<html><head></head><body bgcolor="#FFFFFF"><div>Salts don't work anymore.&nbsp;<br><br>Sent from your iPhone</div><div><br>On Feb 8, 2012, at 6:34 PM, John Adams &lt;<a href="mailto:jna@retina.net">jna@retina.net</a>&gt; wrote:<br><br></div><div></div><blockquote type="cite"><div><div>This is exactly the problem hashes were meant to solve. Just use a hash like md5 or, hash the numbers into strings and let the database sort it out.</div><div><br></div><div>You'll also want to salt the hashes, or otherwise it will be trivial to write a script to decode all numbers with a simple rainbow table attack.<br><br>Sent from my iPhone</div><div><br>On Feb 8, 2012, at 18:29, girlgeek &lt;<a href="mailto:girlgeek@wt.net">girlgeek@wt.net</a>&gt; wrote:<br><br></div><div></div><blockquote type="cite"><div>
  
    <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
  
  
    YES!&nbsp; A list (database table with index) really should NOT take very
    long to search a couple of thousand records in real time if written
    correctly.&nbsp; (Don't start me about writing code correctly).<br>
    -Claudia <br>
    On 2/8/2012 3:40 PM, Shannon Lee wrote:
    <blockquote cite="mid:CAGjxht=tLp-GqZCQUsPc+NX+Kcp2tJEpP1QeFHQMpv4FuNgncg@mail.gmail.com" type="cite">If you have an index if bcrypt'd phone numbers, you
      can simply bcrypt the incoming number and search the index for
      that hash, yes?
      <div><br>
      </div>
      <div>--S<br>
        <br>
        <div class="gmail_quote">On Wed, Feb 8, 2012 at 3:38 PM, Casey
          Callendrello <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:c1@caseyc.net">c1@caseyc.net</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="im">On 2/8/2012 1:39 PM, Jonathan Lassoff wrote:<br>
              &gt; Perhaps bcrypt the phone number and store that
              instead? That way, you<br>
              &gt; can verify that something's in there, but it can't be
              easily figured<br>
              &gt; out what it is.<br>
              <br>
            </div>
            I'd thought about that. However, when a user dials in, we
            don't know<br>
            their username, so we have to just test their<br>
            "password" (the phone number) against every known entry. If
            the number<br>
            of bcrypt rounds is too high, then it takes forever. Is
            there a hashing<br>
            function I should choose that is efficient but will make
            just<br>
            enumerating all passwords too slow? There are about
            2360000000 possible<br>
            north-american phone numbers based on currently-allocated
            area codes.<br>
            <br>
            I suppose bcrypt will be fine provided that all possible
            numbers can be<br>
            quickly scanned.<br>
            <font color="#888888"><br>
              -c.<br>
            </font>
            <div>
              <div class="h5"><br>
                _______________________________________________<br>
                Noisebridge-discuss mailing list<br>
                <a moz-do-not-send="true" href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a><br>
                <a moz-do-not-send="true" href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss" target="_blank">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        Shannon Lee<br>
        (503) 539-3700<br>
        <br>
        "Any sufficiently analyzed magic is indistinguishable from
        science."<br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Noisebridge-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a>
<a class="moz-txt-link-freetext" href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a>
</pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <p class="" avgcert""="" color="#000000" align="left">No virus
        found in this message.<br>
        Checked by AVG - <a moz-do-not-send="true" href="http://www.avg.com">www.avg.com</a><br>
        Version: 2012.0.1834 / Virus Database: 2112/4796 - Release Date:
        02/08/12</p>
    </blockquote>
    <br>
  

</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Noisebridge-discuss mailing list</span><br><span><a href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a></span><br><span><a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a></span><br></div></blockquote></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Noisebridge-discuss mailing list</span><br><span><a href="mailto:Noisebridge-discuss@lists.noisebridge.net">Noisebridge-discuss@lists.noisebridge.net</a></span><br><span><a href="https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss">https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss</a></span><br></div></blockquote></body></html>