[AccessD] OT- I am a lucky winner??

Stuart Sanders stuart at pacific.net.hk
Fri Sep 26 11:56:30 CDT 2003


Well... Since this might be vaguely on topic...

I can honestly say I don't know how a bank stores your pin number.  What I can
say is that a bank and its employees *may* not be able to get your pin
number except via the old fashioned brute force method.

The reason this might be considered on topic is because it uses a method which I
use in access for storing certain data ... Like user passwords for my light
security.

How does this work, you say?  (well I hope someone is interested anyway)

There are algorithms that produce a 1 way irreversible hash of a string (or
number as the case may be).  So when you initialise or change a password, you
create the hash, and store the hash only, not the pin or password itself.

When you need to check for user authenticity the user enters the user name
(inserts the card) and then enters the password/pin.  You can verify whether the
password/pin is correct by running the same hash on it and then comparing the
result to the stored hash in the database.

Thus you have a method that enables you to "store" the pin/password without
actually being able to recover it except by a brute force method.  I.e. to find
the correct password/pin you would have to enter something and then compare the
hashed result with the "correct" stored hash.

There are many of these algorithms, some being more secure than others.  A
relatively simple and commonly used one is md5.

Cheers

Stuart

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Ron Allen
> Sent: Saturday, 27 September, 2003 12:42 AM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] OT- I am a lucky winner??
>
>
> Hi Jarad,
>
> Please don't take this personally, but I can't let this go
> by without comment.
>
> <rant>
> Why are there so many people who seem, at least, to take
> delight in pointing out completely insignificant and
> irrelevant flaws in other people's statements? What purpose
> does this serve, other than possibly to make the person
> pointing out the flaw feel somehow superior?
>
> Yes, the bank, in the form of most of its employees, does
> not need to know your PIN. Of course, this is obvious. But
> the bank computers _do_ have to know your PIN for your ATM
> and debit cards to work. This is also obvious. As everyone
> on this list knows, those who work in the bank's IT
> department almost certainly have access to the PIN data. So
> no matter how you cut it, the bank knows your PIN, period.
>
> The point is, who cares? What possible difference does it
> make to the discussion? Everyone with any common sense at
> all understood exactly what I meant, and what I said was
> valid. What was the reason for making that observation? It
> seems pretty damn pointless, not to mention ridiculously
> petty, to me.
>
> </rant>
>
> We now return you to your regularly scheduled Friday OT
> and maybe even business related discussions.
>
> Ron
>
>
>
> On Fri, 26 Sep 2003 11:27:55 -0500
>   "Huffman, Jarad B." <jbhuffman at mdh.org> wrote:
> >Actually, most banks don't even know your PIN.  They
> >don't need to.  If you
> >forget it, they will reset it.
> >
> >Jarad Huffman
>
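
The store-the-hash, re-hash-and-compare scheme described in the message above, as an added example that is not part of the original post or thread. It uses salted PBKDF2-HMAC-SHA256 next to the plain MD5 the message names (the iteration count, function names and sample PIN are assumptions) and counts how few hash-and-compare guesses a 4-digit PIN space allows.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not a value from the post


def make_record(secret: str) -> dict:
    """Build the row to store: random salt plus hash, never the secret itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(entered: str, record: dict) -> bool:
    """Hash what the user typed the same way and compare with the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def unsalted_md5(secret: str) -> str:
    """The plain MD5 form named in the post, kept here only for comparison."""
    return hashlib.md5(secret.encode()).hexdigest()


def guesses_needed(stored_md5: str, digits: int = 4):
    """Count the hash-and-compare attempts needed to match a numeric PIN hash."""
    for attempts, n in enumerate(range(10 ** digits), start=1):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(unsalted_md5(candidate), stored_md5):
            return candidate, attempts
    return None, 10 ** digits


if __name__ == "__main__":
    pin = "4821"  # constructed sample value
    row = make_record(pin)
    print("stored columns:", sorted(row))
    print("correct PIN accepted:", verify(pin, row))
    print("wrong PIN accepted:", verify("0000", row))
    # Two users with the same PIN share one unsalted MD5 but not one salted hash.
    print("unsalted hashes equal:", unsalted_md5(pin) == unsalted_md5(pin))
    print("salted hashes equal:", make_record(pin)["hash"] == row["hash"])
    print("guesses to match the MD5 of a 4-digit PIN:", guesses_needed(unsalted_md5(pin)))
```

The salt and iteration count slow each guess and stop identical PINs from sharing a hash, but they do not enlarge a 10,000-value keyspace.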



