[Noisebridge-discuss] Access control & Safety, both personal and general space.
c1 at caseyc.net
Wed Feb 8 15:46:17 PST 2012
No, because bcrypt randomly generates a salt and stores it in the
password hash. So you can only compare given plaintext against a
specific, already-existing hash.
On 2/8/2012 3:40 PM, Shannon Lee wrote:
> If you have an index of bcrypt'd phone numbers, you can simply bcrypt
> the incoming number and search the index for that hash, yes?
> On Wed, Feb 8, 2012 at 3:38 PM, Casey Callendrello <c1 at caseyc.net> wrote:
> On 2/8/2012 1:39 PM, Jonathan Lassoff wrote:
> > Perhaps bcrypt the phone number and store that instead? That way, you
> > can verify that something's in there, but it can't be easily figured
> > out what it is.
> I'd thought about that. However, when a user dials in, we don't know
> their username, so we have to just test their
> "password" (the phone number) against every known entry. If the number
> of bcrypt rounds is too high, then it takes forever. Is there a
> function I should choose that is efficient but will make just
> enumerating all passwords too slow? There are about 2360000000
> North American phone numbers based on currently-allocated area codes.
> I suppose bcrypt will be fine provided that all possible numbers can be
> quickly scanned.
> Shannon Lee
> (503) 539-3700
> "Any sufficiently analyzed magic is indistinguishable from science."
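
Added example, not part of the original thread or of any Noisebridge code: it shows why hashing the caller's number and searching an index finds nothing when each entry has its own random salt, and what the per-entry scan costs an offline enumerator. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here (both keep a random salt with each stored hash); the function names, `ROUNDS` and the phone numbers are constructed for illustration.

```python
import hashlib, hmac, os, time

ROUNDS = 20_000  # assumed work factor; stands in for the bcrypt cost setting

def enroll(phone: str) -> tuple[bytes, bytes]:
    """Store a fresh random salt with the digest, as bcrypt does inside its hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", phone.encode(), salt, ROUNDS)

def verify(phone: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the record's own salt: the only comparison a salted hash allows."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", phone.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

def index_lookup(phone: str, records) -> bool:
    """The shortcut asked about: hash the incoming number and search for that hash."""
    _, digest = enroll(phone)  # new salt, so a different digest on every call
    return any(hmac.compare_digest(digest, d) for _, d in records)

def scan_lookup(phone: str, records):
    """What the dial-in system has to do instead: one full hash per stored entry."""
    for i, rec in enumerate(records):
        if verify(phone, rec):
            return i
    return None

def enumeration_days(seconds_per_hash: float, records: int,
                     space: int = 2_360_000_000) -> float:
    """Offline cost of trying every number (the thread's estimate) against every entry."""
    return seconds_per_hash * space * records / 86_400

if __name__ == "__main__":
    members = ["+14155550101", "+14155550102", "+14155550103"]  # constructed numbers
    db = [enroll(m) for m in members]
    start = time.perf_counter()
    found = scan_lookup(members[2], db)
    per_hash = (time.perf_counter() - start) / len(db)
    print("index lookup hit:", index_lookup(members[2], db))
    print("scan lookup hit at entry:", found)
    print(f"measured {per_hash * 1000:.1f} ms per hash")
    days = enumeration_days(per_hash, len(db))
    print(f"enumerating all numbers against {len(db)} entries: {days:.0f} days, one core")
```

The same work factor sets both costs: the legitimate scan pays it once per stored entry on every call, while an enumerator pays it once per candidate number per entry.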