zlacker

[parent] [thread] 3 comments
1. xvecto+(OP)[view] [source] 2021-06-06 00:20:01
If you use a hard hash function you cannot brute force that on a laptop - not even a tenth of that. You can, however, spin up compute instances to brute force it in a few days if you have $50k lying around.
replies(2): >>zeroim+Bc >>xxs+nG
2. zeroim+Bc[view] [source] 2021-06-06 02:47:25
>>xvecto+(OP)
What are the odds that a website will run a computationally hard hash function on every single HTTP request just so it can log something less sensitive than an IP address?
replies(1): >>josefx+ro
◧◩
3. josefx+ro[view] [source] [discussion] 2021-06-06 05:48:21
>>zeroim+Bc
The website could cache the hash for an hour or two.
4. xxs+nG[view] [source] 2021-06-06 10:45:39
>>xvecto+(OP)
>force that on a laptop

They said: "personal computer", which could easily have 2x GPUs and 16+ cores. Heck, laptops nowadays can have a pretty good discrete GPU.

Using password grade hash with a =nonce= is absolutely no way to be accomplished per each request. The nonce would have to be the same for multiple uses - hence NOT a 'nonce'. The sharing of the said non-nonce would require a form a replicated Map (or IP-sticky processing with a local map). It's rather convoluted solution for absolutely no benefit as it's still not hard to brute force.

Storing it in such a way - slow hash + salt yields no benefits for debugging either, so I wonder why would you do so? Password hashes are useful for proving a match with an unknown plain text (while making it expensive to brute force) - so what would be the exact purpose of having non-nonce+IP?

[go to top]