[Noisebridge-discuss] Access control & Safety, both personal and general space.

Jonathan Lassoff jof at thejof.com
Thu Feb 9 00:16:14 UTC 2012


On Wed, Feb 8, 2012 at 4:14 PM, Jonathan Lassoff <jof at thejof.com> wrote:
> On Wed, Feb 8, 2012 at 3:49 PM, Daniel Pitts <coloraura.com at gmail.com> wrote:
>> There isn't much point in encrypting a phone number, the number of bits
>> of entropy is so low that a brute-force attack would be *extremely* easy
>> to execute.
>
> True! And this is why I suggest using bcrypt. Brute-force generation
> of bcrypt hashes for *every* phone number is variably-hard (by tuning
> the "cost" of bcrypt).

Now that I'm thinking about it, if you're in the position that you can
brute-force every phone number to enumerate the database, you can
already get into the space pretty easily :p
That said, the risk is that you could get the phone numbers of the
users of the system, and caller ID is really easy to spoof.

--j
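
The trade-off discussed in this thread, worked through as an added example (not code from the thread or from any Noisebridge system): how long hashing every phone number takes at a given bcrypt cost, and which cost meets a target without making a single verification too slow. The 10**10 keyspace, the 0.05 s baseline timing and the worker counts are constructed assumptions.

```python
import math

# Assumption: 10-digit numbers, taken as an upper bound of 10**10 candidates.
PHONE_KEYSPACE = 10 ** 10

# Assumption (constructed, not measured): one bcrypt hash at cost 10 takes
# 0.05 s on one core. Measure on your own hardware before using the results.
BASE_COST = 10
BASE_SECONDS = 0.05


def entropy_bits(keyspace: int = PHONE_KEYSPACE) -> float:
    """Bits of entropy in a uniformly chosen phone number."""
    return math.log2(keyspace)


def hash_seconds(cost: int) -> float:
    """bcrypt work doubles with every cost step, so scale from the baseline."""
    return BASE_SECONDS * 2 ** (cost - BASE_COST)


def enumeration_days(cost: int, workers: int = 1,
                     keyspace: int = PHONE_KEYSPACE) -> float:
    """Days to hash every number in the keyspace once against one salt."""
    return keyspace * hash_seconds(cost) / workers / 86400


def min_cost(target_days: float, workers: int, max_verify_seconds: float):
    """Lowest cost whose full enumeration takes at least target_days.

    Returns None when the latency budget for one legitimate verification
    is exceeded before the target is reached.
    """
    for cost in range(4, 32):  # bcrypt accepts cost factors 4..31
        if hash_seconds(cost) > max_verify_seconds:
            return None
        if enumeration_days(cost, workers) >= target_days:
            return cost
    return None


if __name__ == "__main__":
    print(f"phone number entropy: {entropy_bits():.1f} bits")
    for cost in (10, 12, 14, 16):
        print(f"cost {cost}: {hash_seconds(cost):.2f} s/hash, "
              f"{enumeration_days(cost, workers=1000):.1f} days at 1000 workers")
    print("cost for 30 days, 1 s budget:", min_cost(30, 1000, 1.0))
    print("cost for 365 days, 1 s budget:", min_cost(365, 1000, 1.0))
```

With these assumed figures, a one-year target against 1000 parallel workers cannot be met inside a one-second verification budget, which is the limit that the low entropy of a phone number puts on cost tuning.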


