Ask HN: Is there a vulnerability diff stealing encrypted PINs v. Passwords - relaunched

In the wake of the suspicion that encrypted customer PINs were stolen from Target, I am curious about the differences in best practices, if any, between encrypting PINs v. passwords. Naively, PINs are 4[1-9] numbers, which makes any type of rainbow table approach based on a simple hash much smaller than 8-16[52+] given caps sensitivity and special chars. However, the nature of PINs is such that you would have to try and fail / succeed in a store. So, even with a single hash + salt, you might need an impractical number of people / attempts to test for cracking the encryption.

Does anyone with insight into PIN / password security have any thoughts?
======
jere
I'm not aware of any best practices, but I'll speculate.

>Naively, PINs are 4[1-9] numbers, which makes any type of rainbow table
approach based-on a simple hash, much smaller than 8-16[52+] given caps
sensitivity and special chars.

Yea, you're talking about 10k combinations. That's nothing at all. I don't
think rainbow tables are even applicable. Even if they were salted, you'd be
able to crack a hash in a split second. The only thing I could see mitigating
this is if the crypt function was so ungodly slow that that doing a single
hash took 10 seconds (that's a 10s checkout). But still you could crack one in
half a day... enough time to do damage control if the data is stolen I
suppose.

Probably the most important thing is a "lock out" mechanism in store. After a
small number of incorrect tries, your credit card company locks your card and
calls you to see what's up. I assume they already do this.
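The two points above (a 4-digit keyspace is only 10,000 values, so a salt alone does not help, and the real control is an online lockout) can be shown directly. The following is an added example written for this thread, not code from either poster or from any payment system; it assumes a naive "salt + iterated SHA-256" scheme (via PBKDF2) with a 16-byte salt and a constructed PIN, purely to model the scheme being discussed. It also carries the "slow hash" arithmetic through for an arbitrary per-hash cost.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the naive scheme under discussion. Real card
# networks do not store PINs as salted hashes; this only models the thread's
# hypothetical.
SALT_LEN = 16
ITERATIONS = 1  # a plain salted hash; raise to model a deliberately slow KDF


def pin_keyspace(digits: int = 4) -> int:
    """Number of possible PINs of the given length (10 ** digits)."""
    return 10 ** digits


def hash_pin(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated SHA-256 of the PIN (the scheme the thread describes)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def enroll(pin: str, iterations: int = ITERATIONS) -> tuple:
    """Store a PIN the naive way: fresh random salt plus its salted hash."""
    salt = os.urandom(SALT_LEN)
    return salt, hash_pin(pin, salt, iterations)


def recover_pin(salt: bytes, digest: bytes, digits: int = 4,
                iterations: int = ITERATIONS) -> tuple:
    """Exhaustive offline search over the whole PIN keyspace.

    Returns (pin, attempts). The salt is known to anyone holding the stored
    record, so it only rules out precomputed tables; it does not enlarge
    the 10 ** digits search space at all.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(hash_pin(candidate, salt, iterations), digest):
            return candidate, n + 1
    return None, 10 ** digits


def expected_crack_seconds(seconds_per_hash: float, digits: int = 4) -> float:
    """Expected time to find a PIN offline: half the keyspace on average."""
    return (10 ** digits / 2) * seconds_per_hash


class PinVerifier:
    """Online PIN check with a lockout counter.

    Because the keyspace is tiny, this counter (not the hash) is the control
    that bounds guessing: after max_attempts failures the card is locked and
    every further verify() returns False, correct PIN included.
    """

    def __init__(self, salt: bytes, digest: bytes, max_attempts: int = 3):
        self.salt, self.digest = salt, digest
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(hash_pin(pin, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed PIN for the demonstration.
    salt, digest = enroll("0427")
    start = time.perf_counter()
    pin, attempts = recover_pin(salt, digest)
    elapsed = time.perf_counter() - start
    print(f"keyspace={pin_keyspace()} recovered={pin} after {attempts} "
          f"salted hashes in {elapsed:.3f}s")
    print(f"with a 10 s hash, expected offline search: "
          f"{expected_crack_seconds(10.0) / 3600:.1f} hours")

    card = PinVerifier(salt, digest, max_attempts=3)
    for guess in ("0000", "1111", "2222"):
        card.verify(guess)
    print(f"locked after 3 failures: {card.locked}; "
          f"correct PIN now accepted: {card.verify('0427')}")
```

Running it shows the full 10,000-value search completing in well under a second against a plain salted hash, while the same three wrong guesses against `PinVerifier` lock the card before a fourth attempt is possible. The `expected_crack_seconds` helper makes the slow-hash trade-off explicit: the same per-hash delay that would make an offline search take hours is paid by every legitimate checkout.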