
I need to store a string of digits (0-9) of a fixed size in my database securely


Question

I need to store a string of digits (0-9) of a fixed size in my database securely.

I've already performed a rainbow table attack on a plain hash, and it broke it in a matter of seconds.

One option I had was to break the string into 2 or more parts and store them separately, within reason (i.e. I do not have the resources for multiple servers), but I feel like this will only delay an attacker a small amount.

The other option is using salted hashes, but I'm not sure if this will help in this case.

Does anyone have any suggestions?

Explanation / Answer

It'll be the same situation that NY City suffered some days ago: when you have little variability in your data, i.e., it has a small fixed size, it'll always be fast to brute force.

You said that you'll have 9 digits, so anything I say below will be 100 times faster.

In that case, using any kind of hash will only delay the attack by some amount. If you use an MD5 hash, some hardware can calculate 28 billion hashes/sec.

If you use a unique, random salt for each number, once the attacker finds out the salt (it's not secret, since it's stored in the database), he'll only need to calculate those hashes including the salt, and it will take 1 sec for each number you have. No good.

Other hashes (SHA in general, scrypt, etc.) will again slow things down, perhaps requiring more memory, but they won't do magic: in the end it'll be just a matter of time.

And what about changing your digits, for example encoding them so that they'll have letters in them? That still won't solve your problem, because your data can only have 10 billion variations (in my hypothesis; your case might be even worse).

And what about making another table, with correspondence, which was a proposed solution to the NY City data? It won't do you any good, since if someone is able to access your numbers, or their hashes, he'll probably be able to access that data too.
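
The answer's point about per-record salts, as an added example that is not part of the original answer: a salt stored beside the hash forces one pass over the keyspace per record, but each pass is still only as large as the keyspace. The 6-digit sample value, the salt and the function names are constructed for illustration; the 10 billion variations and 28 billion hashes/sec figures are the answer's.

```python
import hashlib

def salted_hash(value: str, salt: bytes) -> bytes:
    """Salted SHA-256 as it would sit in the database next to its salt."""
    return hashlib.sha256(salt + value.encode("ascii")).digest()

def recover(stored: bytes, salt: bytes, digits: int):
    """Walk every fixed-length digit string; return (value, hashes computed)."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"  # zero-padded so leading zeros are covered
        if salted_hash(candidate, salt) == stored:
            return candidate, n + 1
    return None, 10 ** digits

def worst_case_seconds(digits: int, records: int, hashes_per_sec: float,
                       per_record_salt: bool) -> float:
    """Time to exhaust the keyspace for every record in the table."""
    keyspace = 10 ** digits
    # Unsalted: one pass over the keyspace matches all records at once.
    # Per-record salt: one pass per record, each still only `keyspace` hashes.
    passes = records if per_record_salt else 1
    return keyspace * passes / hashes_per_sec

# Constructed sample row: a 6-digit value (short so the demo is instant) and its salt.
SAMPLE_SALT = bytes.fromhex("9f1c2a7be04d5533")
SAMPLE_HASH = salted_hash("042917", SAMPLE_SALT)

if __name__ == "__main__":
    value, tries = recover(SAMPLE_HASH, SAMPLE_SALT, 6)
    print(f"recovered {value} after {tries} hashes")
    # Figures from the answer: 10 billion variations, 28 billion MD5 hashes/sec.
    for records in (1, 1_000_000):
        for salted in (False, True):
            t = worst_case_seconds(10, records, 28e9, salted)
            print(f"records={records:>9} salted={salted!s:5} worst case {t:,.2f} s")
```

The per-record figure stays under a second whether or not a salt is used; the salt only changes how the total scales with the number of rows.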