hal9...@panix.com (Robert A. Rosenberg) writes:
> What is done with the Sensitive Data is important. In many cases,
> such as passwords, there is no need to know the actual data but only
> to compare it with some supplied value to see that it matches. Thus a
> stored one-way hashed value is secure since there is no way to unhash
> it, and all that is needed is to hash the value you think it is and
> compare the two hashes.

re:
http://www.garlic.com/~lynn/2015.html#96 Anthem Healthcare Hacked

an issue is "something you know" shared secrets for authentication,
pins, passwords, as well as other information you might know that can be
used for authentication, "mother's maiden name", "social security
number", "date-of-birth", etc ...

... but skimming attacks can occur in the infrastructure before the data
is hashed. also hashing doesn't work if working with human operators
that are doing a purely visual compare.

one of the worst is financial industry ... where the "account number"
tends to be "dual-use" ... essentially both for authentication, but also
required in dozens of business processes at millions of locations around
the planet (security requirements that authentication info is kept
totally confidential and *NEVER* divulged, conflicting with requirements
when the same information is also required for a large number of business
processes) ... harvesting can be breaches at backends, at any of the
business processes, any of the transmission points and at the
originating front-ends.

hashing for password repositories has been used for some time ... storing
hashed passwords was first done in unix in the early 70s:
http://en.wikipedia.org/wiki/Password#History_of_passwords

trivia ... above also mentions CTSS:
http://en.wikipedia.org/wiki/Compatible_Time-Sharing_System

then some of the CTSS people go to the science center on 4th flr
545 tech sq ... some past posts
http://www.garlic.com/~lynn/subtopic.html#545tech
others go to the 5th flr and do Multics
http://en.wikipedia.org/wiki/Multics

some of the people working on Multics return home and do a
simplified version that they call Unix.
http://en.wikipedia.org/wiki/Unix#History

above also references "Greg Chesson" ... who I worked with in the 80s,
when I was on the XTP technical advisory board.

-- 
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

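As an added example, not part of the post or the thread, here is the store-a-one-way-hash-and-compare scheme the quoted reply describes, written in Python with a per-record random salt and a constant-time digest compare; the record layout, the PBKDF2 work factor and the function names are my assumptions for the demo, and note that it addresses only the stored-repository case, not the skimming-before-hashing or visual-compare cases raised above.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor; a constructed value for the demo, tune for real use.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored credential: salt plus one-way hash, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Hash the value you think it is under the stored salt and compare digests."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_contains_secret(record: dict, password: str) -> bool:
    """Sanity check: the plaintext secret must not appear in what is stored."""
    return password in "".join(str(v) for v in record.values())
```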