in reply to Re^3: Paranoid about web application security
in thread Paranoid about web application security

This strikes me as a poor security trade-off. It reduces a rather unlikely threat (you are using SSL right?) in exchange for greatly increasing the value of your database to an attacker.

Amen.

Not to mention the additional risk of a "trusted" insider getting access to the database. Most fraud is an inside job rather than the results of the wily hacker.

If you really have to store the credit card numbers then for goodness sake don't store them in plain text.

For example XOR them with the users password so they can't be accessed on mass, and only decoded on an individual basis when the user is logged on.

(I'm naturally assuming that you'll only be storing a hash of the user password.)

  • Comment on Re^4: Paranoid about web application security

Replies are listed 'Best First'.
Re^5: Paranoid about web application security
by samtregar (Abbot) on Aug 10, 2005 at 17:35 UTC
    I was with you until the XOR. Please, use a real encryption algorithm! It's so easy to use strong encryption (via Crypt::CBC and Crypt::Blowfish or any of the others) that there's really no excuse not to.

    -sam

[reply]
      I was with you until the XOR. Please, use a real encryption algorithm! It's so easy to use strong encryption (via Crypt::CBC and Crypt::Blowfish or any of the others) that there's really no excuse not to.

      Good point. My bad.

[reply]

In Section Seekers of Perl Wisdom