Dear $LOCALBANK That I Use
Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification.
No thanks; No love
-Arthur
Banks without good security? Pfft, next you’ll say that Mac’s aren’t secure!
/sarcasm off
On one hand, I was really surprised when Bank Of America/Fleet/BankBoston/BayBank went through some merger and sent me a letter with my PIN in it.
On the other hand, would one-way encryption really help any? If you get a hold of the encrypted passwords and know the algorithm, even if it’s a custom algorithm and a custom salt for each and every account, it’s trivial to run through the 10^6 combinations.
(As another aisde: I first set up my account with an 8-digit pin. Classmates pointed out that you only needed the first 4 digits, and sure enough you did. But after one of the mergers, it changed to needing the first six characters, so I had to re-learn the mnemonic I used to set it up, since I hadn’t used characters 5 & 6 in years.
)
Now I remember that Silvo Micali taught me about probabilistic encryption while I was in grad school, so I’m suitably humbled.
Although I’m not sure, off hand, that you can combine a one-way hash with probabilistic encryption in a non-ugly way. Might just be a failure of my imagination, though.