encrypt/decrypt
| with something like TDES, storing the keys in the registry.
|
| 2. If you don't need to read the data back and you just need to compare,
| then hash/salt with SHA1, storing the hash and salt in the DB.
|
| Francesco
 By Date 
By Thread
Current thread:
- RE: ISA Server and SQL Injection, (continued)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
|
Intro
