Hashing Credit Card Numbers: Revisited Again
I recently had to revisit the estimates I provided in our white paper on brute forcing credit card hashes, since new techniques were published that can speed the brute forcing up by at least a factor of 5 using off-the-shelf video cards. Well, a month later I am having to revise the estimates again. Nick Breese of New Zealand has published a paper at Kiwicon on using a PlayStation 3 to crack hashes. His estimates are about 1.4 billion hashes per second for MD5. Our proof-of-concept code, running at about 2 million hashes per second, seems rather slow now. At least 2 billion hashes per second is probably feasible in the near future with readily available hardware and source code.
Storing credit card numbers as a single pass of a hash function, even a salted one, is foolhardy. The search space is tiny: a 16-digit card number has a six-digit issuer prefix that is public knowledge and a final digit that is a Luhn check digit computed from the rest, which leaves only about a billion candidates per issuer prefix. At 1.4 billion hashes per second, every card behind a compromised hash falls in roughly a second. A salt does not enlarge that search; it only prevents the attacker from precomputing a table once and reusing it against every card. Given what card numbers are worth, there is more than enough financial incentive to buy a $500 PlayStation 3 and write a little code.
When hashing credit card numbers, the scheme must be designed to resist brute forcing: use the strongest available cryptographic hash function, a large random salt per record, and many iterations. Keep in mind that iterations only multiply the attacker's per-candidate cost by a constant factor, so the iteration count has to be chosen against the billion-candidate keyspace and the hash rates above, not picked arbitrarily.
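The following is an added example, not code from the original post or its white paper. It makes the argument above concrete: it enumerates Luhn-valid card numbers under a known issuer prefix, recovers a single-pass salted MD5 hash of a constructed sample card number by brute force, and projects the cost of exhausting the whole keyspace at the 1.4 billion hashes per second quoted in the post, first for one pass of MD5 and then for an iterated scheme. PBKDF2-HMAC-SHA256 with a 16-byte salt and 100,000 iterations is my choice of a concrete "strong hash, large salt, many iterations" construction; the six-digit issuer prefix, the 100,000 iteration count and the sample card number 4111110000012349 are assumptions made for the example.

```python
"""Added example: brute forcing a single-pass salted hash of a card number,
and the cost multiplier an iterated, salted hash buys.

Assumptions (not from the original post): a 16-digit PAN whose first six
digits (the issuer BIN) are known to the attacker, the 1.4e9 MD5 hashes/s
rate quoted in the post, and the constructed sample PAN in __main__.
"""

import hashlib
import os

HASH_RATE_PER_SEC = 1.4e9   # PS3 MD5 rate quoted in the post
BIN_DIGITS = 6              # issuer identifier, assumed known to the attacker
ACCOUNT_DIGITS = 9          # 16 digits - 6 BIN digits - 1 Luhn check digit
KEYSPACE_PER_BIN = 10 ** ACCOUNT_DIGITS


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a PAN prefix (every digit except the last)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def pans_for_bin(bin6: str, start: int = 0):
    """Enumerate every Luhn-valid 16-digit PAN under one BIN, in order."""
    for account in range(start, KEYSPACE_PER_BIN):
        prefix = bin6 + f"{account:0{ACCOUNT_DIGITS}d}"
        yield prefix + luhn_check_digit(prefix)


# The weak scheme the post warns about: one pass of MD5 over salt || PAN.
def weak_hash(pan: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + pan.encode()).digest()


# A concrete "strong hash, large salt, many iterations" scheme (my choice):
# PBKDF2-HMAC-SHA256, 16-byte random salt, 100,000 iterations.
ITERATIONS = 100_000


def strong_hash(pan: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, iterations)


def brute_force(target: bytes, salt: bytes, bin6: str, hasher, limit: int):
    """Try PANs under bin6 against target; returns (pan or None, attempts).

    The salt is assumed to have leaked together with the hash, so it does not
    enlarge the search; it only rules out a precomputed table."""
    attempts = 0
    for pan in pans_for_bin(bin6):
        attempts += 1
        if hasher(pan, salt) == target:
            return pan, attempts
        if attempts >= limit:
            break
    return None, attempts


def projected_seconds(iterations: int = 1) -> float:
    """Worst-case time to exhaust one BIN at the quoted rate. Iterations
    multiply the per-candidate cost; MD5 and SHA-256 are treated as equal."""
    return KEYSPACE_PER_BIN * iterations / HASH_RATE_PER_SEC


if __name__ == "__main__":
    bin6 = "411111"
    # Constructed sample: account number 1234 under the BIN; not a real card.
    pan = bin6 + "000001234"
    pan += luhn_check_digit(pan)
    salt = os.urandom(16)

    found, n = brute_force(weak_hash(pan, salt), salt, bin6, weak_hash, limit=10_000)
    print(f"single-pass MD5: recovered {found} after {n} candidates")
    print(f"one BIN = {KEYSPACE_PER_BIN:,} candidates -> "
          f"{projected_seconds():.2f} s at {HASH_RATE_PER_SEC:.1e} H/s")
    print(f"same keyspace with {ITERATIONS:,} iterations -> "
          f"{projected_seconds(ITERATIONS) / 3600:.1f} hours per card")
```

Two things the numbers show: a single pass of MD5 lets the attacker exhaust an entire issuer prefix in under a second, so a per-record salt only forces him to spend that second once per card; 100,000 iterations push that to roughly twenty hours per card on the same hardware, which is a real cost but still only a linear factor that faster hardware erodes, so the iteration count has to be revisited as rates like the ones in this post keep climbing.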