Hashing Credit Card Numbers: Revisited

This past March, I published a white paper looking at how some applications hash credit card numbers and how vulnerable these hashes are to brute forcing.  I developed a proof of concept to roughly estimate the timings (about 2 million hashes per second).  Looking ahead, I estimated with additional optimization, multi-threading, and faster processors probably 50 million hashes per second is achievable.

Well, I was probably off by a factor of at least 5 on my future estimate.  Elcomsoft announced this week that it has filed a patent for a technique to use the "massively parallel processing" capabilities of the GPU on a video card to brute force passwords.  Others have also been doing research in this area.

A better estimate is at least 200 million hashes per second for a single pass of SHA-1 or MD-5 and I wouldn't be surprised if someone could achieve 500 million hashes per second in the near future.  This would allow someone to brute force all possible unsalted SHA-1 hashes in just 10 days rather than 3 years.  Adding intelligence with regards to brands and common issuing bank prefixes, most of the brute force times are reduced to minutes or seconds.  Storing plain-text digits (prefix and/or last 4) makes brute forcing a trivial exercise.

When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strong cryptographic hash functions, large salt values, and multiple iterations.

 Share this post