[Noisebridge-discuss] Access control & Safety, both personal and general space.
Casey Callendrello
c1 at caseyc.net
Wed Feb 8 23:46:17 UTC 2012
No, because bcrypt randomly generates a salt and stores it in the
password hash. So you can only compare given plaintext against a
specific, already-existing hash.
--Casey
On 2/8/2012 3:40 PM, Shannon Lee wrote:
> If you have an index if bcrypt'd phone numbers, you can simply bcrypt
> the incoming number and search the index for that hash, yes?
>
> --S
>
> On Wed, Feb 8, 2012 at 3:38 PM, Casey Callendrello <c1 at caseyc.net
> <mailto:c1 at caseyc.net>> wrote:
>
> On 2/8/2012 1:39 PM, Jonathan Lassoff wrote:
> > Perhaps bcrypt the phone number and store that instead? That
> way, you
> > can verify that something's in there, but it can't be easily figured
> > out what it is.
>
> I'd thought about that. However, when a user dials in, we don't know
> their username, so we have to just test their
> "password" (the phone number) against every known entry. If the number
> of bcrypt rounds is too high, then it takes forever. Is there a
> hashing
> function I should choose that is efficient but will make just
> enumerating all passwords too slow? There are about 2360000000
> possible
> north-american phone numbers based on currently-allocated area codes.
>
> I suppose bcrypt will be fine provided that all possible numbers
> can be
> quickly scanned.
>
> -c.
>
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> <mailto:Noisebridge-discuss at lists.noisebridge.net>
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>
>
>
>
> --
> Shannon Lee
> (503) 539-3700
>
> "Any sufficiently analyzed magic is indistinguishable from science."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120208/d1f8b1a4/attachment.html>
More information about the Noisebridge-discuss
mailing list