[Noisebridge-discuss] Access control & Safety, both personal and general space.
jof at thejof.com
Wed Feb 8 16:16:14 PST 2012
On Wed, Feb 8, 2012 at 4:14 PM, Jonathan Lassoff <jof at thejof.com> wrote:
> On Wed, Feb 8, 2012 at 3:49 PM, Daniel Pitts <coloraura.com at gmail.com> wrote:
>> There isn't much point in encrypting a phone number, the number of bits
>> of entropy is so low that a brute-force attack would be *extremely* easy
>> to execute.
> True! And this is why I suggest using bcrypt. Brute-force generation
> of bcrypt hashes for *every* phone number is variably-hard (by tuning
> the "cost" of bcrypt).
Now that I'm thinking about it. If you're in the position that you can
brute-force every phone number to enumerate the database, you can
already get into the space pretty easily :p
That said, the risk is that you could get the phone numbers of the
users of the system, and called ID is really easy to spoof.
More information about the Noisebridge-discuss