[Noisebridge-discuss] Access control & Safety, both personal and general space.

Casey Callendrello c1 at caseyc.net
Wed Feb 8 15:46:17 PST 2012


No, because bcrypt randomly generates a salt and stores it in the 
password hash. So you can only compare given plaintext against a 
specific, already-existing hash.

--Casey

On 2/8/2012 3:40 PM, Shannon Lee wrote:
> If you have an index of bcrypt'd phone numbers, you can simply bcrypt 
> the incoming number and search the index for that hash, yes?
>
> --S
>
> On Wed, Feb 8, 2012 at 3:38 PM, Casey Callendrello <c1 at caseyc.net> wrote:
>
>     On 2/8/2012 1:39 PM, Jonathan Lassoff wrote:
>     > Perhaps bcrypt the phone number and store that instead? That way,
>     > you can verify that something's in there, but it can't be easily
>     > figured out what it is.
>
>     I'd thought about that. However, when a user dials in, we don't know
>     their username, so we have to just test their
>     "password" (the phone number) against every known entry. If the number
>     of bcrypt rounds is too high, then it takes forever. Is there a
>     hashing function I should choose that is efficient but will make just
>     enumerating all passwords too slow? There are about 2360000000
>     possible North American phone numbers based on currently-allocated
>     area codes.
>
>     I suppose bcrypt will be fine provided that all possible numbers
>     can be quickly scanned.
>
>     -c.
>
> -- 
> Shannon Lee
> (503) 539-3700
>
> "Any sufficiently analyzed magic is indistinguishable from science."
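
The point made at the top of this message, as an added example that is not part of the original thread: with a random per-entry salt, re-hashing the incoming number and searching for an equal hash never matches, so the lookup has to re-hash under each stored record's salt. PBKDF2 from the Python standard library stands in for bcrypt here; the iteration count and the sample numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000       # assumed work factor, standing in for bcrypt's rounds
KEYSPACE = 2_360_000_000  # possible phone numbers, the figure quoted in the thread
# Constructed sample data (fictional 555-01xx numbers).
SAMPLE = ["4155550101", "4155550102", "5105550103", "6505550104"]

def slow_hash(number, salt):
    return hashlib.pbkdf2_hmac("sha256", number.encode(), salt, ITERATIONS)

def enroll(number):
    """Hash with a fresh random salt and keep the salt beside the digest,
    the way bcrypt embeds its salt in the hash string."""
    salt = os.urandom(16)
    return salt, slow_hash(number, salt)

def index_lookup(number, records):
    """Hash the incoming number again and search for an equal digest.
    The new salt differs from every stored one, so this never matches."""
    _, digest = enroll(number)
    return any(hmac.compare_digest(digest, stored) for _, stored in records)

def find_caller(number, records):
    """Re-hash the number under each record's own salt: one slow hash per
    record, so lookup time grows linearly with the number of entries."""
    for i, (salt, stored) in enumerate(records):
        if hmac.compare_digest(slow_hash(number, salt), stored):
            return i
    return None

def enumeration_days(seconds_per_hash):
    """Time to try every possible number against ONE stolen record."""
    return KEYSPACE * seconds_per_hash / 86400

if __name__ == "__main__":
    records = [enroll(n) for n in SAMPLE]
    start = time.perf_counter()
    slow_hash(SAMPLE[0], records[0][0])
    per_hash = time.perf_counter() - start
    print("index lookup finds caller:", index_lookup(SAMPLE[2], records))
    print("scan finds caller at:", find_caller(SAMPLE[2], records))
    print(f"scan cost for {len(records)} records: ~{per_hash * len(records):.3f}s")
    print(f"full enumeration of one record: ~{enumeration_days(per_hash):.0f} days")
```

Raising the work factor lengthens the per-call scan and the enumeration of a stolen record by the same multiple, which is the trade-off raised in the quoted message.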
