[Cryptography] encrypting bcrypt hashes

Jonathan Thornburg jthorn4242 at gmail.com
Wed Mar 8 11:53:43 EST 2017


On Wed, Mar 08, 2017 at 10:45:41AM +0000, Robin Wood wrote:
> The client is hashing 4-6 digit PINs (mostly 4 digit) with bcrypt, they
> have the work factor set as high as the business will allow them but they
> are worried that due to the small key space it will still be possible to
> reverse individual PINs. They are now thinking of encrypting the hashes
> before storing them to add an extra layer of protection. The encryption is
> fast enough to not affect login times so my suggestion of using the
> additional processing to increase the work factor instead was rejected.

What about salting the hash?
More generally, what's the threat model?
(Online attacks?  Offline attacks after someone steals the database of
hashed PINs?  Something else?)

ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
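Added example, not part of this thread: a Python model of the scheme under discussion, written to make Jonathan's threat-model question concrete. PBKDF2 from the standard library stands in for bcrypt (which already embeds a per-record salt), and an HMAC under a key held outside the PIN database stands in for the "encrypt the hash before storing it" layer; the iteration count, key and sample PIN are constructed demo values. It shows that a per-record salt rules out precomputed tables but leaves the 10^4 candidate space untouched, so the extra layer only helps against an attacker who obtains the database without the key.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters: the real cost parameter would be orders of magnitude higher.
PBKDF2_ITERATIONS = 300
PIN_DIGITS = 4
# Key for the keyed layer. In practice it lives outside the PIN database
# (KMS, HSM or application secret), never in the same table as the hashes.
DEMO_KEY = bytes(range(32))  # constructed value for the demo only


def slow_hash(pin: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; stand-in for bcrypt with its embedded salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def keyed_layer(digest: bytes, key: bytes) -> bytes:
    """Keyed transform applied to the hash before storage.

    HMAC stands in for the 'encrypt the hash' step from the thread: the point of
    either is that the stored value cannot be recomputed or checked without the key.
    """
    return hmac.new(key, digest, hashlib.sha256).digest()


def enroll(pin: str, key: bytes) -> dict:
    """Create the stored record: random per-record salt plus the keyed hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "stored": keyed_layer(slow_hash(pin, salt), key)}


def verify(pin: str, record: dict, key: bytes) -> bool:
    """Login check: recompute with the stored salt and the server-side key."""
    expected = keyed_layer(slow_hash(pin, record["salt"]), key)
    return hmac.compare_digest(expected, record["stored"])


def offline_recovery(record: dict, key: bytes, digits: int = PIN_DIGITS):
    """Model an offline attacker holding a stolen record and some key guess.

    Enumerates the whole PIN space and returns (pin, attempts); pin is None when
    every candidate fails, which is what happens when the key is not the real one.
    The salt does not shrink the loop: at most 10**digits slow hashes per record.
    """
    attempts = 0
    for n in range(10 ** digits):
        attempts += 1
        candidate = f"{n:0{digits}d}"
        if verify(candidate, record, key):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    record = enroll("0042", DEMO_KEY)
    print("login ok:", verify("0042", record, DEMO_KEY))
    print("db + real key:", offline_recovery(record, DEMO_KEY))
    print("db + wrong key:", offline_recovery(record, b"\x01" * 32))
```

Run it and compare the two `offline_recovery` lines: with the real key the PIN falls out after at most 10^4 slow hashes, which is exactly the "small key space" concern in the original mail and is only slowed, never prevented, by raising the cost parameter; with a wrong key the loop exhausts all 10^4 candidates and recovers nothing. The design question is therefore where that key is kept and whether the attacker who can steal the table can also steal it.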
