zlacker

1. gizmo6+(OP)[view] [source] 2021-06-05 22:47:23
There are only 2^32 possible IP addresses. You can brute-force that on a personal laptop.
replies(2): >>vgaldi+N >>xvecto+i8
2. vgaldi+N[view] [source] 2021-06-05 22:53:23
>>gizmo6+(OP)
There are even fewer 'usable' ones, when you exclude private ranges etc...
replies(1): >>olliej+C3
3. olliej+C3[view] [source] [discussion] 2021-06-05 23:24:17
>>vgaldi+N
And if you further restrict to US service provider ranges
4. xvecto+i8[view] [source] 2021-06-06 00:20:01
>>gizmo6+(OP)
If you use a hard hash function you cannot brute force that on a laptop - not even a tenth of that. You can, however, spin up compute instances to brute force it in a few days if you have $50k lying around.
replies(2): >>zeroim+Tk >>xxs+FO
5. zeroim+Tk[view] [source] [discussion] 2021-06-06 02:47:25
>>xvecto+i8
What are the odds that a website will run a computationally hard hash function on every single HTTP request just so it can log something less sensitive than an IP address?
replies(1): >>josefx+Jw
6. josefx+Jw[view] [source] [discussion] 2021-06-06 05:48:21
>>zeroim+Tk
The website could cache the hash for an hour or two.
7. xxs+FO[view] [source] [discussion] 2021-06-06 10:45:39
>>xvecto+i8
>force that on a laptop

They said: "personal computer", which could easily have 2x GPUs and 16+ cores. Heck, laptops nowadays can have a pretty good discrete GPU.

Using a password-grade hash with a =nonce= is absolutely no way to be accomplished per each request. The nonce would have to be the same for multiple uses - hence NOT a 'nonce'. The sharing of the said non-nonce would require a form of a replicated Map (or IP-sticky processing with a local map). It's a rather convoluted solution for absolutely no benefit as it's still not hard to brute force.

Storing it in such a way - slow hash + salt yields no benefits for debugging either, so I wonder why would you do so? Password hashes are useful for proving a match with an unknown plain text (while making it expensive to brute force) - so what would be the exact purpose of having non-nonce+IP?
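Added example, not part of any comment in the thread: for anyone assessing whether hashed IPs in a log count as anonymized, this sketch measures the trade-off argued above by recovering a constructed address from its unsalted hash and extrapolating the single-core cost of covering all 2^32 addresses for a fast and a password-grade hash. The logging scheme (SHA-256 of the dotted-quad string), the PBKDF2 parameters, the shared salt and all function names are assumptions.

```python
import hashlib
import ipaddress
import time

def fast_hash(ip: str) -> bytes:
    """Unsalted SHA-256 of the dotted-quad string (assumed logging scheme)."""
    return hashlib.sha256(ip.encode()).digest()

def slow_hash(ip: str, salt: bytes = b"constructed-salt") -> bytes:
    """Password-grade hash; the shared salt and iteration count are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, 100_000)

def recover_ip(target: bytes, network: str, hash_fn=fast_hash):
    """Hash every address in `network`; return the one matching `target`, else None."""
    for addr in ipaddress.ip_network(network):
        if hash_fn(str(addr)) == target:
            return str(addr)
    return None

def seconds_for_full_ipv4(hash_fn, samples: int) -> float:
    """Time `samples` hashes on one core and extrapolate to all 2**32 addresses."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(str(ipaddress.IPv4Address(i)))
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * 2**32

if __name__ == "__main__":
    # Constructed log value: an address from a documentation range.
    logged = fast_hash("198.51.100.77")
    print("recovered:", recover_ip(logged, "198.51.100.0/24"))

    fast = seconds_for_full_ipv4(fast_hash, 20_000)
    slow = seconds_for_full_ipv4(slow_hash, 5)
    print(f"SHA-256, one core:     ~{fast / 3600:.1f} hours for 2^32 inputs")
    print(f"PBKDF2 100k, one core: ~{slow / 86400 / 365:.1f} years for 2^32 inputs")
```

The slow-hash figure divides by the number of cores or rented instances, and a salt reused across log entries means one pass over the address space covers every entry.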
