John Colby
jcolby at colbyconsulting.com
Fri Sep 26 12:26:39 CDT 2003
Wow, you have this one way hash algorithm? Would you share it?

John W. Colby
www.colbyconsulting.com

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Stuart Sanders
Sent: Friday, September 26, 2003 12:57 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT- I am a lucky winner??

Well... Since this might be vaguely on topic...

I can honestly say I don't know how a bank stores your pin number. What I can say is that a bank and its employees *may* not be able to get your pin number except via the old fashioned brute force method.

The reason this might be considered on topic is because it uses a method which I use in Access for storing certain data ... Like user passwords for my light security.

How does this work you say? (well I hope someone is interested anyway)

There are algorithms that produce a 1 way irreversible hash of a string (or number as the case may be). So when you initialise or change a password, you create the hash, and store the hash only, not the pin or password itself.

When you need to check for user authenticity the user enters the user name (inserts the card) and then enters the password/pin. You can verify whether the password/pin is correct by running the same hash on it and then comparing the result to the stored hash in the database.

Thus you have a method that enables you to "store" the pin/password without actually being able to recover it except by a brute force method. I.e. to find the correct password/pin you would have to enter something and then compare the hashed result with the "correct" stored hash.

There are many of these algorithms, some being more secure than others. A relatively simple and commonly used one is md5.

Cheers

Stuart

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Ron Allen
> Sent: Saturday, 27 September, 2003 12:42 AM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] OT- I am a lucky winner??
>
> Hi Jarad,
>
> Please don't take this personally, but I can't let this go
> by without comment.
>
> <rant>
> Why are there so many people who seem, at least, to take
> delight in pointing out completely insignificant and
> irrelevant flaws in other people's statements? What purpose
> does this serve, other than possibly to make the person
> pointing out the flaw feel somehow superior?
>
> Yes, the bank, in the form of most of its employees, does
> not need to know your PIN. Of course, this is obvious. But
> the bank computers _do_ have to know your PIN for your ATM
> and debit cards to work. This is also obvious. As everyone
> on this list knows, those who work in the bank's IT
> department almost certainly have access to the PIN data. So
> no matter how you cut it, the bank knows your PIN, period.
>
> The point is, who cares? What possible difference does it
> make to the discussion? Everyone with any common sense at
> all understood exactly what I meant, and what I said was
> valid. What was the reason for making that observation? It
> seems pretty damn pointless, not to mention ridiculously
> petty, to me.
>
> </rant>
>
> We now return you to your regularly scheduled Friday OT
> and maybe even business related discussions.
>
> Ron
>
> On Fri, 26 Sep 2003 11:27:55 -0500
> "Huffman, Jarad B." <jbhuffman at mdh.org> wrote:
> >Actually, most banks don't even know your PIN. They
> >don't need to. If you
> >forget it, they will reset it.
> >
> >Jarad Huffman
> _______________________________________________
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
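
Added example, not part of the original thread or any poster's code: the store-the-hash and re-hash-to-verify scheme described in the quoted message, written in Python, with a count of how few guesses the brute-force search takes over a 4-digit PIN space and a salted, iterated PBKDF2 record for comparison. The function names, the sample PIN and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

def md5_record(secret: str) -> str:
    """Scheme from the thread: keep only the MD5 hex digest, never the secret."""
    return hashlib.md5(secret.encode()).hexdigest()

def md5_verify(candidate: str, stored: str) -> bool:
    """Re-hash the entered value and compare it with the stored digest."""
    return hmac.compare_digest(md5_record(candidate), stored)

def pin_search_cost(stored: str):
    """Count the guesses needed to match a stored digest of a 4-digit PIN.
    The whole space is only 10,000 values, so the search always terminates."""
    for n in range(10_000):
        if md5_record(f"{n:04d}") == stored:
            return f"{n:04d}", n + 1
    return None, 10_000

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

def kdf_record(secret: str, iterations: int = ITERATIONS):
    """Hardened form: per-record random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt, iterations, digest

def kdf_verify(candidate: str, record) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt, iterations, digest = record
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)

if __name__ == "__main__":
    pin = "4921"  # constructed sample value
    stored = md5_record(pin)
    print("verify correct PIN:", md5_verify(pin, stored))
    print("verify wrong PIN:  ", md5_verify("0000", stored))
    print("search result:     ", pin_search_cost(stored))
    # Unsalted digests of equal secrets are identical; salted records are not.
    print("md5 records equal: ", md5_record(pin) == md5_record(pin))
    print("kdf records equal: ", kdf_record(pin)[2] == kdf_record(pin)[2])
    # The KDF raises the cost of each guess but cannot enlarge a 10,000-value
    # space, so short PINs also need attempt limits on the verifier.
```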