[Noisebridge-discuss] Access control & Safety, both personal and general space.

ryan rawson ryanobjc at gmail.com
Wed Feb 8 21:24:46 PST 2012


Salts don't work anymore. 

Sent from your iPhone

On Feb 8, 2012, at 6:34 PM, John Adams <jna at retina.net> wrote:

> This is exactly the problem hashes were meant to solve. Just use a hash like md5 or, hash the numbers into strings and let the database sort it out.
> 
> You'll also want to salt the hashes, or otherwise it will be trivial to write a script to decode all numbers with a simple rainbow table attack.
> 
> Sent from my iPhone
> 
> On Feb 8, 2012, at 18:29, girlgeek <girlgeek at wt.net> wrote:
> 
>> YES!  A list (database table with index) really should NOT take very long to search a couple of thousand records in real time if written correctly.  (Don't start me about writing code correctly).
>> -Claudia 
>> On 2/8/2012 3:40 PM, Shannon Lee wrote:
>>> 
>>> If you have an index if bcrypt'd phone numbers, you can simply bcrypt the incoming number and search the index for that hash, yes?       
>>> 
>>> --S
>>> 
>>> On Wed, Feb 8, 2012 at 3:38 PM, Casey Callendrello <c1 at caseyc.net> wrote:
>>> On 2/8/2012 1:39 PM, Jonathan Lassoff wrote:
>>> > Perhaps bcrypt the phone number and store that instead? That way, you
>>> > can verify that something's in there, but it can't be easily figured
>>> > out what it is.
>>> 
>>> I'd thought about that. However, when a user dials in, we don't know
>>> their username, so we have to just test their
>>> "password" (the phone number) against every known entry. If the number
>>> of bcrypt rounds is too high, then it takes forever. Is there a hashing
>>> function I should choose that is efficient but will make just
>>> enumerating all passwords too slow? There are about 2360000000 possible
>>> north-american phone numbers based on currently-allocated area codes.
>>> 
>>> I suppose bcrypt will be fine provided that all possible numbers can be
>>> quickly scanned.
>>> 
>>> -c.
>>> 
>>> _______________________________________________
>>> Noisebridge-discuss mailing list
>>> Noisebridge-discuss at lists.noisebridge.net
>>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>> 
>>> 
>>> 
>>> -- 
>>> Shannon Lee
>>> (503) 539-3700
>>> 
>>> "Any sufficiently analyzed magic is indistinguishable from science."
>>> 
>>> 
>>> _______________________________________________
>>> Noisebridge-discuss mailing list
>>> Noisebridge-discuss at lists.noisebridge.net
>>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>> 
>>> 
>>> No virus found in this message.
>>> Checked by AVG - www.avg.com
>>> Version: 2012.0.1834 / Virus Database: 2112/4796 - Release Date: 02/08/12
>>> 
>> 
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120208/df961f1f/attachment.htm 


More information about the Noisebridge-discuss mailing list