Is this OK encryption?

Muse

I have experience (professionally) as a database programmer. I keep my own data, powered/managed by my own code. Mostly, I don't keep sensitive data, my wont is to keep hints and only I know what those hints mean.

Sometimes my credit cards are elsewhere, I'd need to go downstairs to get my wallet to access them. So, I developed a system where I encrypt the numbers, expiry dates, CVV into a table. The encryption is done by shifting each value (e.g. 3, 9, 4, /, etc.) by an amount commensurate with that value's place in a secret "word." I don't keep that word in data, it's in my head. No one knows that word but me. In addition, each CC number, etc. is encrypted by its own word. However, I am now using the same word for all. Is this OK encryption or weak?
 

nakedfrog

Traversing stairs is good for you, and more secure
That said, where is this data stored? Is it externally accessible?
 

deadlyapp

With enough analysis of various numbers in their encrypted state, and some understanding of the underlying data (e.g. credit card prefix), someone could theoretically break your encryption without knowing your "key". With that said, unless you are an extremely high value target, you're pretty safe and there are plenty of other methods to determine your credit card numbers that are easier than trying to break a basic encryption with a hidden key.
 

tynopik

who are you trying to stop?
professionals? practically worthless
kids? more than enough (of course the better solution is to not give kids access to your private files in the first place)
 

repoman0

Basically a one time pad that's been used more than once, so totally breakable with some effort. Will anybody actually bother to break it? Probably not. Intelligence agencies trying to decipher encrypted messages from adversaries will spend the resources necessary to break reused one time pad messages but your average hacker who gets his hands on that file will not.

edit: At this point you might as well use an encrypted keepass database or similar to just write your numbers in. If somebody gets their hands on those files, they are practically unbreakable without a hundred years of compute time, and you still only have to remember your one password.
 
Sep 29, 2004
18,665
67
91
That is pretty bad encryption.

Real encryption with salting! That's the way to go! Salting is nice because every time you encrypt, the encrypt string will be different.
 

zinfamous

All of my passwords are contained on a microdot that is hidden within a small pill that I store in my urethra.
 

pauldun170

> I have experience (professionally) as a database programmer. I keep my own data, powered/managed by my own code. Mostly, I don't keep sensitive data, my wont is to keep hints and only I know what those hints mean.
>
> Sometimes my credit cards are elsewhere, I'd need to go downstairs to get my wallet to access them. So, I developed a system where I encrypt the numbers, expiry dates, CVV into a table. The encryption is done by shifting each value (e.g. 3, 9, 4, /, etc.) by an amount commensurate with that value's place in a secret "word." I don't keep that word in data, it's in my head. No one knows that word but me. In addition, each CC number, etc. is encrypted by its own word. However, I am now using the same word for all. Is this OK encryption or weak?

That might be strong encryption if it were 1918.


https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-encryption
https://www.red-gate.com/simple-tal...s-new-in-oracle-12c-database-security-part-1/

You can probably find comparable documentation for others, including NoSQL DBs like MongoDB or HBase or the new shiny things all the startup kids are embracing.
 

BxgJ

My encryption method is fullproof, foolproof, and can defeat the gods. I just write stuff down using my really crappy handwriting.
If I use this method, there's a strong chance even I can't decipher it later
 

Genx87

I store my important files on a secret website available from a main page in the lower right hand corner in the form of pi. If you mouse over this symbol it opens up a bonanza of information. Luckily most people never notice the secret link.
 

Elixer

> That is pretty bad encryption.
>
> Real encryption with salting! That's the way to go! Salting is nice because every time you encrypt, the encrypt string will be different.

OP is on a low-sodium diet though!

OP, yeah, that is a weak cipher, you should never have all that information in one place.
 

lxskllr

The answer to "Is my homebrew encryption good?" is "No" 99.x% of the time.
 

Carson Dyle

> Sometimes my credit cards are elsewhere, I'd need to go downstairs to get my wallet to access them.

Huh. I write down my credit card numbers on a piece of paper hidden in a drawer near my computer. So far, nobody has hacked their way into it.

Oh, and get this: I have my debit card PIN number written somewhere in my wallet.
 

Muse

> Traversing stairs is good for you, and more secure
> That said, where is this data stored? Is it externally accessible?

That didn't work out so well for Dustin Johnson before the Masters last year.

No, none of the data should be externally accessible, at least not at the present time. It's on my LAN (NAS), also on my local machines. I also have it on thumb drives, also on HDs I keep off site for added assurance I won't lose data that's of importance to me. However, I don't have any cloud type stuff going on.

Really, I think my system is pretty opaque. I have over 200 tables and no one would know which has the CC numbers, it doesn't have an obvious name. I think it would take a major intelligence effort to tease out anything useful to anybody in terms of ripping me off.
> Huh. I write down my credit card numbers on a piece of paper hidden in a drawer near my computer. So far, nobody has hacked their way into it.
>
> Oh, and get this: I have my debit card PIN number written somewhere in my wallet.

I have a few things written on a piece of paper in my wallet but not my PIN. That lives in my head only.
 

Mark R

This encryption system was considered unbreakable at the time it was invented, and for some time afterwards, such that it became legendary and known as "the undecipherable cipher". That, however, was in 1553 and while it took 300 years for encryption theory to discover how to break it, things have progressed since then, such that this type of encryption can easily be broken by hand. I've successfully completed challenges to decrypt some ciphertext without the key (these turned up in a school magazine, and one was rather harder than expected, because there was a typo in the ciphertext causing it to go out of sync with the code word).

More recently, I have seen this encryption scheme used for a hospital's electronic medical record. They used this scheme to encrypt the login password; the key was the username. For some unknown reason, presumably for speed, the client software downloaded the users table from the database server and stored it cached as a CSV file on the client computer.

That aside, if you are using a different key for each card and not reusing keys, then you have something close to a one time pad. Of course, there are some further weaknesses due to the limited distribution of numbers at certain positions in the exp date. If the word is, in fact, a dictionary word, then this could significantly weaken the scheme.
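
The key-reuse and known-prefix weaknesses raised in the replies above, as an added example that is not part of any post in this thread. The original scheme's details are not given, so the symbol set, the letter-to-shift rule, the secret word and the test numbers are all assumptions constructed for illustration.

```python
# Added illustration; the poster's exact scheme is not given, so the alphabet
# and the letter-to-shift rule below are assumptions.
ALPHABET = "0123456789/"          # assumed symbol set: digits plus "/"
N = len(ALPHABET)

def shifts(word):
    """Assumed rule: a=1, b=2, ... reduced modulo the alphabet size."""
    return [(ord(ch) - ord("a") + 1) % N for ch in word.lower()]

def _apply(text, word, sign):
    ks = shifts(word)
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ks[i % len(ks)]) % N]
        for i, ch in enumerate(text)
    )

def encrypt(plain, word):
    return _apply(plain, word, +1)

def decrypt(cipher, word):
    return _apply(cipher, word, -1)

def difference(a, b):
    """Symbol-wise difference of two strings, modulo the alphabet size."""
    return [(ALPHABET.index(x) - ALPHABET.index(y)) % N for x, y in zip(a, b)]

def shifts_from_known_prefix(cipher, prefix):
    """Key shifts exposed wherever the plaintext is predictable."""
    return difference(cipher, prefix)

if __name__ == "__main__":
    word = "lantern"                          # constructed secret word
    card_a = "4111111111111111"               # constructed test numbers,
    card_b = "5555555555554444"               # not real cards
    c_a, c_b = encrypt(card_a, word), encrypt(card_b, word)
    # Same word for both rows: the key cancels out of the difference, so the
    # stored table leaks how the two plaintexts relate without any guess.
    print(difference(c_a, c_b) == difference(card_a, card_b))
    # A predictable leading digit gives away that position's shift, and the
    # word repeats, so the same shift also covers positions 7 and 14.
    print(shifts_from_known_prefix(c_a, "4") == shifts(word)[:1])
    # 26 letters collapse onto 11 shifts: "a" and "l" are the same key symbol.
    print(shifts("a") == shifts("l"))
```

All three checks print True: none of them depends on how well the word is hidden, only on it being short, repeated and shared between rows.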
 

Darwin333

> All of my passwords are contained on a microdot that is hidden within a small pill that I store in my urethra.

So when you beat off you have to go through your splooge to find the microdot and reinsert it? And BJs are definitely out of the question I guess.
 

Exterous

I mean I wouldn't worry about it too much given how insecure company payment records have been shown to be and the zero liability on most credit cards.

> Real encryption with salting!

Ok I put all my credit cards in my can of Morton's salt. I should be safe now right?

"I have a secret I'd like to share."

I feel like it would just be cheaper to continue to pay a prostitute cash than give her all my credit card information
 

Red Squirrel

Would be better to instead pass the data through an encryption function such as AES256 from whatever language you coded in. That's basically what I did for my password manager written in php. Though I need to enhance it, right now the password is the key, and that's not really the right way of doing it and was meant as a temporary measure until I figure out the proper way and then never ended up changing it. Someone would need to hack into my home network to get it and if that happens I have bigger problems to worry about.
 