zlacker

[parent] [thread] 2 comments
1. kenton+(OP) 2025-06-02 19:59:41
Learning a prefix of the hash doesn't really get you anywhere. The hash itself isn't a secret -- it could be published publicly without breaking the security model. You still need to derive a token that hashes to that value in full, and if you can do that then you've broken the hash algorithm by definition.
replies(2): >>ZiiS+oc >>ZiiS+gOb
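A minimal illustration of the model the comment above describes, added here as an example (not code from the commenter or from any project discussed): the server stores only a hash of each bearer token, the token itself is the sole secret, and presenting the hash, a prefix of it, or a near-miss of the token never authenticates. SHA-256, an in-memory dict as the "store", and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory token store: hash(token) -> principal.
# The key (the hash) is not a secret; knowing it does not let anyone
# authenticate, because the server only ever accepts the preimage.


def token_hash(token: str) -> str:
    """Hash a bearer token to its public lookup key."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(store: dict, principal: str) -> str:
    """Mint a fresh random token, store only its hash, return the token."""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; the only secret
    store[token_hash(token)] = principal
    return token


def authenticate(store: dict, presented: str):
    """Return the principal for a presented token, or None.

    The dict lookup is keyed by the hash. A timing side channel on that
    lookup could at most reveal something about the hash, which is public
    anyway; the secret (the token) is protected by preimage resistance.
    """
    return store.get(token_hash(presented))


def revoke(store: dict, token_hash_hex: str) -> bool:
    """Revoke by public hash; no secret is needed to revoke."""
    return store.pop(token_hash_hex, None) is not None


def hash_prefix_matches(store: dict, prefix: str) -> int:
    """Count stored hashes beginning with a prefix.

    Demonstrates that narrowing the hash space by a known prefix yields
    candidate hashes, not tokens: none of these values authenticate.
    """
    return sum(1 for h in store if hmac.compare_digest(h[: len(prefix)], prefix))


if __name__ == "__main__":
    store = {}
    tok = issue_token(store, "alice")
    stored = next(iter(store))
    print("token authenticates:", authenticate(store, tok))      # alice
    print("hash authenticates:", authenticate(store, stored))    # None
    print("prefix candidates:", hash_prefix_matches(store, stored[:8]))  # 1
    print("revoked:", revoke(store, stored), "now:", authenticate(store, tok))
```

Note that `revoke` takes the public hash rather than the token: that is exactly what the design buys you, since operators can list, audit and revoke credentials without ever holding the secret.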
2. ZiiS+oc 2025-06-02 21:24:35
>>kenton+(OP)
Yes, I guess, if you trust the hash implementation completely; I just favour a bit more defence in depth.
3. ZiiS+gOb 2025-06-07 06:24:52
>>kenton+(OP)
Say I got a memory dump from the client system. I don't know what is what, but the secret is in there somewhere.

Filtering it down by the hash prefix locally is much less likely to be detected than spamming the servers.