From owner-freebsd-isp Wed May 29 10:04:40 2002
Date: Wed, 29 May 2002 10:46:59 -0600
Subject: Re: Web site security questions
From: Scott Gerhardt
To: Sean Farley, Justin Lundy
Cc: freebsd-isp@freebsd.org
Message-ID:
In-Reply-To: <20020529105505.W92401-100000@thor.farley.org>

Just a basic suggestion: If you want to store passwords you can do a few things to make it more difficult for the evil to steal them. Besides encrypting the DB entries, you could limit potential exposure by doing something as simple as separating the card numbers into several different entries in separate tables/databases. You can also store the personal information that is required for authentication (expiry date and name) in different locations as well. I guess this could be called low-tech obfuscation.

By doing this, the potential hacker will have to breach several DBs and then have to figure out how to assemble the pieces to make a valid credit card. You could also make it more difficult by adding bogus entries in the DB to confuse the hacker even further ;-)

--
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
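The fragment-per-table layout Scott describes, as an added example that is not part of the original post or of any FreeBSD code. It assumes an in-memory SQLite database, a split of the PAN into BIN / middle / last-four fragments, and independent random tokens per fragment so that no single table, and no shared key, links the pieces; only the `link` table (which would live on a separate host in the layout the post suggests) ties them back together. The card number used is the well-known Visa test number, not a real card, and all table and function names are this example's own.

```python
import secrets
import sqlite3


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: a reassembled PAN that fails this is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class SplitCardStore:
    """Each card is stored as three fragments in three separate tables.

    Every fragment sits under its own random token, so a dump of one table
    yields neither a full PAN nor a way to find the matching fragments.
    Holder data (name, expiry) lives in yet another table keyed by the
    customer reference, and only the link table joins everything.
    """

    PARTS = ("part_bin", "part_mid", "part_last")   # hypothetical table names

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        for table in self.PARTS:
            conn.execute(f"CREATE TABLE {table} (token TEXT PRIMARY KEY, fragment TEXT NOT NULL)")
        conn.execute("CREATE TABLE holder (ref TEXT PRIMARY KEY, name TEXT, expiry TEXT)")
        conn.execute("CREATE TABLE link (ref TEXT PRIMARY KEY, tok_bin TEXT, tok_mid TEXT, tok_last TEXT)")

    @staticmethod
    def split(pan: str):
        # BIN (first six), middle digits, last four: the three fragments.
        return pan[:6], pan[6:-4], pan[-4:]

    def store(self, pan: str, name: str, expiry: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        ref = secrets.token_hex(8)                  # customer-facing reference
        tokens = []
        for table, frag in zip(self.PARTS, self.split(pan)):
            tok = secrets.token_hex(16)             # unrelated to ref and to other tokens
            self.conn.execute(f"INSERT INTO {table} VALUES (?, ?)", (tok, frag))
            tokens.append(tok)
        self.conn.execute("INSERT INTO holder VALUES (?, ?, ?)", (ref, name, expiry))
        self.conn.execute("INSERT INTO link VALUES (?, ?, ?, ?)", (ref, *tokens))
        self.conn.commit()
        return ref

    def fetch(self, ref: str) -> dict:
        row = self.conn.execute(
            "SELECT tok_bin, tok_mid, tok_last FROM link WHERE ref = ?", (ref,)
        ).fetchone()
        if row is None:
            raise KeyError(ref)
        frags = []
        for table, tok in zip(self.PARTS, row):
            hit = self.conn.execute(f"SELECT fragment FROM {table} WHERE token = ?", (tok,)).fetchone()
            if hit is None:
                raise KeyError(f"missing fragment in {table}")
            frags.append(hit[0])
        pan = "".join(frags)
        if not luhn_ok(pan):                        # catches a mis-linked or tampered fragment
            raise ValueError("reassembled PAN failed Luhn check")
        name, expiry = self.conn.execute(
            "SELECT name, expiry FROM holder WHERE ref = ?", (ref,)
        ).fetchone()
        return {"pan": pan, "name": name, "expiry": expiry}

    def table_dump(self, table: str):
        """Everything an attacker who reads only this one table would see."""
        return [r[0] for r in self.conn.execute(f"SELECT fragment FROM {table}")]


def demo():
    """Store one constructed record and return the store plus its reference."""
    conn = sqlite3.connect(":memory:")
    store = SplitCardStore(conn)
    # Constructed sample: 4111 1111 1111 1111 is the standard Visa test number.
    ref = store.store("4111 1111 1111 1111", "A. Cardholder", "12/04")
    return store, ref


if __name__ == "__main__":
    store, ref = demo()
    print(store.fetch(ref))
    for t in SplitCardStore.PARTS:
        print(t, store.table_dump(t))
```

Reading any one of `part_bin`, `part_mid` or `part_last` gives a list of fragments with no ordering information and no key that appears in the other tables; the `link` table is the only place the tokens meet, which is why it is the table to keep on a separate host and under separate credentials in this layout.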