June 2011 Archives

With rainbows, black is the most worrisome color

This has been at the back of my mind for years now. Every company I've worked with stored MD5-hashed credit card numbers in the DB so that "search by CC number" works. As far as I know no one has released a rainbow table of all of the common credit card number prefixes hashed, but it's getting way too easy to do so. 33.1 billion hashes per second.... yikes.

http://blog.zorinaq.com/?e=42

Back of the envelope, this system could calculate hashes for all of the Mastercard or Visa prefixes in 20 days or so, faster if it concentrates on the most common BIN numbers. Discover cards would take less than a week.

So reconsider whether you really need a "search by CC number" function. If you do, switch to a more computationally expensive hash. Consider adding a site-specific salt so an attacker needs to generate a unique set of tables for your site.
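As an added example (not code from the original post), here is the unsalted MD5 index the post warns about beside the two mitigations it suggests: a keyed, site-specific lookup token and a deliberately slow hash. The card number is the well-known test PAN, and the secret and record id are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values: a standard test PAN (not a real card) and a site secret.
# In production the secret lives outside the database (KMS, HSM or app config),
# never in the same table as the tokens it protects.
SAMPLE_PAN = "4111111111111111"
SITE_SECRET = b"example-site-secret-not-stored-with-the-data"

def weak_index(pan: str) -> str:
    """The pattern the post warns about: unsalted MD5 of the bare card number.
    Every site using it produces the same digest, so one precomputed table of
    all numbers under a BIN prefix reverses every such column."""
    return hashlib.md5(pan.encode()).hexdigest()

def keyed_index(pan: str, secret: bytes = SITE_SECRET) -> str:
    """Site-specific lookup token: HMAC-SHA256 under a secret held outside the DB.
    Still deterministic, so 'search by CC number' is an equality match, but a
    table built without this secret matches nothing stored here."""
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()

def slow_index(pan: str, site_salt: bytes = SITE_SECRET, iterations: int = 200_000) -> str:
    """The 'more computationally expensive hash' option: PBKDF2 with a fixed
    site salt. Deterministic, so lookups still work, but each candidate number
    costs an attacker `iterations` HMAC computations instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), site_salt, iterations).hex()

def lookup(index: dict, token: str) -> Optional[str]:
    """Equality search over a {token: record_id} store, as the application does."""
    return index.get(token)

def demo() -> dict:
    store = {keyed_index(SAMPLE_PAN): "customer-42"}  # constructed record id
    # A table precomputed elsewhere (plain MD5, or HMAC under another site's
    # secret) never lines up with this site's tokens.
    other_site = keyed_index(SAMPLE_PAN, b"some-other-site-secret")
    return {
        "search_works": lookup(store, keyed_index(SAMPLE_PAN)) == "customer-42",
        "md5_table_useless": lookup(store, weak_index(SAMPLE_PAN)) is None,
        "other_site_table_useless": lookup(store, other_site) is None,
        "tokens_differ_per_site": keyed_index(SAMPLE_PAN) != other_site,
    }

if __name__ == "__main__":
    print(demo())
```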