4-digit password / pincode encryption - easy to crack?

I am currently working on a service that requires users to select a 4-digit password / PIN code, because it is a mobile service. These passwords will be encrypted with 256- or 2048-bit encryption and hashed. The account is locked after 4 incorrect entries and can only be entered from a mobile phone. Would it be difficult to crack these PIN codes? I ask because confidential information is stored. The database is connected to the web application, and the application is delivered to the phone using twilio. My biggest fear is the database being hacked over the Internet. What would be a good way to protect sensitive data?

+4
5 answers

If someone takes possession of the database, you would be pretty much screwed:

If you simply encrypt 4-digit passwords, an attacker can simply build a table of 10,000 possible encrypted strings and can trivially decrypt PIN codes.

If you use salt strings (and do not encrypt the PIN alone, but PIN + salt, and store the encrypted (PIN + salt) along with the salt), an attacker would have to try each password separately, but there are still only 10,000 possibilities per password (which is not much).

This means that yes, of course, you must keep the database offline. (If the web application is accessible only through twilio, you can reject connections from any other IP range).

+6
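An added example in Python (not from any of the answers) that makes both points concrete: a salted SHA-256 record is recovered in at most 10,000 hash evaluations once the database is dumped, whereas an online verifier that tags the PIN with a key held only by the verification service (a keyed HMAC, an assumed design that combines this answer's lockout with the later advice to keep the secret key unavailable to anything but the checking service) and locks after 4 failures leaves a database thief with nothing to enumerate. The key, user name and PIN values are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 4                                   # lockout threshold from the question
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]    # every possible 4-digit PIN


def salted_sha256(pin: str, salt: bytes) -> bytes:
    """Store-side hash as this answer describes it: hash(salt + PIN), salt stored beside it."""
    return hashlib.sha256(salt + pin.encode()).digest()


def guesses_to_recover(salt: bytes, digest: bytes):
    """Number of hash evaluations a holder of a dumped (salt, digest) pair needs.

    Never more than 10,000: the salt is public and the PIN space is tiny.
    Returns None when no 4-digit PIN produces the digest."""
    for n, pin in enumerate(PIN_SPACE, start=1):
        if salted_sha256(pin, salt) == digest:
            return n
    return None


class PinVerifier:
    """Online checker: keyed tag (key lives in the service, not the DB) plus lockout."""

    def __init__(self, key: bytes):
        self._key = key                    # hypothetical secret held only by this service
        self._records = {}                 # what the database would hold: salt, tag, failures

    def _tag(self, pin: str, salt: bytes) -> bytes:
        return hmac.new(self._key, salt + pin.encode(), "sha256").digest()

    def enroll(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "tag": self._tag(pin, salt), "failures": 0}

    def is_locked(self, user: str) -> bool:
        return self._records[user]["failures"] >= MAX_FAILURES

    def verify(self, user: str, pin: str) -> bool:
        rec = self._records[user]
        if rec["failures"] >= MAX_FAILURES:
            return False                   # locked: no further online guesses accepted
        ok = hmac.compare_digest(rec["tag"], self._tag(pin, rec["salt"]))
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def dump(self, user: str) -> dict:
        """Everything an attacker gets from the database alone; the key is not in it."""
        return dict(self._records[user])
```

The keyed design only helps if the key really is stored outside the database (a separate host or secrets store); if it is dumped together with the records, the attacker is back to 10,000 guesses.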

Since you are using twilio, just make sure twilio only talks to your web service using a secure protocol and rejects any requests that you are not sure come from a trusted source (i.e. twilio). No real need for a PIN at all.

This is a huge web page on how to configure SSL between your web server and twilio. It even has a PHP example. http://www.twilio.com/docs/security

+2

If you use PKCS #1 v1.5 or 2.0 RSA encryption (see the standards), you will also be encrypting random padding. This means that PINs in transit cannot be compared with each other if the padding is kept secret and truly random (this is not a salt, which should be made public).

As for the database, it would be nice to keep it out of normal operations as much as possible. Create a simple service that does nothing but check the PIN code after decryption, make sure it has no buffer overflows, etc., and, if possible, run it on a different computer and with different access rights than the production server. Actually check this part; since the interface is small, it should not be difficult.

If you and the phones are ready for it, you can try ECC, but this is not for the meek. RSA encryption usually uses a small public exponent (0x010001 recommended), so it is faster than ECC on the phone. On the server (and during key creation), ECC is much faster. I would not recommend symmetric cryptography (AES / 3DES) for this.

Oh, and include the public encryption key in the application (for implicit trust); do not send it from the server. Keep the secret key secret and unavailable to anything other than the service already mentioned.

+2

The interface you are describing sounds safe to me. It is safe enough for ATMs!

Are encrypted PINs easily cracked? Yes, there are only 10,000 possible combinations, and a rainbow table can be generated from all possible encrypted values if you do not salt. However, this requires access to the encrypted PIN codes, which means that the attacker already has a copy of your database.

Therefore, you really need to ensure the security of your database server. There are many variables that can make it unsafe, so this is a big question. Alternatively, you can rely on third-party solutions like Amazon S3 or others and focus on coding instead of security. Let them do the hard work!

+1

To prevent password cracking, you should use good-quality password technology. Check out the Wikipedia article to learn more about salting: Salt article

0
